Skip links

Been hit by LockerGoga ransomware? A free fix is now out

If you’ve been hit by the LockerGoga ransomware, an international law enforcement effort has publicly released a tool to fix the problem.

LockerGoga is the Windows software nasty behind the 2019 infection at Norsk Hydro that shut down the Norwegian power and metals giant’s global network for a week and cost the company over $100m, not to mention the knock-on effects further down the supply chain.

Files with a ‘.locked’ extension are an indicator that LockerGoga has scrambled your documents, and can be restored without paying up, according to Bitdefender, which worked with Europol, Zürich law enforcement, and the NoMoreRansom Project on the now-available decryptor tool.

The security biz has also published a step-by-step guide [PDF] on how to use the decryptor on single PCs and networked computers.

In addition to pushing the decryptor tool, Zürich law enforcement released details about criminal proceedings against a miscreant who they accused of being part of a cybercrime gang that used LockerGoga and MegaCortext ransomware to infect computers used by more than 1,800 people and organizations in 71 countries, causing estimated damages totaling hundreds of millions of dollars.

The alleged perpetrator was arrested by Swiss authorities in October 2021 on suspicion of money laundering and data corruption. His arrest was part of a larger Europol- and European Union Agency for Criminal Justice Cooperation (Eurojust) effort that collared 12 suspected cybercriminals, and involved law enforcement from France, the Netherlands, Norway, Ukraine, the US, and Switzerland.

Since then, the Zürich police’s cyber team have been evaluating evidence seized during the suspect’s house search, and this investigation revealed “numerous private keys from ransomware attacks,” we’re told. 

These keys have helped some of the victim companies to recover their data previously encrypted by LockerGoga or MegaCortex ransomware, and also led to the release of the LockerGoga decryptor.

A similar tool to help MegaCortex victims decrypt their files will be released “soon,” according to Zürich law enforcement agencies.

MegaCortex, which also first appeared in 2019, includes a signed Windows executable as part of the payload and targets corporations, according to earlier research published by TrendMicro.

Meanwhile, this lucrative type of cybercrime shows no signs of slowing down with ransomware gangs stooping to new lows — hitting schools and hospitals, among other victims — in recent weeks. 

According to Verizon’s 2022 Data Breach Investigations Report released in May, ransomware accounted for 25 percent of the observed security incidents that occurred between November 1, 2020, and October 31, 2021, and was present in 70 percent of all malware infections. 

Ransomware outbreaks increased 13 percent year-over-year, a larger increase than the previous five years combined, the report authors noted. ®