S0372: LockerGoga
LockerGoga is ransomware that was first reported in January 2019, and has been tied to various attacks on European companies, including industrial and manufacturing firms.[1][2]
Analyst context for executives and security teams
LockerGoga matters because ATT&CK identifies it as Windows ransomware associated with attacks on European companies, including industrial and manufacturing firms. The practical issue is not only malware execution; the related behaviors point to business interruption: data encryption, account access removal, shutdown/reboot activity, tool tampering, lateral file transfer, and ICS consequences such as loss of view, loss of control, and loss of productivity and revenue.
Executive priority
Treat this as a resilience and operational-continuity scenario. Leaders should ask whether ransomware response plans cover Windows endpoints and servers that support production, whether backups and account recovery can be executed under pressure, whether SOC visibility survives security-tool tampering, and whether IT/OT segmentation and manual operating procedures have been validated. For audit and risk owners, the decision value is evidence: prove that impact detection, recovery, privileged-access controls, and OT visibility are tested rather than assumed.
Technical view
ATT&CK provides no official detection text for LockerGoga, so defenders should validate coverage through the related techniques. For Windows environments, test visibility for high-volume file modification/encryption behavior, file deletion, shutdown or reboot commands, account lockout/deletion/permission manipulation, signed binary execution and certificate metadata, lateral transfer of tools over internal file-sharing paths, and disabling or modifying security tools. Where Windows systems interface with industrial or manufacturing operations, correlate endpoint events with OT visibility gaps, blocked Ethernet or Wi-Fi communications, and loss of operator view or control.
Likely telemetry
- Windows endpoint process creation and command execution events
- File creation, modification, deletion, rename, and abnormal encryption-rate indicators
- Windows security events for account deletion, lockout, credential or permission changes
- System shutdown and reboot logs
- Code-signing, certificate, and executable metadata
Detection direction
- Because MITRE provides no LockerGoga-specific detection guidance, build detections around the mapped impact, lateral movement, defense impairment, and code-signing behaviors rather than a single malware name.
- Tune ransomware-impact analytics for rapid file changes while accounting for legitimate bulk operations such as backups, software deployment, migrations, and administrative scripts.
- Correlate account-access changes, security-tool impairment, and shutdown/reboot activity with file encryption indicators to reduce false positives and improve incident severity decisions.
- Do not let a valid Authenticode signature short-circuit triage: ATT&CK records LockerGoga as signed with stolen certificates (T1553.002), so check the signer identity, certificate validity and revocation status, and whether that signer is expected on the host, not merely whether the signature verifies.
- Confirm coverage of internal lateral tool transfer paths; endpoint-only visibility may miss file movement across shares.
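The correlation the list above asks for, as an added example written for this page (it is not ATT&CK content, Glexia code, or anything recovered from LockerGoga): a small Python triage routine that walks constructed, normalized Windows events per host and scores the mapped behaviours together rather than alerting on any one of them. It combines a windowed file-modification rate analytic with an allow-list for legitimate bulk writers, a taskkill-against-security-tool check, a signer check that treats a valid signature from an unexpected signer as a finding, and the password-reset, shutdown and admin-share write signals. The event schema and field names, thresholds, process and signer allow-lists, hostnames and sample events are all assumptions and must be tuned against local telemetry.

```python
"""Correlated ransomware-impact triage over normalized Windows telemetry.

Added example for this page: not ATT&CK content, Glexia code, or anything from
LockerGoga itself. Event shape, field names, thresholds, process names, hostnames
and the sample events are constructed assumptions resembling Sysmon and
Security-log data after normalization; tune every list against local telemetry.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

BULK_WRITERS = {"backupagent.exe", "msiexec.exe", "robocopy.exe"}  # assumed legitimate bulk writers
SECURITY_TOOLS = {"msmpeng.exe", "edr_agent.exe"}                  # assumed security-tool images
TRUSTED_SIGNERS = {"Microsoft Windows", "Contoso IT"}              # assumed signer allow-list
ADMIN_SHARES = {"ADMIN$", "C$"}                                     # shares used for manual SMB copies
RATE_WINDOW = timedelta(seconds=60)
RATE_THRESHOLD = 200                      # file modifications by one image inside RATE_WINDOW
# Encryption anchors the score; the other mapped behaviours corroborate it.
WEIGHTS = {"Data Encrypted for Impact": 4, "Disable or Modify Tools": 2, "Code Signing": 1,
           "Account Access Removal": 2, "System Shutdown/Reboot": 2, "Lateral Tool Transfer": 2}


def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_host(events):
    """Score one host's event dicts (each has 'ts' and 'kind'); return (score, hits)."""
    hits = {}                            # technique name -> first supporting observation
    windows = defaultdict(deque)         # image -> modification times inside RATE_WINDOW
    for e in sorted(events, key=lambda x: datetime.fromisoformat(x["ts"])):
        t, kind = datetime.fromisoformat(e["ts"]), e["kind"]
        if kind == "file_modify":
            img = _base(e["image"])
            if img in BULK_WRITERS:          # backups, deployments, migrations: skip the rate check
                continue
            q = windows[img]
            q.append(t)
            while t - q[0] > RATE_WINDOW:    # slide the window forward
                q.popleft()
            if len(q) >= RATE_THRESHOLD:
                hits.setdefault("Data Encrypted for Impact",
                                f"{img} modified {len(q)} files within {RATE_WINDOW.seconds}s")
        elif kind == "process_create":
            img, cmd = _base(e["image"]), e.get("cmdline", "").lower()
            if img == "taskkill.exe" and any(tool in cmd for tool in SECURITY_TOOLS):
                hits.setdefault("Disable or Modify Tools", f"taskkill on security tool: {e['cmdline']}")
            if e.get("signed") and e.get("signer") not in TRUSTED_SIGNERS:   # signed is not trusted
                hits.setdefault("Code Signing", f"{img} validly signed by untrusted signer {e['signer']!r}")
        elif kind == "password_reset":                       # Security 4724
            hits.setdefault("Account Access Removal", f"{e['subject']} reset password of {e['target']}")
        elif kind == "shutdown":                             # System 1074
            hits.setdefault("System Shutdown/Reboot", f"shutdown requested by {_base(e['image'])}")
        elif kind == "share_write" and e["share"] in ADMIN_SHARES and e["path"].lower().endswith(".exe"):
            hits.setdefault("Lateral Tool Transfer", f"{e['path']} written to {e['share']} from {e['src']}")
    return sum(WEIGHTS[k] for k in hits), hits


def severity(score):
    """Encryption alone is high; encryption plus corroborating behaviours is critical."""
    if score >= 8:
        return "critical"
    if score >= WEIGHTS["Data Encrypted for Impact"]:
        return "high"
    return "medium" if score else "low"


def triage(events_by_host):
    """Return {host: {'severity', 'score', 'reasons'}} for per-host event lists."""
    out = {}
    for host, ev in events_by_host.items():
        score, hits = score_host(ev)
        out[host] = {"severity": severity(score), "score": score, "reasons": hits}
    return out


def constructed_events():
    """Constructed sample telemetry for two assumed hosts; WS-017 shows the full chain."""
    t0 = datetime(2019, 3, 19, 2, 0, 0)

    def at(seconds):
        return (t0 + timedelta(seconds=seconds)).isoformat()
    backup = [{"ts": at(0.04 * i), "kind": "file_modify",
               "image": r"C:\Program Files\Backup\backupagent.exe"} for i in range(500)]
    ws = list(backup)
    ws.append({"ts": at(30), "kind": "process_create", "image": r"C:\Windows\System32\taskkill.exe",
               "cmdline": "taskkill /f /im edr_agent.exe", "signed": True, "signer": "Microsoft Windows"})
    ws.append({"ts": at(31), "kind": "share_write", "src": "10.0.5.23", "share": "ADMIN$", "path": "payload.exe"})
    ws.append({"ts": at(32), "kind": "process_create", "image": r"C:\Windows\payload.exe",
               "cmdline": "payload.exe -s", "signed": True, "signer": "Example Signer Ltd"})
    ws += [{"ts": at(33 + 0.1 * i), "kind": "file_modify", "image": r"C:\Windows\payload.exe"}
           for i in range(300)]                               # 300 files in 30 s
    ws.append({"ts": at(70), "kind": "password_reset", "subject": "WS-017\\Administrator", "target": "WS-017\\jdoe"})
    ws.append({"ts": at(75), "kind": "shutdown", "image": r"C:\Windows\System32\shutdown.exe"})
    return {"WS-017": ws, "FS-02": list(backup)}   # FS-02 sees only backup writes and must stay low
```

Running `triage(constructed_events())` rates WS-017 critical with all six behaviours recorded and FS-02 low, because the backup agent's 500 writes are excluded before the rate window is evaluated. Two points worth keeping when adapting this: the rate analytic is keyed per image, so a bulk-writer allow-list suppresses false positives without lowering the threshold for everything else, and a valid signature only suppresses the signer check when the signer is on the allow-list, so a stolen-certificate binary still adds to the score.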
Mitigation priorities
- Prioritize tested, recoverable backups and documented restore procedures for Windows systems and systems supporting operations.
- Harden and monitor privileged and service accounts so account access removal or permission manipulation can be quickly detected and reversed.
- Protect endpoint security and logging tools from disabling, tampering, or configuration changes, and monitor sensor health continuously.
- Restrict and monitor internal file sharing and administrative transfer paths used for lateral tool transfer.
- Use application control and code-signing validation carefully; do not treat a signature alone as proof of trust.
Analyst notes and limits
This take is based on ATT&CK S0372 LockerGoga, its official description, external references from Unit42 and CarbonBlack, and supplied ATT&CK relationships including FIN6 use and mapped enterprise/ICS techniques. The FIN6 relationship is recorded by ATT&CK, but this summary does not infer current activity or customer exposure.
ATT&CK does not provide official detection content, aliases, labels, or explicit tactics on the LockerGoga software object. Local telemetry, architecture, business process dependencies, and incident history are required to determine actual exposure and control effectiveness.
LockerGoga
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1070.004 | File Deletion | LockerGoga has been observed deleting its original launcher after execution. (CarbonBlack LockerGoga 2019) |
| Enterprise | T1486 | Data Encrypted for Impact | LockerGoga has encrypted files, including core Windows OS files, using RSA-OAEP MGF1 and then demanded Bitcoin be paid for the decryption key. (CarbonBlack LockerGoga 2019; Unit42 LockerGoga 2019; Wired Lockergoga 2019) |
| Enterprise | T1529 | System Shutdown/Reboot | LockerGoga has been observed shutting down infected systems. (Wired Lockergoga 2019) |
| Enterprise | T1531 | Account Access Removal | LockerGoga has been observed changing account passwords and logging off current users. (CarbonBlack LockerGoga 2019; Unit42 LockerGoga 2019) |
| Enterprise | T1685 | Disable or Modify Tools | LockerGoga installation has been immediately preceded by a "task kill" command in order to disable anti-virus. (Wired Lockergoga 2019) |
| Enterprise | T1553.002 | Code Signing | LockerGoga has been signed with stolen certificates in order to make it look more legitimate. (Wired Lockergoga 2019) |
| Enterprise | T1570 | Lateral Tool Transfer | LockerGoga has been observed moving around the victim network via SMB, indicating the actors behind this ransomware are manually copying files from computer to computer instead of self-propagating. (Unit42 LockerGoga 2019) |
Groups, software, and campaigns
G0037: FIN6
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be expanded to compare the same object across releases by object hash and MITRE modification timestamp. For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.1 | | Current bundle | bb305f34cd81… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Unit42 LockerGoga 2019: Harbison, M. (2019, March 26). Born This Way? Origins of LockerGoga. Retrieved April 16, 2019.
[2] CarbonBlack LockerGoga 2019: CarbonBlack Threat Analysis Unit. (2019, March 22). TAU Threat Intelligence Notification – LockerGoga Ransomware. Retrieved April 16, 2019.
[3] mitre-attack S0372: MITRE ATT&CK source record for S0372.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.