Skip to main content

Home LockerGoga ransomware

LockerGoga ransomware

Also known as: CottleAkela

Category: Malware

Type: Ransomware

Platform: Windows

Variants: Ransom.Win32.LOCKERGOGA.THBOGAI, Ransom.Win32.LOCKERGOGA.AA, and Ransom.Win64.LOCKERGOGA.A

Damage potential: Data encryption, loss of important files, system performance issues, network connectivity problems, operational disruption, reputation damage, and financial loss.


LockerGoga is a ransomware strain that came into notoriety in 2019. Like other ransomware, it encrypts files on the victim’s computer or network, making them inaccessible. The attackers leave a ransom note demanding payment in exchange for a decryption key. LockerGoga mainly targets industrial firms, often causing severe disruption and financial loss. The ransomware uses instance-based encryption, which is different from most ransomware families.

Possible symptoms

The main symptom of a LockerGoga infection is file encryption. The ransomware encrypts files stored on desktops, laptops, and servers, making them inaccessible. Other symptoms include:

  • A ransom note in the desktop folder (README-NOW.txt or README_LOCKED.txt).
  • Changed file extensions (to .locked).
  • Changed user account passwords.
  • Antivirus alerts about an infection.
  • Unusually slow computer performance.
  • Increased CPU and disk activity.
  • Unusual network activity.
  • Internet connection issues.
  • Disabled antivirus software.

Sources of the infection

LockerGoga may spread in many ways, with attackers often using social engineering tactics to infect systems and devices. Let’s look at the most common ways LockerGoga spreads.

  • Phishing emails. Attackers may distribute LockerGoga through phishing emails or spear phishing attacks targeting employees.
  • Infected attachments. Employees may be sent spam emails with malicious attachments that automatically install LockerGoga when opened.
  • Infected external drives. LockerGoga ransomware may also spread via malware-infected USBs, external hard drives, or other removable media.
  • Drive-by downloads. Victims may unknowingly download LockerGoga by visiting compromised or malicious sites.
  • Malvertising. LockerGoga may spread through malicious ads. Then users click on them, they may unknowingly download LockerGoga onto their device.
  • Security vulnerabilities. Attackers may target unpatched security vulnerabilities in the network to gain access to the system and distribute LockerGoga


Ransomware attacks can be devastating for businesses, causing severe disruption and financial loss. Here’s how to protect networks and devices from LockerGoga ransomware:

  • Regularly back up files. Being infected with LockerGoga, like other ransomware types, may mean that you lose all your files. Having them backed up may help you limit the damage.
  • Keep systems up to date. Attackers look for security vulnerabilities as a way into the system. Install updates as soon as they’re available to patch up these vulnerabilities.
  • Run company-wide training. Educating employees about cybersecurity is crucial — and may help companies prevent ransomware attacks.
  • Use the principle of least privilege. Grant individuals the minimal level of access needed for their job. If the system is compromised, the attacker will have limited access.
  • Enable Threat Protection Pro. Threat Protection Pro is an advanced NordVPN feature that blocks malicious sites, intrusive web trackers, and annoying ads. Plus, it checks files for malware during download.


Removing LockerGoga from a company network can be complicated. If you suspect your network has been infected, consult a reliable specialist on the best action to take. At this time, experts are not aware of a way to decrypt files encrypted by LockerGoga. However, paying a ransom is not recommended because you’d be supporting an illegal activity without a guarantee of getting your files back.