- Home
- Detectable Ransomware
- LockerGoga
Ransomware Research
LockerGoga Ransomware
LockerGoga is a malicious ransomware strain that encrypts victim files and demands ransom payment for decryption. First observed in the wild on January 1, 2019, this ransomware has been actively targeting systems worldwide. Security researchers also track this malware under the aliases: Worker32.
Quick Facts
- Ransomware Family
- LockerGoga
- First Seen
- January 1, 2019
- Known Aliases
- Worker32
How LockerGoga Ransomware Works
Targeted Files
Encrypts every 512kb (0x80000 bytes) leer.txt location -> AppData\Roaming
File Encryption Patterns
LockerGoga modifies encrypted files using specific patterns to mark them as encrypted:
File extensions added after encryption:
..locked
Ransom Note and Payment Demands
After encrypting files, LockerGoga displays ransom notes demanding payment for file recovery:
README-NOW.txt
Ransom message:
notes/README-NOW.txt
Note locations:
EveryFolder
READ-ME-NOW.txt
Ransom message:
notes/READ-ME-NOW.txt
Note locations:
RootDirectory
README_LOCKED.txt
Ransom message:
notes/README_LOCKED.txt
Note locations:
Desktop
leer.txt
Ransom message:
notes/leer.txt
Command&Control.txt
Ransom message:
notes/Command&Control.txt
Technical Indicators
Associated Executable Files
The following executable files are associated with LockerGoga ransomware:
worker32
myfile.exe
bdf36127817413f625d2625d3133760af724d6ad2410bea7297ddc116abc268f_wQkb8SOVnc.bin
svch0st.4553.exe
svch0st.5817.exe
svch0st.11077.exe
svchub.16016.exe
pchgdage
hvwfcsky
hvwfcsky1377.bin - Kopya.exe
hvwfcsky1377.bin.exe
hvwfcsky8521.exe
yxugwjud4180.exe
yxugwjud
LockerGoga ransomware
LockerGoga
LockerGoga ransomware.exe
LockerGoga.exe
yxugwjud6698.exe
tgytutrc
tgytutrc4486.exe
tgytutrc3026.exe
tgytutrc7876.exe
tgytutrc3128.exe
tgytutrc2183.exe
tgytutrc2858.exe
tgytutrc8190.exe
tgytutrc850.exe
tgytutrc9489.exe
tgytutrc8025.exe
tgytutrc3842.exe
tgytutrc6216.exe
tgytutrc1068.exe
tgytutrc1758.exe
locker-goga-ransomware
tgytutrc9440.exe
LockerGoga.bin
c97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15 (1)
tgytutrc7290.exe
zzbdrimp
zzbdrimp2939.exe
CryptoLocker
encrypt
a la papa.exe
updater.exe
Updater.exe
e0c23318-030e-4ae9-80f0-43e9bfd4759c
Elastio Can Help You
Don't let LockerGoga ransomware take over your data
Elastio provides advanced ransomware protection and recovery solutions to keep your organization safe.
About This Analysis
This LockerGoga ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like LockerGoga.
Last updated: July 30, 2025