LockerGoga ransomware virus – Information – Protection/Removal

What is LockerGoga ransomware?

LockerGoga ransomware is a malware that created in order to encrypt files stored on system disks. It hijack a whole machine or its data and demand a ransom in order to unlock (decrypt) them. LockerGoga ransomware appends the locked!? extension (locked) to encrypted file names. This article will provide you a brief summary of information related to LockerGoga ransomware and how to remove ransomware, how to restore encrypted files and how to protect computer from ransomware.

The developers of the LockerGoga ransomware virus have a strong financial motive to infect as many computers as possible. The files that will be encrypted include the following file extensions:

.blob, .xbplate, .odp, .dazip, .wpl, .yml, .x, .bsa, .big, .raw, .wm, .2bp, .odc, .wpd, .xlsm, .wdb, .xlsm, .syncdb, .hkx, .psd, .hkdb, .t13, .r3d, .wn, .pdd, .xx, .wbd, .hvpl, .zi, .js, .m2, .srw, .asset, .wp6, .pfx, .wmd, .wpt, .xlsx, .wbk, .zip, .mov, .tax, .iwd, .wotreplay, .wp, .pptx, .orf, .dba, .psk, .wpg, .bc7, .vdf, .svg, .lrf, .pst, .xpm, .qic, .zif, .vpk, .wmv, .sav, .xls, .erf, .flv, .fos, .xdl, .upk, .1, .xbdoc, .dcr, .apk, .layout, .forge, .wri, .ibank, .avi, .wb2, .odm, .x3f, .xls, .ws, .srf, .ltx, .map, .p7b, .kdc, .rofl, .xar, .sie, .esm, .zdc, .p12, .iwi, .mp4, .litemod, .mef, .css, .kf, .xlsx, .re4, .wsc, .doc, .wpe, .w3x, .nrw, .3fr, .rwl, .rim, .wire, .wmo, .wps, .bkf, .d3dbsp, .wpa, .slm, .lbf, .bc6, .rb, .jpg, .icxs, .wps, .xmmap, .wsh, .pem, .3dm, .pkpass, .arch00, .cas, .crt, .m4a, .epk, .rar, .ai, .tor, .zabw, .vtf, .docx, .pptm, .desc, .7z, .x3f, .lvl, .webdoc, .zw, .vfs0, .das, .sum, .db0, .sr2, .wbm, .ff, .mpqge, .ncf, .wma, .3ds, .mdb, .cfr, .jpeg, .zdb, .mcmeta, .wgz, .pak, .xld, .wbz, .crw, .pdf, .fpk, .sb, .x3d, .mdbackup, .xyp, .bar, .vcf, .dwg, .bay, .odb, .wbc, .z3d, .xlgc, .ptx, .dmp, .itm, .vpp_pc, .t12, wallet, .mdf, .sidn, .eps, .docm, .wsd, .mrwref, .rw2, .itdb, .menu, .z, .cr2, .raf, .odt, .xmind, .cer, .xml, .dng, .ysp, .sis, .rgss3a, .xxx, .wp4, .accdb, .0, .py, .itl, .gho, .wp7, .mlx, .wpb, .wcf, .cdr, .bik, .1st, .der, .arw, .bkp, .dxg, .wbmp, .mddata, .xwp, .png, .kdb, .m3u, .xlk, .xdb, .xy3, .ntl, .wp5, .xf, .wot, .ybk, .wpd, .ods, .wma, .webp, .wmv, .xlsb, .wpw, .txt, .xyw, .y, .sql

Once the encryption process is finished, it will create a ransom note named “README-NOW.txt” offering decrypt all users documents, photos and music if a payment is made. An example of the ransomnote is:

Greetings!

There was a significant flaw in the security system of your company.
You should be thankful that the flaw was exploited by serious people and not some rookies.
They would have damaged all of your data by mistake or for fun.

Your files are encrypted with the strongest military algorithms RSA4096 and AES-256.
Without our special decoder it is impossible to restore the data.
Attempts to restore your data with third party software as Photorec, RannohDecryptor etc.
will lead to irreversible destruction of your data.

To confirm our honest intentions.
Send us 2-3 different random files and you will get them decrypted.
It can be from different computers on your network to be sure that our decoder decrypts everything.
Sample files we unlock for free (files should not be related to any kind of backups).

We exclusively have decryption software for your situation

DO NOT RESET OR SHUTDOWN - files may be damaged.
DO NOT RENAME the encrypted files.
DO NOT MOVE the encrypted files.
This may lead to the impossibility of recovery of the certain files.

To get information on the price of the decoder contact us at:
CottleAkela@protonmail.com;QyavauZehyco1994@o2.pl
The payment has to be made in Bitcoins.
The final price depends on how fast you contact us.
As soon as we receive the payment you will get the decryption tool and
instructions on how to improve your systems security

Instructions that is shown below, will help you to remove LockerGoga ransomware virus as well as restore encrypted files stored on your computer drives.

Table of contents

1. How to remove LockerGoga ransomware virus
2. How to decrypt locked!? files
3. How to restore locked!? files
4. How to protect your machine from LockerGoga ransomware?
5. Finish words

How to remove LockerGoga ransomware virus

Before you start the procedure of restoring documents, photos and music that has been encrypted, make sure LockerGoga ransomware virus is not running. Firstly, you need to get rid of this virus permanently. Luckily, there are several malicious software removal utilities which will effectively detect and get rid of LockerGoga ransomware and other crypto virus malicious software from your machine.

Run Zemana Anti-malware to remove LockerGoga ransomware

Zemana Anti-malware highly recommended, because it can detect security threats such LockerGoga ransomware virus and other malicious software that most ‘classic’ antivirus applications fail to pick up on. Moreover, if you have any LockerGoga ransomware removal problems which cannot be fixed by this tool automatically, then Zemana Anti-malware provides 24X7 online assistance from the highly experienced support staff.

Please go to the link below to download Zemana. Save it on your Desktop.

Once the download is finished, close all apps and windows on your PC. Double-click the install file named Zemana.AntiMalware.Setup. If the “User Account Control” prompt pops up like below, click the “Yes” button.

It will open the “Setup wizard” which will help you install Zemana on your computer. Follow the prompts and do not make any changes to default settings.

Once installation is done successfully, Zemana will automatically start and you can see its main screen as displayed in the figure below.

Now click the “Scan” button to begin checking your personal computer for the LockerGoga ransomware virus and other kinds of potential threats such as malware. While the Zemana AntiMalware (ZAM) tool is scanning, you may see how many objects it has identified as being infected by malicious software.

As the scanning ends, you can check all items found on your machine. All detected items will be marked. You can get rid of them all by simply click “Next” button. The Zemana Free will delete LockerGoga ransomware virus and other malware and add items to the Quarantine. When the cleaning procedure is done, you may be prompted to reboot the PC system.

How to delete LockerGoga ransomware with MalwareBytes

We advise using the MalwareBytes Anti Malware. You can download and install MalwareBytes AntiMalware (MBAM) to scan for and remove LockerGoga ransomware virus from your machine. When installed and updated, this free malicious software remover automatically finds and deletes all threats exist on the PC.

Visit the page linked below to download the latest version of MalwareBytes Free for MS Windows. Save it on your Desktop.

Once the downloading process is complete, close all software and windows on your system. Double-click the install file named mb3-setup. If the “User Account Control” prompt pops up as shown below, click the “Yes” button.

It will open the “Setup wizard” which will help you install MalwareBytes Anti Malware on your computer. Follow the prompts and don’t make any changes to default settings.

Once installation is done successfully, click Finish button. MalwareBytes Free will automatically start and you can see its main screen as shown below.

Now click the “Scan Now” button . MalwareBytes program will scan through the whole PC system for the LockerGoga ransomware virus and other security threats. This task may take some time, so please be patient.

When the scan get finished, MalwareBytes AntiMalware will show a list of all items detected by the scan. Review the results once the tool has done the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply click “Quarantine Selected” button. The MalwareBytes will remove LockerGoga ransomware virus related files, folders and registry keys and add threats to the Quarantine. Once the process is complete, you may be prompted to reboot the computer.

We recommend you look at the following video, which completely explains the process of using the MalwareBytes to remove adware, hijacker and other malicious software.

Remove LockerGoga ransomware virus with KVRT

KVRT is a free removal tool that can check your personal computer for a wide range of security threats like the LockerGoga ransomware as well as other malicious software. It will perform a deep scan of your machine including hard drives and MS Windows registry. When a malware is detected, it will help you to remove all detected threats from your system by a simple click.

Download Kaspersky virus removal tool (KVRT) on your computer from the following link.

When downloading is finished, double-click on the Kaspersky virus removal tool icon. Once initialization process is finished, you’ll see the Kaspersky virus removal tool screen like below.

Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next press Start scan button to start checking your computer for the LockerGoga ransomware and other trojans and harmful apps. This process can take some time, so please be patient.

After the system scan is done, Kaspersky virus removal tool will show you the results as shown on the image below.

In order to delete all threats, simply click on Continue to start a cleaning task.

How to decrypt locked!? files

The LockerGoga ransomware virus uses a hybrid AES + RSA encryption mode. What does it mean to decrypt the files is impossible without the private key. Use a “brute forcing” is also not a method because of the big length of the key. Therefore, unfortunately, the only payment to the authors of the LockerGoga ransomware virus entire amount requested – the only method to try to get the decryption key and decrypt all your files.

If your documents, photos and music have been encrypted by the LockerGoga ransomware virus, We suggests: do not to pay the ransom. If this malware make money for its creators, then your payment will only increase attacks against you. Of course, decryption without the private key is not possible, but that does not mean that the LockerGoga ransomware must seriously disrupt your live.

Currently there is no available way to decrypt locked!? files, but you have a chance to restore encrypted photos, documents and music for free.

How to restore locked!? files

In some cases, you can restore files encrypted by LockerGoga ransomware. Try both methods. Important to understand that we cannot guarantee that you will be able to recover all encrypted personal files.

Use shadow copies to recover locked!? files

A free utility named ShadowExplorer is a simple way to use the ‘Previous Versions’ feature of Microsoft Windows 10 (8, 7 , Vista). You can restore locked!? photos, documents and music encrypted by the LockerGoga ransomware virus from Shadow Copies for free.

Click the link below to download ShadowExplorer. Save it on your Windows desktop.

Once the download is finished, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder like below.

Double click ShadowExplorerPortable to start it. You will see the a window as shown on the screen below.

In top left corner, choose a Drive where encrypted photos, documents and music are stored and a latest restore point as displayed in the following example (1 – drive, 2 – restore point).

On right panel look for a file that you want to recover, right click to it and select Export as shown below.

Run PhotoRec to recover locked!? files

Before a file is encrypted, the LockerGoga ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your files using file recover apps like PhotoRec.

Download PhotoRec from the link below.

When the downloading process is finished, open a directory in which you saved it. Right click to testdisk-7.0.win and choose Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as on the image below.

Double click on qphotorec_win to run PhotoRec for Windows. It will display a screen as displayed on the screen below.

Select a drive to recover as displayed in the figure below.

You will see a list of available partitions. Select a partition that holds encrypted files as shown on the image below.

Click File Formats button and specify file types to restore. You can to enable or disable the restore of certain file types. When this is done, click OK button.

Next, click Browse button to select where recovered photos, documents and music should be written, then click Search.

Count of recovered files is updated in real time. All restored documents, photos and music are written in a folder that you have chosen on the previous step. You can to access the files even if the recovery process is not finished.

When the restore is finished, click on Quit button. Next, open the directory where restored personal files are stored. You will see a contents as displayed in the figure below.

All restored personal files are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re searching for a specific file, then you can to sort your recovered files by extension and/or date/time.

How to protect your machine from LockerGoga ransomware?

Most antivirus programs already have built-in protection system against the ransomware virus. Therefore, if your personal computer does not have an antivirus application, make sure you install it. As an extra protection, use the HitmanPro.Alert.

Use HitmanPro.Alert to protect your system from LockerGoga ransomware

All-in-all, HitmanPro.Alert is a fantastic utility to protect your computer from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of Microsoft Windows OS from MS Windows XP to Windows 10.

Download HitmanPro Alert on your MS Windows Desktop by clicking on the link below.

Once the download is complete, open the directory in which you saved it. You will see an icon like below.

Double click the HitmanPro.Alert desktop icon. After the utility is started, you’ll be displayed a window where you can select a level of protection, as displayed on the image below.

Now press the Install button to activate the protection.

Finish words

Now your machine should be free of the LockerGoga ransomware. Uninstall KVRT and MalwareBytes AntiMalware. We advise that you keep Zemana (to periodically scan your PC system for new malicious software). Probably you are running an older version of Java or Adobe Flash Player. This can be a security risk, so download and install the latest version right now.

If you are still having problems while trying to remove LockerGoga ransomware virus from your system, then ask for help here.