
Romanian cybersecurity company Bitdefender has released a free decryptor to help victims of LockerGoga ransomware recover their files without paying a ransom.

The free tool can be downloaded from Bitdefender servers and allows you to recover encrypted files by following the instructions in this user guide [PDF].

Bitdefender claims that the decryptor was developed in cooperation with law enforcement agencies, including Europol, the NoMoreRansom project, the Zürich Public Prosecutor’s Office and the Zürich Cantonal Police.

For a working decryptor to be created, researchers usually need to identify a flaw in the cryptography used by the ransomware encryptor.

However, in this case the LockerGoga operators were arrested in October 2021, which may have given law enforcement access to the master private keys used to decrypt the victims’ encryption keys.

How to decrypt your files

Files encrypted by LockerGoga will have the filename extension “.locked” and cannot be opened with regular software.

Bitdefender’s tool offers to scan your entire file system or a single folder, locate all encrypted files and perform decryption automatically.

Bitdefender’s LockerGoga decryptor

For this to work, the computer must be connected to the Internet and the ransom notes generated by the ransomware during encryption must be in the original paths.

Bitdefender says the decryptor can work either on a single machine or on entire networks encrypted by LockerGoga.

Note that the decryption process may be interrupted or may not always work as expected, and you may end up with corrupted files. For this reason, the decryptor has the “backup files” option checked by default, and users are recommended to leave this setting enabled.
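
An added example, not from the article or from Bitdefender: one way to take an independent, hash-verified copy of every “.locked” file before running any decryptor, so that an interrupted or failed run can be rolled back. The function names and the backup layout are assumptions; files are copied rather than moved, so the encrypted files and ransom notes stay in their original paths.

```python
import hashlib
import shutil
from pathlib import Path

LOCKED_EXT = ".locked"  # extension the article gives for LockerGoga-encrypted files


def sha256_of(path, chunk=1 << 20):
    """Hash in chunks so large encrypted files do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def preserve_locked_files(scan_root, backup_root):
    """Copy every *.locked file under scan_root into backup_root (hypothetical helper).

    Sources are copied, never moved, so encrypted files and ransom notes stay in
    their original paths. Returns a manifest of (relative_path, size, sha256).
    """
    scan_root, backup_root = Path(scan_root).resolve(), Path(backup_root).resolve()
    if backup_root == scan_root or scan_root in backup_root.parents:
        raise ValueError("backup_root must be outside scan_root")
    manifest = []
    for src in sorted(scan_root.rglob("*")):
        if src.is_symlink() or not src.is_file() or src.suffix.lower() != LOCKED_EXT:
            continue
        rel = src.relative_to(scan_root)
        dst = backup_root / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        src_hash = sha256_of(src)
        if sha256_of(dst) != src_hash:  # catch a truncated or failed copy immediately
            raise OSError(f"backup of {rel} does not match its source")
        manifest.append((rel.as_posix(), src.stat().st_size, src_hash))
    return manifest


def verify_backup(backup_root, manifest):
    """Return relative paths whose backup copy is missing or no longer matches."""
    damaged = []
    for rel, size, digest in manifest:
        copy = Path(backup_root) / rel
        if not copy.is_file() or copy.stat().st_size != size or sha256_of(copy) != digest:
            damaged.append(rel)
    return damaged
```

Keep the returned manifest with the backup and run `verify_backup` before restoring from it.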

Who was LockerGoga

The LockerGoga ransomware operation was launched in January 2019, hitting high-profile targets such as the French engineering company Altran Technologies and the Norwegian aluminum giant Norsk Hydro.

Along with Ryuk and MegaCortex, LockerGoga has been implicated in ransomware attacks against at least 1,800 organizations worldwide.

In October 2021, twelve people were arrested in an international law enforcement operation for the deployment of various strains of ransomware, including LockerGoga.

“Its operator, who has been detained since October 2021 pending trial, is part of a large cybercrime network that has used LockerGoga and MegaCortex ransomware to infect more than 1,800 people and institutions in 71 countries and cause damage estimated at $104 million,” Bitdefender explains in the decryptor’s announcement.

Since the operator’s arrest, threat actors have stopped using LockerGoga ransomware, and the ransomware’s source code has never been released.

Therefore, this decryptor will mainly be for former victims who refused to pay the ransom and waited to get their files back for free.

