Mallory

lockergoga

Also known as: lockergoga

LockerGoga is a ransomware strain linked to a cybercriminal group administered by Volodymyr Viktorovich Tymoshchuk (aliases: deadforz, Boba, msfv, farnetwork), a Ukrainian national currently wanted by U.S. and European authorities. LockerGoga was used in targeted ransomware attacks against over 250 companies in the United States and hundreds more globally, including blue-chip American companies, healthcare institutions, and large foreign industrial firms. The attacks caused millions of dollars in damages, including ransom payments and operational disruptions. LockerGoga operations involved customizing ransomware executables and decryption keys for each victim, with ransom demands in exchange for decryption tools. The group also administered other ransomware strains, notably MegaCortex and Nefilim, and operated an affiliate model, providing ransomware code to affiliates in exchange for a share of ransom proceeds. Law enforcement actions have led to the release of decryption keys and the arrest of some affiliates, but Tymoshchuk remains at large. There is no direct evidence of nation-state sponsorship; the group is financially motivated. Known sub-groups or closely linked operations include MegaCortex and Nefilim ransomware campaigns.
