Kangaroo Ransomware

Kangaroo Ransomware is an infection that, according to our research team, is a new variant of the infamous Apocalypse Ransomware. Also, it is similar to the Esmeralda Ransomware. Clearly, it is not a unique infection; however, that does not make much difference. Sure, we might know more about this malware, but the reality is that none of these infections can be overcome easily. Once they encrypt the files found on the targeted operating system, there is very little anyone can do. The two main options are paying the ransom requested by cyber criminals or losing the files altogether, and neither of these options is good. Unfortunately, there is a possibility that the ransom payment will be collected but the decryption software promised will not be offered for you. Needless to say, we do not recommend paying the ransom because that might result in the loss of your data and your money at the same time. Continue reading to learn more about this malware and how to remove Kangaroo Ransomware.

According to the information we have gathered, the malicious Kangaroo Ransomware is spread by exploiting the Remote Desktop Protocol. If the infection is executed on your operating system successfully, you face a pop-up that includes the name of the infection, your unique ID number, and an encryption key. Only if you click the “Copy and Continue” button does the ransomware start encrypting your personal files. Needless to say, this move is quite strange, and it is unlikely that many users will click a button that is clearly linked to a malicious infection. If you do, the ransomware quickly starts encrypting your personal files. Although Kangaroo Ransomware ignores the files in the Windows folder, and it evades all files that have .dat, .bat, .bin, .ini, .dll, .exe, .tmp, .lnk, .com, .encrypted, .msi, and .sys extensions, it can do a lot of damage. This infection is primarily targeted at your personal files, and you will not recover them be removing the ransomware itself. On top of that, this infection uses the “/c vssadmin delete shadows /all /quiet” command to delete Volume Shadow Copies, which are created if a system restore point is set up.

Once the encryption operation is complete, Kangaroo Ransomware adds the “.crypted_file” extension to all files. Unfortunately, you will not be able to check the encrypted files right away because of the screen-locking window that appears. This window displays the ransom note. You will face the same ransom note if your restart the computer (a screen with the note appears right before the login screen). If you unlock the PC, you will find it in the TXT file that is created for every file (e.g., file.jpg.Instructions_Data_Recovery.txt) as well. The purpose of this ransom note is to convince you that your Windows operating system has encountered a critical problem that has put your personal data at risk. Although it is stated that the files were encrypted to protect them, in reality, cyber criminals use false information to trick you into emailing them at kangarooencryption@mail.ru. If you disclose your personal ID (included in the note), they will quickly ask to pay a ransom, and that is extremely risky. The so-called “Unlock-Password” and “Kangaroo Decryption Software” tools might be fictitious, and you do not want to waste your savings on fictitious programs. If you install additional third-party software, you will need to delete it as well.

As you already know, Kangaroo Ransomware locks the computer to introduce you to a misleading ransom note. The good news is that you can circumvent the lockdown by rebooting into Safe Mode. If you have already made up your mind about installing automated malware detection and removal software – which is the option we recommend – you should reboot into Safe Mode with Networking. However, if you want to delete Kangaroo Ransomware manually, you can also reboot in Safe Mode. Once you do that, you have to eliminate the malicious .exe file, as well as its copy, which might be named “explorer.exe”. You also need to erase registry values associated with the ransomware. Although it is not the easiest of operations, it is not that difficult to erase the ransomware manually. If you are having any problems, leave a comment below, and we will address your issues as soon as we can.

Reboot your PC in Safe Mode

Windows 10:

1. Move to the left of the Taskbar and click the Windows logo.
2. Select Power and then click Restart while pressing the Shift key.
3. Select Troubleshooting to open a menu with more options.
4. Click Advanced options, then select Startup Settings, and, finally, click Restart.
5. When the menu with different boot options appears, select F4 for Safe Mode.
6. When the PC reboots, use the guide below to erase malware.

Windows 8/Windows 8.1:

1. Open the Charm bar (move to the bottom-right corner) and click Settings.
2. Repeat steps 2-6 shown in the guide above.

Windows Vista or Windows 7:

1. Restart the computer and start tapping the F8 key as soon as BIOS loads.
2. Using the arrow keys on the keyboard choose Safe Mode and then tap Enter.
3. When the PC reboots, use the guide below to erase malware.

Windows XP:

1. Restart the computer and start tapping the F8 key as soon as BIOS loads.
2. Using arrow keys on your keyboard choose Safe Mode and then tap Enter.
3. If the Windows is running in safe mode notification appears, click YES.
4. When the PC reboots, use the guide below to erase malware.

Kangaroo Ransomware Removal

1. Right-click and Delete the malicious launcher file (if you cannot find it, you should reboot in Safe Mode with Networking and download a malware scanner to find it for you).
2. Launch Explorer by tapping Win+E keys on the keyboard.
3. Enter %PROGRAMFILES%\Windows NT (or %PROGRAMFILES(x86)%\Windows NT) into the bar at the top.
4. Right-click and Delete the file named explorer.exe (this is the copy of the original launcher, and it might be named differently).
5. Launch RUN by tapping Win+R keys on the keyboard.
6. To access Registry Editor, type regedit.exe and click OK.
7. Move to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
8. Right-click and Delete the value named Windows Explorer (check if the value data represents the malicious .exe file first).
9. Move to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
10. Right-click and Delete the value named LegalNoticeText (the value data should represent the ransom note).