The BitKangoroo ransomware virus encrypts sensitive user data upon infection; all affected data is marked with the .bitkangoroo extension. The malware is also able to inflict damage to the Windows operating system and cause performance issues if it is not deleted. The hackers behind it extort the victims with a large ransom fee (1718 US Dollars) payable in the Bitcoin digital currency. Users can remove the virus by:
You can then follow the steps below to restore your files.
How Can BitKangoroo Virus Infiltrate the PC?
The BitKangoroo ransomware virus can be distributed via different infection methods. The limited number of collected samples does not give a clear indication of the main strategy. This means that the hackers probably use some of the most popular methods:
- Email Spam Campaigns – Hackers coordinate spam email campaigns that may carry the BitKangoroo ransomware virus payload either as an attachment, malicious link or infected document script.
- Infected Documents – In the last few months computer criminals started to create malicious office documents. They are made to appear as files of user interest. When the targets open them, a notification prompt appears that asks them to enable the built-in macros (scripts). If this is done the virus payload is downloaded and executed on the host system.
- Infected Software Installers – Hackers can bundle popular software installers with the BitKangoroo ransomware virus with the intent of masquerading them as legitimate copies. This includes applications, games, utilities and patches.
- Hacker-Controlled Sites and P2P Networks – The BitKangoroo ransomware virus can be distributed on hacker-controlled sites and P2P networks like BitTorrent.
- Payload Drop – An existing malware infection on the host can be used to drop the BitKangoroo ransomware virus payload.
- Direct Hacker Attacks – Running outdated software versions can lead to a BitKangoroo ransomware virus infection, as the hackers use automated vulnerability scanning frameworks to find and exploit such hosts.
It has been revealed that the virus is being distributed as a single binary file named BitKangoroo.exe, bitkangoroo.exe or IEAgent.exe. Based on this information we can conclude that the hackers have made virus copies that pose as Internet Explorer program files, executables or installers.
BitKangoroo Virus – Ransomware Features
Once the BitKangoroo ransomware virus has successfully infiltrated the host it places itself in the following system location: %UserProfile%\AppData\Roaming\IEAgent.exe. This malware employs a dangerous encryption engine based on the AES-256 cipher which is able to process a large quantity of sensitive user files. Like other similar threats it uses a built-in target list that can be modified by the hackers according to their predefined targets. In its current form the BitKangoroo ransomware virus is able to encrypt data such as documents, photos, music, videos, archives, configuration files, databases, etc.
All affected files are renamed with the .bitkangoroo extension. Once this is done the virus enforces a lockscreen that effectively blocks all ordinary computer interaction. It reads the following message:
Your desktop file have been encrypted.
To unlock them, pay 1 BTC to the following address…
Every hour you wait to pay, I’ll delete one of them.
Time remaining: 40:13
[Decrypt my files] Once you have paid, send the following email adding your bitcoin address:
Click me to write the email!
From this message we can conclude the following facts about the BitKangoroo ransomware virus:
- The ransomware message appears to copy templates used by previously known viruses. This means that the criminal operators may have taken code from other viruses and implemented it in the BitKangoroo ransomware virus.
- The requested ransom sum is one Bitcoin. At today’s conversion rate this equals 1744 US Dollars.
- Only a Bitcoin address is supplied. The victims can press a button to write an email to the hackers but it is not displayed in plaintext. The lack of a dedicated payment gateway may mean that a future version of the BitKangoroo ransomware virus can add various hacker “support” options.
- A time limit is enforced on the victims to further extort them.
NOTE: At the moment the BitKangoroo ransomware virus is still under development. The security researchers stated that the captured samples only encrypt the files located on the user’s Desktop. In addition, if the victims enter a non-working code then all encrypted files are deleted.
BitKangoroo Ransomware Virus Removal
Once you’re done with the removal process, there are some alternative data recovery solutions that may help to restore sensitive .bitkangoroo files. OK, let’s begin.
STEP I: Start the PC in Safe Mode with Network
This will isolate all files and objects created by the ransomware so they will be removed efficiently.
1) Hit WIN Key + R
2) A Run window will appear. In it, write “msconfig” and then press Enter
3) A Configuration box shall appear. In it choose the tab named “Boot”
4) Mark the “Safe Boot” option and then go to “Network” under it to tick it too
5) Apply -> OK
Or check our video guide – “How to start PC in Safe Mode with Networking”
STEP II: Show Hidden Files
1) Open My Computer/This PC
2) Windows 7
– Click on the “Organize” button
– Select “Folder and search options”
– Select the “View” tab
– Go under “Hidden files and folders” and mark the “Show hidden files and folders” option
3) Windows 8/10
– Open the “View” tab
– Mark the “Hidden items” option
4) Click “Apply” and then the “OK” button
STEP III: Enter Windows Task Manager and Stop Malicious Processes
1) Hit the following key combination: CTRL+SHIFT+ESC
2) Go to the “Processes” tab
3) When you find a suspicious process, right click on it and select “Open File Location”
4) Go back to Task Manager and end the malicious process. Right click on it again and choose “End Process”
5) Next, go to the folder where the malicious file is located and delete it
STEP IV: Remove Completely BitKangoroo Ransomware Using SpyHunter Anti-Malware Tool
The SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly.
STEP V: Repair Windows Registry
1) Again press the Windows key + R combination simultaneously
2) In the box, write “regedit” (without the inverted commas) and hit Enter
3) Press CTRL+F and then write the malicious name in the search field to locate the malicious executable
4) In case you have discovered registry keys and values related to the name, you should delete them, but be careful not to delete legitimate keys
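The process check in Step III, the registry search in Step V and the .bitkangoroo extension indicator can be run together from PowerShell. The script below is an added triage example, not part of the original guide; it only reports findings (no process is killed, nothing is deleted) and assumes the indicators named on this page: the three binary names, the drop path under %UserProfile%\AppData\Roaming, the standard HKCU/HKLM Run keys, and the Desktop as the folder the current samples encrypt.

```powershell
# Added triage script (not from the original guide). Reports the indicators this
# guide lists for BitKangoroo; it does not kill processes or delete anything.
$names    = @('BitKangoroo.exe', 'bitkangoroo.exe', 'IEAgent.exe')
$dropPath = Join-Path $env:APPDATA 'IEAgent.exe'   # %UserProfile%\AppData\Roaming\IEAgent.exe
$runKeys  = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# 1) Running processes whose image name matches a listed binary (Step III).
#    ProcessName has no extension, so ".exe" is appended before comparing.
$procs = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $names -contains ($_.ProcessName + '.exe') } |
    Select-Object Id, ProcessName, Path
if ($procs) { Write-Output '[!] Matching processes:'; $procs | Format-Table -AutoSize }
else        { Write-Output '[+] No matching process names running.' }

# 2) The dropped binary at the documented location; hash it for the incident record.
if (Test-Path $dropPath) {
    $f = Get-Item $dropPath
    Write-Output "[!] Found $dropPath ($($f.Length) bytes, modified $($f.LastWriteTime))"
    Write-Output "    SHA256: $((Get-FileHash -Path $dropPath -Algorithm SHA256).Hash)"
} else {
    Write-Output "[+] $dropPath not present."
}

# 3) Autorun values that reference any of the names (the registry search of Step V).
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($p in $item.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell provider metadata
        foreach ($n in $names) {
            if ("$($p.Value)" -like "*$n*") {
                Write-Output "[!] $key\$($p.Name) = $($p.Value)"
            }
        }
    }
}

# 4) Files already renamed with the .bitkangoroo extension (samples target the Desktop).
$desktop = [Environment]::GetFolderPath('Desktop')
$hits = @(Get-ChildItem -Path $desktop -Recurse -Filter '*.bitkangoroo' -File `
          -ErrorAction SilentlyContinue)
Write-Output "[i] .bitkangoroo files under $desktop`: $($hits.Count)"
$hits | Select-Object -First 10 -ExpandProperty FullName
```

Run it in an elevated PowerShell session so the HKLM Run key and all processes are readable; any “[!]” line points at the item to remove manually in Steps III and V.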
STEP VI: Recover Encrypted Files
1) Use existing backups
2) Use professional data recovery software
– Stellar Phoenix Data Recovery – a specialist tool that can restore partitions, data, documents, photos, and 300 more file types lost during various types of incidents and corruption.
3) Use a System Restore Point
– Hit WIN Key
– Select “Open System Restore” and follow the steps
4) Restore your personal files using File History
– Hit WIN Key
– Type “restore your files” in the search box
– Select “Restore your files with File History”
– Choose a folder or type the name of the file in the search bar
– Hit the “Restore” button
STEP VII: Preventive Security Measures
1) Enable and properly configure your Firewall.
2) Install and maintain reliable anti-malware software.
3) Secure your web browser.
4) Check regularly for available software updates and apply them.
5) Disable macros in Office documents.
6) Use strong passwords.
7) Don’t open attachments or click on links unless you’re certain they’re safe.
8) Back up your data regularly.