Although BitKangoroo is still in development, the ransomware erases users’ files if they don’t pay the ransom in time.
The malware does not look like the work of an experienced developer, and it can currently encrypt only files located in the Desktop folder. However, given its ability to delete users’ files, BitKangoroo has the potential to become a very dangerous threat in the future.
As soon as the ransomware enters the PC, it starts encrypting the user’s files with AES-256 and appends the .bitkangoroo extension to each affected file. When the process is complete, a ransom message appears, informing the victim that their files have been encrypted and that 1 Bitcoin must be paid to the attackers to release the data.
In addition, the message warns that one file will be deleted every hour until the ransom has been paid, and a countdown is displayed on the PC monitor. After deleting an encrypted file, BitKangoroo resets the timer to 60 minutes.
BitKangoroo is not the first ransomware family capable of deleting the user’s data if a payment is not made. However, previous threats gave victims more time before taking such action.
The good news is that the malware’s encryption has already been cracked and a free decryption tool, named BitKangarooDecrypter, has been released.
Unfortunately, the malware creators included code meant to delete all of the encrypted files if the victim enters the wrong decryption key (a warning message is displayed when the user clicks the Decrypt my files button). However, this code does not work, so the ransomware cannot erase the user’s data this way.
The message displayed by BitKangoroo ransomware also includes a Bitcoin address to which victims are told to send the ransom payment, and it gives them a way to contact the malware creators via email. Currently, the address is email@example.com.
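A defender's triage example for the behaviour described above (the .bitkangoroo extension, the Desktop-only scope and the hourly deletion), added here and not taken from the original article or from the decryption tool: it copies the encrypted files to a separate location and records their SHA-256 hashes so that copies survive the deletion timer. The function name, manifest fields and paths are assumptions, and the vault directory is assumed to lie outside the Desktop folder.

```python
import hashlib
import tempfile
from pathlib import Path

EXTENSION = ".bitkangoroo"  # extension the article says is appended to each file


def preserve_encrypted_files(desktop: Path, vault: Path) -> list:
    """Copy every *.bitkangoroo file under `desktop` into `vault`.

    Returns a manifest: one dict per file with its source path, the name it
    had before the extension was appended, the copy's path, size and SHA-256.
    """
    vault.mkdir(parents=True, exist_ok=True)
    manifest = []
    for src in sorted(desktop.rglob("*")):
        if not src.is_file() or src.suffix.lower() != EXTENSION:
            continue
        try:
            data = src.read_bytes()
        except OSError:
            # The file may have been removed by the hourly timer mid-scan.
            continue
        digest = hashlib.sha256(data).hexdigest()
        # Hash prefix keeps same-named files from different subfolders apart.
        dest = vault / f"{digest[:16]}_{src.name}"
        if not dest.exists():
            dest.write_bytes(data)
        manifest.append({
            "source": str(src),
            "original_name": src.name[: -len(EXTENSION)],
            "copy": str(dest),
            "size": len(data),
            "sha256": digest,
        })
    return manifest


if __name__ == "__main__":
    # Constructed sample data: a fake Desktop with two "encrypted" files.
    with tempfile.TemporaryDirectory() as tmp:
        desktop, vault = Path(tmp) / "Desktop", Path(tmp) / "vault"
        (desktop / "work").mkdir(parents=True)
        (desktop / "photo.jpg.bitkangoroo").write_bytes(b"\x00" * 64)
        (desktop / "work" / "plan.xlsx.bitkangoroo").write_bytes(b"\x01" * 64)
        (desktop / "readme.txt").write_text("not encrypted")
        for entry in preserve_encrypted_files(desktop, vault):
            print(entry["original_name"], entry["sha256"][:16], entry["copy"])
```

The manifest can be compared against the Desktop later to see which files the timer has already removed.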