The cybercriminal gang behind the notorious Fabiansomware, Esmeralda and Apocalypse ransomware families has recently added one more threat to its arsenal: the Kangaroo ransomware.
Kangaroo, however, differs from the majority of ransomware infections in a couple of ways. First, it uses a Windows legal notice as its ransom note, so the note is displayed before the victim can log in to Windows; nobody reaches the desktop without seeing it. Second, once started, the ransomware terminates the Explorer process and prevents Task Manager from launching, which locks its victims out of Windows until they pay the demanded ransom or remove the infection. This screenlocker can be disabled by pressing ALT+F4 or by booting into Safe Mode, but many non-professional users are still effectively prevented from using their machines.
Another thing that sets Kangaroo apart is the way it is installed. Unlike most ransomware threats, which are spread via exploit kits (EKs), spam campaigns, cracks, compromised sites, Trojans and the like, Kangaroo is installed manually by its developers. They break into their targets' computers over Remote Desktop and execute the ransomware by hand. The ransomware then displays a screen containing the victim's unique ID and encryption key, and copies this information to the Windows clipboard so that the attackers can save it.
After that, Kangaroo starts the encryption process, appending the ".crypted_file" extension to the name of each locked file. Another interesting trait is that it creates an individual ransom note for each file it encrypts, named in the format filename.Instructions_Data_Recovery.txt. For instance, if the encrypted file was named "picture.jpg", its ransom note will be named "picture.jpg.Instructions_Data_Recovery.txt".
Once the encryption process is complete, Kangaroo displays a fake lock screen stating that there is a critical problem with the victim's computer and that their data has been encrypted. Kangaroo also provides an email address, firstname.lastname@example.org, via which victims are told to contact the attackers and receive instructions on how to recover their data.
Moreover, Kangaroo sets the "LegalNoticeText" value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, which makes Windows show the victim a legal notice that must be acknowledged before they are able to log in.
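The two host artifacts described above, the Winlogon legal-notice value and the per-file naming scheme, are what an incident responder would check first. The following PowerShell triage script is an added example, not code from the article or from the ransomware's authors. It reads the Winlogon LegalNoticeText and LegalNoticeCaption values (and can clear them once they have been captured as evidence), pairs each *.crypted_file with the note the article says is written next to it, and, as an extra check the article itself does not describe, lists RemoteInteractive (logon type 10) logons from Security event 4624, since the operators are said to come in over Remote Desktop. The function names and the C:\Users scan root are my own assumptions; the registry path, the extension and the note naming come from the article.

```powershell
# Added triage script (not from the original article). Run in an elevated
# PowerShell session on the affected host. Names below are illustrative.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-LegalNoticeArtifact {
    # Returns the Winlogon logon-banner values. A non-empty LegalNoticeText on a
    # host that has no corporate logon banner policy is suspicious.
    $props = Get-ItemProperty -Path $WinlogonKey -ErrorAction Stop
    [pscustomobject]@{
        LegalNoticeCaption = $props.LegalNoticeCaption
        LegalNoticeText    = $props.LegalNoticeText
        Suspicious         = -not [string]::IsNullOrWhiteSpace($props.LegalNoticeText)
    }
}

function Clear-LegalNoticeArtifact {
    # Remediation: empty the banner so the logon screen is usable again.
    # Only run this after Get-LegalNoticeArtifact has been recorded as evidence.
    Set-ItemProperty -Path $WinlogonKey -Name 'LegalNoticeText' -Value ''
    Set-ItemProperty -Path $WinlogonKey -Name 'LegalNoticeCaption' -Value ''
}

function Get-KangarooEncryptedFiles {
    param([Parameter(Mandatory)][string]$Root)
    # Pairs each *.crypted_file with the per-file note described in the article:
    # the note is keyed on the original name, so picture.jpg.crypted_file should
    # sit next to picture.jpg.Instructions_Data_Recovery.txt.
    Get-ChildItem -Path $Root -Recurse -File -Filter '*.crypted_file' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $originalName = $_.Name -replace '\.crypted_file$', ''
            $notePath = Join-Path $_.DirectoryName "$originalName.Instructions_Data_Recovery.txt"
            [pscustomobject]@{
                EncryptedFile = $_.FullName
                OriginalName  = $originalName
                NotePresent   = Test-Path -LiteralPath $notePath
                NotePath      = $notePath
            }
        }
}

function Get-RdpLogons {
    param([int]$Days = 7)
    # Interactive RDP logons are recorded as Security event 4624 with
    # LogonType 10 (RemoteInteractive); this shows when and from where
    # someone came in over Remote Desktop.
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['LogonType'] -eq '10') {
                [pscustomobject]@{
                    Time     = $_.TimeCreated
                    User     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                    SourceIp = $data['IpAddress']
                }
            }
        }
}

# Example run: capture the banner, inventory encrypted files, list RDP logons.
Get-LegalNoticeArtifact | Format-List
$encrypted = Get-KangarooEncryptedFiles -Root 'C:\Users'
"Encrypted files found: $($encrypted.Count)"
$encrypted | Select-Object -First 20 | Format-Table -AutoSize
Get-RdpLogons -Days 14 | Sort-Object Time | Format-Table -AutoSize
```

Record the output of Get-LegalNoticeArtifact and the RDP logon list before clearing anything; the banner text and the source IP of the RemoteInteractive logon are the evidence that ties the infection to the manual intrusion the article describes.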
Unfortunately, at the moment there is no free decryptor available for files locked by Kangaroo.