Kangaroo ransomware encrypts your files and locks you out of Windows

khushaartanveer@gmail.com' By: Khushaar Tanveer
2 minute read

We are all familiar with the  Fabiansomware, Esmeralda, and the Apocalypse ransomware. For those who are not, they are pieces of malicious code all constructed by singular a cybercriminal gang. And now, they have made a return and upped their game with another powerful bit of infection with the name ‘Kangaroo‘.

The Kangaroo ransomware is known to extort money from innocent victims. The approach used is an old yet an effective one. The ransomware has been affirmed to locks users out from their computer, making it inoperable in a bid to convince them to pay up. What makes this ransomware stand out from other crypto-malware variants is its fake legal notice.

Just like the DXXD ransomware, users have a notice thrown in their faces after they log in. Moreover, users are denied the privilege to start a Task Manager or access the Explorer.exe responsible for displaying the Windows UI. Then, users are given a ransom to regain access to their files and their personal space.

Though the screen locker can be disabled in Safe Mode or by pressing the ALT+F4 keys combination, for many casual computer users, this could prevent them from using their computer.

Kangaroo ransomware installation

The installation process of the ransomware is significantly different from other common approaches. Instead of mainstream exploit kits, cracks, compromised sites, or Trojans, Kangaroo ransomware is installed manually by hacking into RDP.

Developers use Remote Desktop to gain unauthorized access to a user’s computer and execute the infected file containing the ransomware. A screen is then shown that displays the victim’s unique ID and their encryption key.

By selecting copy and continue, users allow the ransomware to starting the encryption process of their personal data. The ransomware also appends the .crypted_file extension to an encrypted file’s name. After process completion, the ransomware shows a fake lock screen. It suggests that there is a critical problem with the computer and that the data was encrypted. It then provides instructions on how to contact the developer at kangarooencryption@mail.ru to restore the data.

How to remove the Kangaroo ScreenLocker

To regain access to their Windows desktop, users will need to disable the Kangaroo executable from running. To achieve this, the targeted user will need to boot the computer into Windows Safe Mode. Then, they will be granted access to their OS again. Once logged into Windows Safe Mode, they can run the msconfig.exe and disable the malware from running.


For various PC problems, we recommend this tool.

This software will repair common computer errors, protect you from file loss, malware, hardware failure and optimize your PC for maximum performance. Fix PC issues now in 3 easy steps:

  1. Download this PC Repair Tool rated "Excellent" on TrustPilot.com.
  2. Click “Start Scan” to find Windows issues that could be causing PC problems.
  3. Click “Repair All” to fix all issues with Patended Technologies (requires upgrade).

Next up

Best Windows 10 antivirus software to use in 2018

By: Radu Tyrsina
7 minute read

Update – 2018 will soon come to an end and we already have a guide on what is the best antivirus you should get in […]

Continue Reading

These features are out for good with Windows 10 version 1809

iamsovy@gmail.com' By: Sovan Mandal
2 minute read

Microsoft is all set to launch its next big update, Windows 10 version 1809 in October. While that should be a nice piece of news […]

Continue Reading

Windows 10 18H2 builds no longer receive new features

By: Matthew Adams
3 minute read

The Windows 10 October 2018 Update (otherwise 18H2) rollout might now be two to three weeks away. For the last few months, new build previews […]

Continue Reading