Kangaroo Ransomware Removal Guide

Do you know what Kangaroo Ransomware is?

Kangaroo Ransomware is a variant of Apocalypse Ransomware, so it is not at all surprising that it easily finds ways to enter computers illegally. Researchers have found that in most cases this infection enters computers by exploiting the vulnerability in Remote Desktop Protocol (RDP); however, that is definitely not the only way it is disseminated. Even though Kangaroo Ransomware always enters computers without permission, it does not try to hide itself on the computer or work silently in the background. Instead, it opens a window when executed and starts encrypting users’ personal files after they click the Copy and Continue button placed on this window next to the Unique ID. Even though Kangaroo Ransomware is a new variant of a rather old ransomware infection, it still has one and only one goal: to obtain money from gullible users. Cyber criminals know perfectly well that users will not make a payment willingly, so they have programmed Kangaroo Ransomware to encrypt files and lock the screen to give users a reason to transfer money. Our team of experts is strictly against making payments to cyber criminals because the so-called Unlock-Password and the Kangaroo Decryption Software might not be sent to users even if they follow the decryption instructions sent to them and do what the cyber criminals ask.

Research has revealed that the entrance of Kangaroo Ransomware is followed by the encryption of files. Unfortunately, a large number of files will be encrypted, with the exception of those located in the Windows folder and having the .dat, .bat, .bin, .encrypted, .ini, .tmp, .lnk, .com, .msi, .sys, .dll, and .exe filename extensions. The encrypted files get a new filename extension, .crypted_file, for example, picture.jpg.crypted_file. There will be .txt files placed next to the locked data as well. Just like the window that Kangaroo Ransomware opens on the Desktop, they inform users that “Windows has encountered a critical problem.” Users are not told directly that a ransomware infection is active on their computers, so many of them believe that there is an issue that has to be fixed to unlock the screen and the personal data. To make users believe that there is a problem with the Windows OS, Kangaroo Ransomware also opens a window that looks like a genuine Windows warning message after every system restart. Do not believe a word written there and do not even bother sending the Unique ID provided to you to kangarooencryption@mail.ru because you will only receive instructions on how to make a payment to get the decryption software. Unfortunately, making a payment to cyber criminals might be the only way to unlock files because this ransomware infection also deletes Shadow Copies of files using the command cmd.exe /c vssadmin delete shadows /all /quiet to make sure that users do what the criminals ask. Even if the situation seems desperate and you are ready to transfer the required money, you should know that there are no guarantees that the decryption tool will be sent to you, so you should ask yourself whether those encrypted files are really so important before sending money.

Kangaroo Ransomware does more than encrypt data, create new .txt files on the system, and open a screen-locking window. Specialists have also found that it modifies the infected computer. First, it copies itself to %PROGRAMFILES%\Windows NT or %PROGRAMFILES(x86)%\Windows NT the second it sneaks onto the computer and is executed. Secondly, it creates values in the Run registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (to be able to launch again after a reboot) and in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. The only way to undo all those changes is to fully remove Kangaroo Ransomware, so you should do that as soon as possible. You will be able to use your computer normally only once you have gotten rid of it fully.

Since Kangaroo Ransomware is a serious computer infection, do not expect to erase it easily. The first thing you will have to do is boot into Safe Mode with Networking. After that, you can use the manual removal instructions below this article to get rid of the infection, or you can open Internet Explorer and download an automatic malware remover, such as SpyHunter. Either way, make sure you erase Kangaroo Ransomware fully from your PC, even though doing so will not unlock your files.

Delete Kangaroo Ransomware manually

Start Windows in Safe Mode with Networking

Windows 10

  1. Restart your PC.
  2. Hold the Shift key while selecting Power.
  3. Click Restart.
  4. Click Troubleshoot.
  5. Select Advanced options.
  6. Click Startup settings.
  7. Click Restart.
  8. Tap F5 to enable Safe Mode with Networking.

Windows 8/8.1

  1. Reboot your PC.
  2. Press and hold the Shift key at the login screen and click Power.
  3. Select Restart.
  4. Click Troubleshoot.
  5. Click Advanced options.
  6. Click Startup Settings.
  7. Click Restart.
  8. Press 5 on your keyboard.

Windows XP/Vista/7

  1. Start tapping F8 immediately after your PC is powered or restarted.
  2. Select Safe Mode with Networking from the menu using the arrow keys.
  3. Tap Enter.

Remove Kangaroo Ransomware

  1. Tap Win+E.
  2. Open %PROGRAMFILES%\Windows NT or %PROGRAMFILES(x86)%\Windows NT (copy and paste the directory into the address bar and tap Enter).
  3. Delete the explorer.exe file.
  4. Locate and remove the malicious file you have recently downloaded and opened.
  5. Tap Win+R.
  6. Type regedit.exe in the box and click OK.
  7. Move to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and delete the Windows Explorer value (right-click on it and select Delete) having data C:\Program Files (x86)\Windows NT\explorer.exe or C:\Program Files\Windows NT\explorer.exe.
  8. Open HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
  9. Right-click and delete LegalNoticeText.
  10. Reboot your PC.
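
A read-only PowerShell check for the artifacts named in the steps above, useful for confirming what is present before deleting anything and for verifying the cleanup after the reboot. It is an added example, not part of the original guide, and assumes PowerShell 4.0 or later; the $findings list and its field names are illustrative.

```powershell
# Added example: read-only check for the artifacts named in the removal steps.
# Assumes PowerShell 4.0 or later (Get-FileHash). Nothing is deleted or changed.
$findings = @()

# 1. Dropped copy: explorer.exe under "Windows NT" in either Program Files folder.
$dirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | Select-Object -Unique
foreach ($dir in $dirs) {
    $exe = Join-Path (Join-Path $dir 'Windows NT') 'explorer.exe'
    if (Test-Path -LiteralPath $exe -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Artifact = 'Dropped file'; Location = $exe; Detail = "SHA256 $hash" }
    }
}

# 2. Persistence: the "Windows Explorer" value in the HKLM Run key.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -LiteralPath $runKey -Name 'Windows Explorer' -ErrorAction SilentlyContinue
if ($run) {
    $findings += [pscustomobject]@{
        Artifact = 'Run value'; Location = $runKey; Detail = $run.'Windows Explorer' }
}

# 3. LegalNoticeText under Winlogon (Windows displays it before sign-in). A non-empty
#    value can also be a logon banner set by an administrator, so read it first.
$logonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$notice = (Get-ItemProperty -LiteralPath $logonKey -Name 'LegalNoticeText' -ErrorAction SilentlyContinue).LegalNoticeText
if ($notice) {
    $findings += [pscustomobject]@{
        Artifact = 'Logon notice'; Location = $logonKey; Detail = $notice }
}

# 4. Scope of the damage: files renamed with the .crypted_file extension.
$locked = @(Get-ChildItem -LiteralPath $env:USERPROFILE -Recurse -File -Filter '*.crypted_file' -ErrorAction SilentlyContinue)
if ($locked.Count -gt 0) {
    $findings += [pscustomobject]@{
        Artifact = 'Encrypted files'; Location = $env:USERPROFILE; Detail = "$($locked.Count) file(s)" }
}

if ($findings.Count -eq 0) { 'No Kangaroo Ransomware artifacts from the guide were found.' }
else { $findings | Format-List }
```

The check covers only the current user's profile in step 4; point it at other drives or profiles to count encrypted files elsewhere.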

In non-techie terms:

If you have fully removed Kangaroo Ransomware and can use your PC normally now, it does not mean that your system is clean. It may well be that many other infections are working in the background without your knowledge. Therefore, it would be wise to scan your PC for other threats as well. Use a reputable scanner to carry out this important task.