
BitKangoroo Ransomware

Posted: May 9, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 38
First Seen: May 9, 2017
OS(es) Affected: Windows

The BitKangoroo Ransomware is a Trojan that encrypts your files to stop you from opening them, an attack that it supplements by displaying pop-ups asking you to pay for the decryptor's key. Since this threat also may delete files periodically or under user-instigated conditions, victims should be careful to disable and remove it quickly to minimize the impact on their PCs. Most anti-malware products should uninstall the BitKangoroo Ransomware without incident, and free methods for unlocking your encrypted content are available.

The Trojan 'Root' that Boxes on a Timer

Con artists envious of the fame and fortune that other threat actors garnered in the Jigsaw Ransomware campaign appear to be trying out their own implementation of similar attacks, which use a combination of file encryption and deletion as leverage. While you may identify their new threat, the BitKangoroo Ransomware, by its pop-ups and extensions, you also will be on a time limit for saving your files. If the Trojan's incomplete features ever receive patching, any mistakes in an attempt at decryption also could cause further damage.

The BitKangoroo Ransomware's core payload is fully functional, with a basis in an AES-256 encryption routine. Test samples of the threat encrypt only files on the user's desktop, but live release versions are likely to be reconfigured to attack other areas of your PC's file system, such as the Downloads folder. The Trojan also appends a '.bitkangoroo' extension (note the persistent misspelling) to the names of the files it encrypts.

All of the above is typical for any file-encrypting Trojan whose development still is in progress. However, the BitKangoroo Ransomware also launches a pop-up for its ransom demands that contains more distinguishing characteristics, including:

  • The BitKangoroo Ransomware, like the Jigsaw Ransomware, starts a countdown that, upon reaching zero, triggers the Trojan's deletion of one of your encrypted files. It will cycle through the ticker until you disable the threat or pay the ransom. Unlike the Jigsaw Ransomware, malware experts see no evidence of the BitKangoroo Ransomware's deleting files during a system reboot.
  • The Trojan also facilitates Bitcoin-based ransom payments for unlocking your files by including fields for the built-in decryption feature, the threat actor's wallet address, and a link to an e-mail form for negotiating.
  • One last, thankfully not yet working feature of the BitKangoroo Ransomware claims to be able to delete all encrypted media for users who input the wrong decryption key. This code is unfinished and should have no effect despite the Trojan's additional warning message.
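As an added defender-side example (not code from this write-up or from the Trojan), the scan below walks a directory tree, lists files carrying the '.bitkangoroo' extension together with the name each file had before encryption, and flags any executable whose MD5 matches the sample listed under Technical Details. The sample files in `demo()` are constructed placeholders, not real artifacts.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators taken from the write-up: the appended extension and the
# MD5 of the sample listed under Technical Details.
ENCRYPTED_EXT = ".bitkangoroo"
KNOWN_SAMPLE_MD5 = "266bdcb30e433d7edee1e3ddf83fffa1"


def md5_of_file(path):
    """Stream a file through MD5 so large files need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root):
    """Return {'encrypted': {encrypted_path: original_path},
               'sample_hits': [paths of .exe files matching the known MD5]}."""
    encrypted = {}
    sample_hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                # The Trojan appends its extension, so stripping it
                # recovers the original file name for a later restore.
                original = name[: -len(ENCRYPTED_EXT)]
                encrypted[full] = os.path.join(dirpath, original)
            elif name.lower().endswith(".exe"):
                if md5_of_file(full) == KNOWN_SAMPLE_MD5:
                    sample_hits.append(full)
    return {"encrypted": encrypted, "sample_hits": sample_hits}


def demo():
    """Build a throwaway directory of constructed files and scan it."""
    tmp = tempfile.mkdtemp()
    Path(tmp, "report.docx.bitkangoroo").write_bytes(b"ciphertext-placeholder")
    Path(tmp, "notes.txt").write_bytes(b"untouched")
    exe = Path(tmp, "file.exe")
    exe.write_bytes(b"abc")  # constructed content, not the real sample
    result = scan_tree(tmp)
    result["exe_md5"] = md5_of_file(exe)
    return result


if __name__ == "__main__":
    print(demo())
```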

Hitting Back against the Kangaroo that Packs a Wallop

Malware experts took note of the absence of asymmetric, dual-layer encryption in the BitKangoroo Ransomware's payload, which other Trojans often employ to protect their encryption keys from recovery. As a direct result of this omission, third-party entities in the anti-malware sector are offering free decryption utilities for the BitKangoroo Ransomware. However, a wild version of the BitKangoroo Ransomware may contain updates not present in the current sample, and free decryption solutions aren't a perfect substitute for preserving your files with responsible backup protocols.

Because it was identified early in its campaign, the BitKangoroo Ransomware has no verified infection method yet. Con artists can distribute threats of this type through browser-based methods, such as exploit kits or spam e-mails, as well as targeted attacks that brute-force systems with weak passwords. Responsible password habits, well-maintained Web-browsing settings, and active anti-malware protection all can help find and remove the BitKangoroo Ransomware before its encryption starts.

Threats of this type are becoming more prominent than before, and the average PC user is being punished ever more frequently for not knowing the proper response to a compromise of their security. If you think that threatening software like the BitKangoroo Ransomware might be on your computer, reboot into Safe Mode or take other steps as necessary to disable it before doing anything else, including unlocking your encrypted files.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

File name: file.exe
Size: 340.99 KB (340992 bytes)
MD5: 266bdcb30e433d7edee1e3ddf83fffa1
Detection count: 69
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: May 10, 2017