BitKangoroo Ransomware - How To Remove?


The rudimentary BitKangoroo crypto-virus was discovered yesterday, and security researchers have already produced a free decrypter for it. There is no need to pay 1 BTC (approximately 1699.33 US Dollars) to the 18aRr8X8TEum1cLcCZLRZw7HJTdboSawTw bitcoin wallet. Files are encrypted with the AES-256 cipher, but the ransomware was not programmed well enough, which is what makes free decryption possible. On the other hand, this variant could still be in development, and the detected sample may only have been a test run. The ransomware displays a lock screen that presents the basic information about the infection. One of its nastier traits is that it does not wait for victims to decide whether paying the ransom is their only option: the attackers put users on a timer, and if a transaction takes too long, all files are deleted.

Main traits of BitKangoroo ransomware

A rogue file named IEAgent.exe serves as the payload of this ransomware. It is presumably dropped in the AppData directory, and from there it begins making changes to the operating system. Once Windows Registry keys have been modified so that the harmful application runs every time the device is restarted, the malicious process can be spotted in Windows Task Manager. According to security researchers, IEAgent.exe is not an essential part of Windows, and this process frequently indicates an infection.
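The persistence and process checks described above can be scripted instead of clicking through Task Manager and regedit. The following is an added example, not code from the original article: it reads the per-user and machine-wide Run/RunOnce keys, flags any entry that launches the file name taken from the article (IEAgent.exe) from under a profile's AppData folder, and lists running processes with that image name together with their on-disk location. The key list, the AppData path test and the default image name are assumptions of this example; run it from an elevated PowerShell prompt on the machine under review.

```powershell
# Added example (not part of the original article): triage check for the
# Run-key persistence and the IEAgent.exe process described in the text.
# Assumptions: only the four Run/RunOnce keys below are inspected, and a
# payload living under \AppData\ is treated as suspicious.

function Get-RunKeyEntries {
    # Autostart values in the per-user and machine-wide Run/RunOnce keys.
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Properties that Get-ItemProperty adds itself, not registry values.
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($meta -contains $p.Name) { continue }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
}

function Test-SuspiciousAutostart {
    param(
        [Parameter(Mandatory)][string]$Command,
        [string]$ImageName = 'IEAgent.exe'   # file name named in the article
    )
    # Drop quotes and expand %APPDATA%-style variables so the path test is reliable.
    $expanded = [Environment]::ExpandEnvironmentVariables(($Command -replace '"', ''))
    $mentionsImage = $expanded -match [regex]::Escape($ImageName)
    $inAppData     = $expanded -match '\\AppData\\'
    return ($mentionsImage -and $inAppData)
}

function Get-SuspiciousProcesses {
    param([string]$ImageName = 'IEAgent.exe')
    # Any running copy of the image is reported; the path tells you whether it
    # lives in a Windows directory or in a user profile.
    Get-CimInstance Win32_Process |
        Where-Object { $_.Name -ieq $ImageName } |
        ForEach-Object {
            [pscustomobject]@{
                ProcessId = $_.ProcessId
                Path      = $_.ExecutablePath
                InAppData = ($_.ExecutablePath -match '\\AppData\\')
            }
        }
}

# Report: autostart entries that match, then matching live processes.
Get-RunKeyEntries |
    Where-Object { Test-SuspiciousAutostart -Command $_.Command } |
    Format-Table Key, Name, Command -AutoSize
Get-SuspiciousProcesses | Format-Table -AutoSize
```

An empty report does not prove the machine is clean (the sample may use a different key or file name), but a hit on both lists is exactly the pattern the article describes, and the Key/Name pair tells you which registry value to remove once the process has been stopped.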


What is curious about the BitKangoroo virus is that it gives victims a very limited amount of time to properly consider their options. This feature was presumably designed in the hope that people will act hurriedly and not learn about free decryption methods. First, 60 minutes are given as the initial chance to make a transaction. If the hackers do not receive an email confirming that the fee has been sent, one file is deleted as a warning. Then another 60-minute countdown starts. After it runs out, the punishment is harsher: all encrypted data, carrying the .bitkangoroo extension, is deleted.


What is more, users get only a single attempt to restore their files by typing in the correct decryption code. If the code turns out to be wrong, the infection claims it will destroy all encrypted files; however, this feature is not currently complete. Victims who choose to pay are expected to contact the crooks via email. There is no need to do so, because the files can be decrypted with the free decryption software. Download it here.

Tips to secure your files from encryption

For future reference, we also provide the most helpful recommendations for keeping files safe from encryption. Always store your files in backup storage: if the copies in the first location become corrupted, you can retrieve them from the other one. Some people also keep their files on USB flash drives, which can serve as an alternative to online backup services. These options are both easy to set up and convenient. Please consider them.

Ways to transmit ransomware payloads

Ransomware samples are usually distributed via malicious spam campaigns, exploit kits or social networking sites. On the latter, deceptive files and links to fake articles can be the source of a crypto-virus. If you have been tagged in a post with a link to an allegedly shocking website, do not follow it blindly. Pornographic material is also occasionally included in rogue posts that distribute Trojans. Furthermore, if your email inbox receives a message from an unknown source, do not be hasty about opening or replying to it. Malicious attachments such as .doc files can contain hidden macros.

How to recover BitKangoroo ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points available from before the BitKangoroo virus infiltrated your system, then click “Next”.
  • To start System Restore, click “Yes”.
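Choosing a restore point from "before the virus infiltrated your system" is easier when you know when the encryption actually started. The script below is an added example, not part of the original guide: it takes the oldest file carrying the .bitkangoroo extension as the start of the infection and lists only the restore points created before that moment, so you can pick the newest safe one. It assumes an elevated Windows PowerShell 5.1 session (launch powershell from the Safe Mode command prompt); the search root and the use of the file's last-write time as the cut-off are assumptions of this example, and Get-ComputerRestorePoint is not available in PowerShell 6 and later.

```powershell
# Added example (not part of the original guide): find restore points that
# predate the first .bitkangoroo file. Requires elevated Windows PowerShell 5.1.

function Get-EncryptionStartTime {
    param(
        [string]$Root = $env:USERPROFILE,     # assumption: user profile is where encryption is visible
        [string]$Extension = '.bitkangoroo'   # extension named in the article
    )
    # The oldest encrypted file approximates when the ransomware began its work.
    $oldest = Get-ChildItem -Path $Root -Recurse -File -Filter "*$Extension" -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime | Select-Object -First 1
    if ($null -eq $oldest) { return $null }
    return $oldest.LastWriteTime
}

function Get-RestorePointsBefore {
    param([Parameter(Mandatory)][datetime]$Cutoff)
    Get-ComputerRestorePoint | ForEach-Object {
        # CreationTime is a DMTF datetime string such as 20170509010500.000000-000
        $created = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
        [pscustomobject]@{
            SequenceNumber = $_.SequenceNumber
            Created        = $created
            Description    = $_.Description
            Type           = $_.RestorePointType
        }
    } | Where-Object { $_.Created -lt $Cutoff } | Sort-Object Created -Descending
}

$start = Get-EncryptionStartTime
if ($null -eq $start) {
    Write-Host 'No .bitkangoroo files found under the profile; using the current time as cut-off.'
    $start = Get-Date
}
Write-Host "Earliest encrypted file written at: $start"

$candidates = Get-RestorePointsBefore -Cutoff $start
if (-not $candidates) {
    Write-Host 'No restore point predates the infection; skip to the Shadow Volume Copy or data recovery steps.'
} else {
    $candidates | Format-Table -AutoSize
    # To roll back to the newest restore point that predates the infection:
    #   Restore-Computer -RestorePoint $candidates[0].SequenceNumber
}
```

The rollback line is left commented out on purpose: review the list first, because a restore point created during the infection (for example by an installer the payload triggered) would bring the malware back with it.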

Step 2. Complete removal of BitKangoroo ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program such as Reimage and remove all malicious files related to the BitKangoroo virus. You can check other tools here.

Step 3. Restore BitKangoroo ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually the BitKangoroo virus tries to delete all available Shadow Volume Copies, so this method may not work on every computer; however, the deletion sometimes fails, so it is worth checking.

Shadow Volume Copies are only available on Windows XP Service Pack 2, Windows Vista, Windows 7 and Windows 8. There are two ways to retrieve your files from a Shadow Volume Copy: using the native Windows Previous Versions feature, or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous Versions tab. You will see all available copies of that particular file and the time each was stored in a Shadow Volume Copy. Choose the version you want to retrieve and click Copy to save it to a directory of your choice, or Restore to replace the existing encrypted file. To see the file's content first, click Open.

b) Shadow Explorer

Shadow Explorer is a program that can be found online for free, in either a full or a portable version. Open the program and, in the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”, then choose where you want it to be stored.
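Both methods above drive the same Volume Shadow Copy service, so the check "did the ransomware manage to delete the snapshots?" and the file retrieval can also be scripted. The following is an added example, not code from the original guide or from Shadow Explorer: it enumerates the shadow copies of the volume that holds an encrypted file, picks the newest snapshot older than a cut-off time you supply, exposes it through a temporary directory symbolic link, and copies the pre-encryption version of the file out. The link path, the cut-off, the sample file paths and the assumption that the original name is the encrypted name minus the .bitkangoroo suffix are all assumptions of this example; it needs an elevated prompt.

```powershell
# Added example (not part of the original guide): enumerate Shadow Volume
# Copies and pull one file out of a snapshot. Requires an elevated prompt.
# Assumptions: link path C:\ShadowLink is free, and the original file name is
# the encrypted name with the .bitkangoroo suffix removed.

function Get-VolumeShadowCopies {
    param([Parameter(Mandatory)][string]$DriveLetter)   # e.g. 'C:'
    # Win32_ShadowCopy refers to volumes by their \\?\Volume{GUID}\ name, so
    # translate the drive letter first.
    $vol = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -ieq $DriveLetter }
    if ($null -eq $vol) { throw "No volume mounted at $DriveLetter" }
    Get-CimInstance Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $vol.DeviceID } |
        ForEach-Object {
            [pscustomobject]@{
                Id      = $_.ID
                Created = $_.InstallDate      # already a [datetime] with Get-CimInstance
                Device  = $_.DeviceObject     # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
            }
        } | Sort-Object Created -Descending
}

function Restore-FileFromShadow {
    param(
        [Parameter(Mandatory)][string]$EncryptedPath,   # absolute path of the .bitkangoroo file
        [Parameter(Mandatory)][string]$Destination,     # where to write the recovered copy
        [datetime]$Cutoff = (Get-Date),                 # only snapshots older than this are used
        [string]$LinkPath = 'C:\ShadowLink'             # assumption: temporary link location
    )
    $originalPath = $EncryptedPath -replace '\.bitkangoroo$', ''
    $drive    = [System.IO.Path]::GetPathRoot($originalPath).TrimEnd('\')   # 'C:'
    $relative = $originalPath.Substring($drive.Length).TrimStart('\')

    $shadow = Get-VolumeShadowCopies -DriveLetter $drive |
        Where-Object { $_.Created -lt $Cutoff } | Select-Object -First 1
    if ($null -eq $shadow) {
        # Nothing to recover from: the ransomware deleted the snapshots, or none predate the cut-off.
        throw "No shadow copy of $drive older than $Cutoff"
    }

    # Shadow copy device paths cannot be browsed directly; a directory symlink
    # makes the snapshot visible as an ordinary folder. The trailing backslash matters.
    cmd.exe /c mklink /d $LinkPath "$($shadow.Device)\" | Out-Null
    try {
        $source = Join-Path $LinkPath $relative
        if (-not (Test-Path $source)) {
            throw "$relative is not present in the snapshot taken $($shadow.Created)"
        }
        Copy-Item -Path $source -Destination $Destination
        return (Get-Item $Destination)
    } finally {
        # Remove only the link; the snapshot itself is untouched.
        cmd.exe /c rmdir $LinkPath | Out-Null
    }
}

# Usage (paths and cut-off are constructed for illustration):
Get-VolumeShadowCopies -DriveLetter 'C:' | Format-Table -AutoSize
# Restore-FileFromShadow -EncryptedPath 'C:\Users\me\Documents\report.docx.bitkangoroo' `
#                        -Destination 'D:\recovered\report.docx' -Cutoff (Get-Date).AddDays(-1)
```

If Get-VolumeShadowCopies returns nothing, the snapshots are gone and you are in the situation the guide warns about; move on to Step 4. Pass the timestamp of the oldest encrypted file as the cut-off so that a snapshot taken while the encryption was already running is not chosen.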

Step 4. Use Data Recovery programs to recover BitKangoroo ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try the following:

  • We suggest using another PC and connecting the infected hard drive as a slave drive; it is still possible to do this on the infected PC, though.
  • Download Data Recovery Pro (commercial).
  • Install it and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. We therefore recommend using decent cloud backup software as a precaution; consider Carbonite, BackBlaze, CrashPlan or Mozy Home.


About the author

 - Main Editor
I started in 2007 after wanting to be more or less independent from a single security program maker. Since then, we have kept working on this site to make the internet a better and safer place.
May 9, 2017 01:05, June 30, 2017 09:19
