Don’t Get Locked Out of Windows!

The Kangaroo Ransomware not only Encrypts your Data but tries to Lock you out of Windows

The Kangaroo ransomware is the latest ransomware from the developer behind the Apocalypse Ransomware, Fabiansomware, and Esmeralda. What makes this version stand out a bit more is the use of a legal notice as a ransom note that is displayed to all victims before they login to their computer. This makes it so a victim has to view the ransom note before they are able to login to Windows.

Also, due to the ransomware terminating the Explorer processes when started and preventing the launching of Task Manager, it essentially locks a user out of Windows until they pay the ransom or remove the infection. Though the screenlocker can be disabled in Safe Mode or by pressing the ALT+F4 keyboard combination, for many casual computer users this would essentially prevent them from using their computer.

Kangaroo is installed manually by Hacking into RDP

Unlike most other ransomware infections, this family is not spread through exploit kits, cracks, compromised sites, or Trojans, but instead by the developer manually hacking into computers using Remote Desktop. When the dev hacks into a computer and executes the ransomware, a screen will be shown that contains the victim’s unique ID and their encryption key.


When the developer clicks on Copy and Continue, the information will be copied into the Windows clipboard so that developer can save it. The ransomware will then begin to encrypt the computer’s files and will append the .crypted_file extension to an encrypted file’s name. This ransomware also performs the strange practice of creating an individual ransom note for every file that is encrypted. These ransom notes will be in the format of filename.Instructions_Data_Recovery.txt.

When finished Kangaroo will display a lock screen that displays a fake screen implying that there is a critical problem with the computer and that the data was encrypted. It then provides instructions on how to contact the developer at to restore the data.


This ransomware will also configure the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon “LegalNoticeText” registry value so that it shows a legal notice that a user must read before they are shown the Windows login prompt. This guarantees that a victim, or a computer’s administrator, will see the ransom note the next time they login.


While at this time, there is no way to decrypt the encrypted files for free, it is possible to remove the screenlocker portion so that victims can use their computer again. For those who need help with this, I provide instructions in the next section.

Kangaroo encrypted files cannot be decrypted for free.

Unfortunately, files encrypted by the Kangaroo ransomware cannot be decrypted for free.

The only way to recover encrypted files is via a backup, or if you are incredibly lucky, through Shadow Volume Copies. Though Kangaroo does attempt to remove Shadow Volume Copies, in rare cases ransomware infections fail to do so for whatever reason. Due to this, if you do not have a viable backup, I always suggest people try as a last resort to restore encrypted files from Shadow Volume Copies as well.



Originally Alameda Typewriter, ABM COMPUTERS has served the entire San Francisco Bay Area with professional, first-rate IT support and computer sales from the same location since 1939. Building on decades of experience, along with a dedicated team, we continue to provide in-shop and on-site standout, services and comprehensive, affordable solutions for all your computing needs.

Posted on November 29, 2016, in Computer Advice. Bookmark the permalink. Leave a comment.

Comments are closed.

%d bloggers like this: