News Brief: BitKangoroo Ransomware Deletes Your Files If You Do not Pay

KNOWLEDGE BELONGS TO THE WORLD
Share on FacebookTweet about this on TwitterShare on LinkedInShare on RedditShare on Google+Share on TumblrPin on PinterestDigg this

I am trying something new where I will post in brief articles about new ransomware as they are released. Many of these ransomware infections do not warrant a full article, but I feel its important to quickly get the word out about new techniques or variants as we discover them.

In our first ransomware in brief article, we are taking a look at a new in-development ransomware called BitKangoroo that I discovered today. Yes, I know, skidz can’t spell. This particular ransomware is developed by a real scumbag who intends to delete a victims files if they do not pay fast enough.

In summary, this ransomware will encrypt a victim’s files using AES-256 encryption and append the .bitkangoroo extension to encrypted files. It will then display a 60 minute countdown that when reached will cause the ransomware to delete one encrypted file. Once it deletes a file, it will reset the timer back to 60 minutes.  Most importantly, this ransomware can be decrypted for free using Michael Gillespie’s BitKangarooDecrypter.

You can see the lock screen for BitKangoroo below.

BitKangoroo Ransom Screen

As this ransomware is currently in-development, the ransomware only encrypts files on the Desktop. It also contains non-working code that will cause ALL of the encrypted files to be deleted if the victim enters the wrong decryption key. You can see the warning message below that is displayed when you click on the Decrypt my files button.

File Deletion Warning

Here is the code that deletes all of the encrypted files:

Erasing Files
Erasing Files

Finally, the ransomware screen contains a label that when clicked on opens a form to email the ransomware developer. The current email being used is bitkangoroo@mailinator.com and you can see an example of the email below.

Email to Ransomware Dev

If the status of this ransomware changes, I will update the article.

If you find these brief writeups useful, please let me know so I can decide if I should continue doing them.

IOCS:

Hashes:

SHA256: 810f9bff502d2c9a98164201590eed5ff2cc96cd42a5d6008af93ecfc8bf9c13

Associated Files:

%UserProfile%\AppData\Roaming\IEAgent.exe

Associated Emails:

bitkangoroo@mailinator.com

Source:https://www.bleepingcomputer.com/news/security/news-brief-bitkangoroo-ransomware-deletes-your-files-if-you-do-not-pay/

KNOWLEDGE BELONGS TO THE WORLD
Share on FacebookTweet about this on TwitterShare on LinkedInShare on RedditShare on Google+Share on TumblrPin on PinterestDigg this