We have recently discussed ransomware getting alarmingly sophisticated, with cybercriminals upping their game to extort more money from their victims. This is affirmed yet again by another type of ransomware that locks users out of their computer, rendering it unusable until they finally pay up.
In a report by Bleeping Computer, the Kangaroo ransomware stands out from the common crypto-malware variants by using a fake legal notice, displayed right before a user logs in to their computer, similar to the DXXD ransomware. To make things worse, the malware prevents the victim from using Task Manager and disables Explorer.exe, the process responsible for drawing the Windows desktop UI.
The ransomware is not spread through the usual methods like malicious downloaded files or compromised websites. Instead, an attacker has to manually get into the victim's computer over Remote Desktop. Once they execute the Kangaroo ransomware, a window is shown displaying the victim's unique ID and the encryption key.
After this, the ransomware begins to encrypt files, appending the .crypted_file extension to each encrypted file's name. When finished, it displays a lock screen stating that there is a critical problem with the computer and that the victim's data has been encrypted, along with instructions on how to pay the perpetrators.
It doesn't stop there either: as mentioned earlier, it displays a similar note whenever the victim boots up their computer, and disables certain features to further pressure them into handing over their money.
Unfortunately, there is no known method to decrypt the files. However, Bleeping Computer has found a way to disable the lock screen on boot: victims can boot into Safe Mode and disable the startup item that launches the malware. Bleeping Computer's report explains the steps.
Following this method lets you boot fully into the system, but, again, it does not recover the encrypted files.
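As an added example (not from Bleeping Computer or the original post), here is a small Python triage script that scopes an infection by the .crypted_file extension described above: it inventories the encrypted files, recovers their original names and extensions, and reports the encryption time window. The sample directory tree it builds is constructed here for demonstration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extension Kangaroo appends to every file it encrypts (from the report).
CRYPTED_SUFFIX = ".crypted_file"


def find_crypted(root):
    """Walk `root` and return every path carrying the .crypted_file suffix."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(CRYPTED_SUFFIX):
                hits.append(Path(dirpath) / name)
    return hits


def original_name(path):
    """Strip the appended suffix to recover the pre-encryption file name."""
    return Path(path).name[: -len(CRYPTED_SUFFIX)]


def triage(root):
    """Summarise an infection: count, affected directories, original file
    types hit, and the first/last modification time of the encrypted files."""
    hits = find_crypted(root)
    if not hits:
        return {"count": 0}
    by_dir = Counter(str(p.parent) for p in hits)
    by_ext = Counter(Path(original_name(p)).suffix.lower() or "(none)" for p in hits)
    mtimes = [p.stat().st_mtime for p in hits]
    return {"count": len(hits), "by_dir": dict(by_dir),
            "by_orig_ext": dict(by_ext), "first": min(mtimes), "last": max(mtimes)}


def make_sample(root):
    """Constructed sample tree: two encrypted documents plus one untouched file."""
    docs = Path(root) / "Documents"
    docs.mkdir(parents=True, exist_ok=True)
    (docs / "budget.xlsx.crypted_file").write_bytes(b"\x00" * 16)
    (docs / "notes.txt.crypted_file").write_bytes(b"\x00" * 16)
    (Path(root) / "readme.txt").write_text("not encrypted")
    return root


def triage_sample():
    """Build the constructed sample in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(make_sample(tmp))


if __name__ == "__main__":
    print(triage_sample())
```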
At this point, as we always say, it pays to be wary of what we do on the internet, as malicious software like this can appear out of nowhere and compromise a great deal of our personal and financial data. Given how Kangaroo gets in, that also means not leaving Remote Desktop exposed to the internet.
Source and Images: Bleeping Computer