May 09, 2017

I am trying something new where I will post in brief articles about new ransomware as they are released. Many of these ransomware infections do not warrant a full article, but I feel its important to quickly get the word out about new techniques or variants as we discover them.

In our first ransomware in brief article, we are taking a look at a new in-development ransomware called BitKangoroo that I discovered today. Yes, I know, skidz can't spell. This particular ransomware is developed by a real scumbag who intends to delete a victims files if they do not pay fast enough.

In summary, this ransomware will encrypt a victim's files using AES-256 encryption and append the .bitkangoroo extension to encrypted files. It will then display a 60 minute countdown that when reached will cause the ransomware to delete one encrypted file. Once it deletes a file, it will reset the timer back to 60 minutes. Most importantly, this ransomware can be decrypted for free using Michael Gillespie's BitKangarooDecrypter.

You can see the lock screen for BitKangoroo below.

                                                                              BitKangoroo Ransom Screen

As this ransomware is currently in-development, the ransomware only encrypts files on the Desktop. It also contains non-working code that will cause ALL of the encrypted files to be deleted if the victim enters the wrong decryption key. You can see the warning message below that is displayed when you click on the Decrypt my files button.
                                                                                              File Deletion Warning 

Here is the code that deletes all of the encrypted files:

                                                                                                     Erasing Files

Finally, the ransomware screen contains a label that when clicked on opens a form to email the ransomware developer. The current email being used is This email address is being protected from spambots. You need JavaScript enabled to view it. and you can see an example of the email below.

                                                                             Email to Ransomware Dev

If the status of this ransomware changes, I will update the article. If you find these brief writeups useful, please let me know so I can decide if I should continue doing them. 

IOCS:
Hashes:
Associated Files:
Associated Emails:
News Courtesy : https://www.bleepingcomputer.com/news/security/news-brief-bitkangoroo-ransomware-deletes-your-files-if-you-do-not-pay/