Kangaroo ransomware / virus (Removal Instructions) - Jan 2020 update

Kangaroo virus Removal Guide

What is Kangaroo ransomware virus?

Kangaroo ransomware is malware that shows up as the Windows Explorer process

Kangaroo malwareKangaroo ransomware - malware that urges contacting the criminals via email address

Kangaroo ransomware is a notorious malware strain released by the same developer who created Apocalypse ransomware, Esmeralda, and Fabiansomware. By using symmetric or asymmetric encryption, this malware locks up all files and documents found on the Windows computer system. Afterward, the .missing appendix is added to each filename of the encrypted components. Discovered by a cybersecurity researcher named S!Ri,[1] this ransomware virus displays the (filename).Contact_Data_Recovery.txt ransom message that holds the dataforward@bk.ru email address where the victims are supposed to write in order to discuss all the terms and conditions of data recovery.

Kangaroo virus shows up as the Windows Explorer process in the Task Manager. This file has been spotted by 43 AV programs out of the total 71. According to VirusTotal,[2] the malware has been detected as Gen:Variant.Mikey.75690, Win32:Malware-gen, Trojan.TR/Crypt.XPACK.Gen2, TR/Crypt.XPACK.Gen2, Trojan-Ransom.Win32.Kangar.a, etc.

Name Kangaroo ransomware
Category Ransomware/malware
Related to Apocalypse ransomware, Esmeralda, and Fabiansomware
Danger level Very high. This cyber threat encrypts all files and documents that are found on the infected Windows computer and disables users from properly accessing these components. Also, the ransomware increases the risk of additional malware infections
Extension Once all the files are locked with a symmetric or asymmetric key, the .missing appendix is added to each filename
Ransom note The ransomware displays the (filename).Contact_Data_Recover.txt ransom message that urges making contact via the dataforward@bk.ru email address
Discoverer A cybersecurity researcher named S!Ri was the first one who announced about the appearance of this ransomware virus
Process Kangaroo virus appears as the Windows Explorer process in the Task Manager section. This file has been detected as malicious by 43 AV engines
Older version The older variant of Kangaroo ransomware used to add the .crypted_file appendix to each file name, display the (filename.)Instructions_Data_Recovery.txt ransom note and create a lock screen on the Windows computer system
Spreading Ransomware viruses are known to be spread via unsecured RDP configuration that is easily hackable by malicious actors. Also, the cybercriminals drop their malicious payload via email spam and their malicious attachments
Removal tip If you have been dealing with any version of this ransomware virus, you should get rid of it as soon as possible. If the malware is preventing you from accessing your Windows computer system, go to the end of this page and learn how to boot the machine in Safe Mode with Networking. Afterward, employ a reliable antimalware program that is capable of getting rid of such cyber threat
Fixing tool If you have scanned your system with a reliable tool and the program has found some damage on it, you can try fixing the corrupted areas and objects with software such as FortectIntego

Kangaroo ransomware does not provide any particular information on the demanded ransom price in the ransom note as all of the further details should be given after contacting the developers via email. However, the ransom price can vary anywhere from fifty dollars to thousands. Take a look at the entire ransom note in order to be able to recognize it:

All your data has been encrypted.

Contact by Email for data recovery.

Email : dataforward@bk.ru
Your ID : SD8AB642DUS


WARNING: If you don't contact in 72 hours, contact from a different email provider


However, Kangaroo ransomware is likely to ask for a ransom transfer in Bitcoin and the malicious actors might provide you with a Bitcoin wallet address via email. Cryptocurrency payments are very popular between developers as they allow the entire process to remain secret and anonymous.

Continuously, Kangaroo ransomware can modify the Windows Registry and Task Manager sections after successful infiltration into the computer system. The malware might be able to execute itself whenever the Windows machine is booted. Also, it can insert a function that allows scanning the entire system for encryptable files in certain time periods.

Kangaroo virusKangaroo virus - ransomware that gets delivered via hacked RDP or phishing email messages and their malicious attachments

In addition, Kangaroo ransomware can delete the Shadow Volume Copies of encrypted files by running specific PowerShell commands. This way the malware developers decrease the victims' chances of recovering locked data by employing other software. However, you still should not rush to pay the demanded ransom price as there is a big risk of getting scammed.

Kangaroo ransomware virus might not come alone to your computer system. You should be aware that such infections make the infected machine vulnerable to other parasites. As a result, you can end up with a Trojan virus on your computer that can result in the loss of valuable data, monetary thefts, damage to software and computer system.

Kangaroo ransomware removal should help you to solve the problem related to the risk of additional malware infections. The sooner you remove the virus, the better it will be for your computer system. For this process, you should employ only reliable antimalware software, otherwise, the task might be very hard to handle.

When you remove Kangaroo ransomware from your Windows computer, you should search for possible damage. If you find any corrupted areas, try repairing them with software such as FortectIntego. Continuously, go to the end of this article where you will find data recovery methods some of which might appear to be helpful for you.

Kangaroo ransomwareKangaroo ransomware is a dangerous malware form that comes as the WIndows Explorer process which has been detected as malicious by 43 AV engines

The first Kangaroo ransomware version includes an advanced operation module

This virtual parasite aims to have a bit more complex module than others of its kind. Once the malware accesses the operating system via hacked RDP and appears on the machine, it displays a lock screen that prevents numerous users from using their computers until they transfer the demanded price or eliminate the cyber threat.[3] Kangaroo ransomware virus is able to complete such a task by disabling Explorer processes and deactivating the Windows Task Manager.

Kangaroo ransomware virus mimics a legal notice and displays it as a ransom note before the infected users aim to log in to their computer systems. This way the cybercriminals are assured that the victims will spot the message before taking any further actions. In order to succeed in this process, the malware adds the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon “LegalNoticeText” registry key. Afterward, the ransomware virus initiates the encryption process by using the AES key to lock up all files and documents that are found on the infected device.

Kangaroo virus adds the .crypted_file appendix to each filename of the encrypted components. Afterward, the malware displays the ransom note named (filename).Instructions_Data_Recovery.txt. Continuously, the parasite adds a lock screen that displays a fake warning about a critical system problem and data encryption where the kangarooencryption@mail.ru cybercriminals' contact email is added as a way to perform communication between the crooks and the victims.

Kangaroo ransomware virusKangaroo ransomware virus has an older version that used to create a lock screen and display the ransom note before the user could take any further actions

Ransomware infections are distributed via hacked RDPs and email spam

According to NoVirus.uk specialists,[4] a lot of ransomware versions are downloaded directly to your computer via Remote Desktop applications. Once cybercriminals hack the system, they locate your IP identification and encryption codes. Likewise, they infiltrate the system. Later on, the malware initiates the encryption process.

Mostly, the hackers search for RDPs that include weak protection or none at all. So, it is very important that you secure your RDP with a strong and complex password that includes letters, numbers, and symbols. This way you decrease the chances of getting your RDP hacked by malicious actors.

Continuously, another popular method through which ransomware infections are delivered is known to be email spam. By using this technique, the cybercriminals drop legitimate-looking email messages to random users and attach the infectious payload to the email message itself in the form of an executable, PDF or word document.

The crooks often pretend to be from some reliable companies, healthcare, banking, shipping firms. If you ever receive an email message that you were not waiting for, you should not rush to open it as there might be malicious content planted inside it (in a form of a hyperlink) or attached to it. Scan all the attached files with an antimalware product before opening them just to make sure that they are not infected with malware.

Efficient Kangaroo elimination guide

To remove Kangaroo from the system, you have to employ strong and professional anti-malware software. If your computer is protected with free or weak antivirus software, it would not be able to wipe out the malware. Ransomware viruses are more complex cyber threats that might drop malicious components all over the computer system and fill locations such as the Task Manager and Windows Registry with malware-laden tasks and entries that also need to be deleted.

Note that if you are having a hard time with the Kangaroo removal process, you should boot up the computer in Safe Mode with Networking or use System Restore as shown in the instructions below. When you access one of these settings, you can continue with the elimination process properly. However, keep in mind that if you are interested in engaging with the malware removal manually, this type of technique might not work as you might skip crucial malicious components.

Keep in mind that any antivirus program cannot recover encrypted files. When you uninstall Kangaroo ransomware from your Windows computer system, you can restore your files from backups or use additional data recovery methods that are presented below. Also, if you want to search for possible system damage, employ products such as SpyHunter 5Combo Cleaner and Malwarebytes. Then, use another repair tool such as FortectIntego to fix any corrupted objects on your computer system.

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of Kangaroo virus. Follow these steps

Manual removal using Safe Mode

Activate Safe Mode with Networking on your Windows computer to diminish all malicious changes that were brought by the ransomware virus. If you need some help with this method, try the following guidelines.

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove Kangaroo using System Restore

Sometimes, you might have trouble with the ransomware removal process due to the malicious tasks that have been planted on your Windows system. To disable the infection properly, use the below-provided instructing steps and boot your machine via System Restore.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Kangaroo. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that Kangaroo removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Kangaroo from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

Encrypted files might scare you at first as you are not able to access them properly anymore. Regarding this fact, you might be in a rush to pay the demanded ransom price. However, we recommend overthinking everything twice before initiating any actions. Do not risk to get scammed by the cybercriminals and try some of the following data recovery methods that might appear helpful to you.

If your files are encrypted by Kangaroo, you can use several methods to restore them:

Retrieve files using Data Recovery Pro.

Follow the instructions below and use the Data Recovery Pro tool to decrypt your files. It might not restore all of your files, but some of them will be rescued which is definitely better than losing all of them.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Kangaroo ransomware;
  • Restore them.

Try recovering files by using Windows Previous Versions feature.

If you had enabled the System Restore function before Kangaroo virus attacked your PC, you can use this data recovery method. If this function has not been enabled on your computer, this technique would not work for you.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Try rescuing some of your files by using ShadowExplorer.

If the malware has not permanently damaged or deleted your files' Shadow Volume Copies, you can definitely give this tool a try as you might have a chance of recovering some of your data.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Currently, there is no official decryptor available for Kangaroo ransomware.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Kangaroo and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. The best solution for creating a tighter network could be a dedicated/fixed IP address.

If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for the server or network manager that needs to monitor connections and activities. VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world.


Recover files after data-affecting malware attacks

While much of the data can be accidentally deleted due to various reasons, malware is one of the main culprits that can cause loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is is a type of malware that focuses on such functions, so your files become useless without an ability to access them.

Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection. 


About the author
Jake Doevan
Jake Doevan - Computer technology expert

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Jake Doevan
About the company Esolutions