
Kangaroo Ransomware


This topic is locked
7 replies to this topic

#1 Jakob-1990

Jakob-1990

  • Members
  • 3 posts
  • OFFLINE
  • Local time:09:50 PM

Posted 12 November 2016 - 07:34 AM

My files were encrypted by Kangaroo on 03.11.2016.

The files were renamed to ... ".crypted_file".

We contacted them.

Paid 2 BTC and received a working key to unlock the screen,

and a download link for a decrypter software:

For the activation key, they want 5 BTC more.

The activation key doesn't work, and the software searched for ".crypted" instead of ".crypted_file".

We waited for days ... then they came with a new decrypter.
This one now finds the right files ".crypted_file" ... WOW.

But they want more BTC for the activation key.

I have talked to other victims ... who paid once more and got a non-working key.

SO DON'T PAY. YOU WILL GET NOTHING TO DECRYPT YOUR FILES.



#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,751 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:50 PM

Posted 12 November 2016 - 03:48 PM

I'm not familiar with Kangaroo ransomware.

You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections. If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 to manually inspect the files.



Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (http://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic. Doing that will be helpful with analyzing and investigating by our crypto experts.

These are some common folder variable locations malicious executables and .dlls hide:
%SystemDrive%\ (C:\)
%SystemRoot%\ (C:\Windows, %WinDir%\)
%Temp%\
%AllUserProfile%\
%UserProfile%\
%AppData%\
%LocalAppData%\
%ProgramData%\

After our experts examine the files, they will post in this topic if they can assist or need further information.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
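The folder list above is the manual version of a triage pass. The PowerShell script below is an added example, not part of quietman7's post or any BleepingComputer tool: it walks those same folders, keeps executables and DLLs created or modified around the infection date, and records Authenticode status and SHA1 so the hashes can be compared against vendor write-ups or attached to a submission. The date window is taken from Jakob-1990's post (03.11.2016); the extension list, the depth limits for C:\ and C:\Windows, and the output path are arbitrary choices for the example. The post writes %AllUserProfile%, but the real variable is %ALLUSERSPROFILE% (C:\ProgramData on modern Windows), which is what the script reads.

```powershell
# Added triage example (not from the original post). Run in an elevated
# PowerShell session (5.0 or later) on the affected machine.

# Infection date from Jakob-1990's post (03.11.2016); a two-day lead catches
# droppers staged before the encryption ran. Widen the window if unsure.
$InfectionDate = Get-Date '2016-11-03'
$Since = $InfectionDate.AddDays(-2)

# The folders quietman7 lists. ALLUSERSPROFILE and ProgramData both resolve
# to C:\ProgramData on Vista and later, so duplicates are collapsed.
$SystemRootDrive = $env:SystemDrive + '\'
$Roots = @(
    $SystemRootDrive,
    $env:SystemRoot,
    $env:TEMP,
    $env:ALLUSERSPROFILE,
    $env:USERPROFILE,
    $env:APPDATA,
    $env:LOCALAPPDATA,
    $env:ProgramData
) | Where-Object { $_ } | Sort-Object -Unique

# Extensions worth a look; .tmp is included because droppers are often
# written there first and renamed later.
$Extensions = '.exe', '.dll', '.scr', '.tmp'

# Full recursion from C:\ and C:\Windows takes hours; one level is enough
# to catch binaries dropped directly in those roots. -Force includes
# hidden and system files, which is where ransomware droppers usually sit.
$Candidates = foreach ($Root in $Roots) {
    $Depth = if ($Root -eq $SystemRootDrive -or $Root -eq $env:SystemRoot) { 1 } else { 6 }
    Get-ChildItem -Path $Root -Recurse -Depth $Depth -Force -File -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Extension -in $Extensions -and
            ($_.LastWriteTime -ge $Since -or $_.CreationTime -ge $Since)
        }
}

# Annotate each hit with signature status and a SHA1 for lookups/submission.
$Report = foreach ($File in $Candidates) {
    $Sig = Get-AuthenticodeSignature -FilePath $File.FullName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Path      = $File.FullName
        Created   = $File.CreationTime
        Modified  = $File.LastWriteTime
        SizeKB    = [math]::Round($File.Length / 1KB, 1)
        Signature = if ($Sig) { $Sig.Status } else { 'Unknown' }
        Signer    = if ($Sig -and $Sig.SignerCertificate) { $Sig.SignerCertificate.Subject } else { '' }
        SHA1      = (Get-FileHash -Path $File.FullName -Algorithm SHA1 -ErrorAction SilentlyContinue).Hash
    }
}

# Unsigned or badly signed binaries that appeared closest to the infection
# date are the ones to submit first, so they sort to the top.
$Report |
    Sort-Object @{ Expression = { $_.Signature -eq 'Valid' } }, Created |
    Format-Table Path, Created, Signature, SHA1 -AutoSize

# Keep a copy to attach to the malware submission or the support topic.
$Report | Export-Csv -Path "$env:USERPROFILE\Desktop\ransomware-triage.csv" -NoTypeInformation
```

A valid signature is not proof of innocence (signed installers get abused), and a NotSigned status on a file in %AppData% or %Temp% is not proof of guilt; the list narrows what to hash and submit, and the analysts in the topic make the call.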

#3 cybercynic

cybercynic

  • Members
  • 560 posts
  • OFFLINE
  • Gender:Male
  • Location:Edge Of Tomorrow
  • Local time:04:50 PM

Posted 12 November 2016 - 04:10 PM

Some less than reliable sites claim it is an Apocalypse variant.


We are drowning in information - and starving for wisdom.


#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,751 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:50 PM

Posted 12 November 2016 - 04:15 PM


Yeah, and some of those "scammy" sites already have so-called removal guides posted.

#5 Struppigel

Struppigel

    Karsten Hahn, G DATA Malware Analyst


  • Malware Response Team
  • 231 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:50 PM

Posted 12 November 2016 - 05:04 PM

Yes, Kangaroo and Esmeralda are the newest Apocalypse variants, see also https://twitter.com/JAMESWT_MHT/status/794463104159588353
However, I was not under the impression that Jakob-1990 wants our help to decrypt files, but just wanted to warn people so they do not pay.

@Jakob-1990: Thanks for telling your story. I hope some people will refrain from paying after reading this. Criminals are not the kind of people anyone can trust.

Edited by Struppigel, 12 November 2016 - 05:07 PM.


#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,751 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:50 PM

Posted 12 November 2016 - 09:27 PM

For anyone else finding their way to this topic, there is an ongoing discussion in the below link where you can ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.

#7 Jakob-1990

Jakob-1990
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:09:50 PM

Posted 13 November 2016 - 03:38 AM

@quietman7

I will send some samples to ID Ransomware.

@Struppigel

Yes, my first intention is to warn people not to pay.

But if somebody can help me and other victims to decrypt their files, I would be happy.



#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,751 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:50 PM

Posted 13 November 2016 - 07:53 AM

Fabian Wosar has released a decrypter for older variants of this infection. However, the cyber-criminals have fixed flaws and updated their malware so newer variants of this ransomware may not be decryptable.

He most likely would need a sample of the malware itself to analyze before anyone can ascertain if the encrypted files can even be decrypted.

Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff