Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

BitKangoroo Ransomware Deletes User Files

A piece of ransomware currently in development is deleting users’ files if the ransom isn’t paid within a given period of time.

A piece of ransomware currently in development is deleting users’ files if the ransom isn’t paid within a given period of time.

Dubbed BitKangoroo, the malware doesn’t appear to be the work of a skilled developer and can encrypt only files located in the Desktop folder at the moment, but could become a highly destructive threat because of code that erases users’ data.

Once a computer has been infected, the malware starts encrypting user’s files using AES-256 encryption, and appends the .bitkangoroo extension to each of the affected files. Once the process has been completed, the ransomware displays a window informing the victim that their files have been encrypted and that a 1 Bitcoin ransom should be paid to decrypt them.

The note warns that one file will be deleted every hour until the ransom has been paid, and also displays a countdown. When deleting the encrypted file, the malware also resets the timer to 60 minutes, BleepingComputer’s Lawrence Abrams reveals.

BitKangoroo isn’t the first ransomware family out there to delete user’s files if a payment wasn’t made, but previous threats did allow for a longer period of time before proceeding to such action, which would make more sense, considering that it could take days before being able to buy Bitcoin.

The good news is that security researcher Michael Gillespie has already managed to crack the malware’s encryption and has released a free decryption tool, called BitKangarooDecrypter.

Analysis of the malware also revealed code capable of deleting all of the encrypted files if the victim enters the wrong decryption key (a warning message is displayed when the user clicks on the Decrypt my files button). Fortunately, the code isn’t working and the ransomware can’t delete user’s files.

The BitKangoroo ransomware also provides the victim with a Bitcoin address they should send the ransom payment to, as well as the possibility to contact the malware author directly, via email. At the moment, the [email protected] address is used.

Related: Nasty VirLocker Ransomware Returns

Related: Destructive KillDisk Malware Turns Into Ransomware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

A GitHub Codespaces feature meant to help with code development and collaboration can be abused for malware delivery.