Kangaroo Ransomware Removal Guide

Kangaroo Ransomware is a dangerous computer infection that makes it really hard to restore your affected files. Although it is possible to stop this ransomware program from encrypting target files, users seldom realize the danger until it is too late to do anything about it. In this description, we will discuss the main features of this malicious infection, and then we go through the emergency measures that should help you remove Kangaroo Ransomware and get your files back. Nevertheless, you should keep in mind that it might be impossible to retrieve your files if you do not have any system backup, so you have to be emotionally ready for that.

As far as its origins are concerned, Kangaroo Ransomware is another version of Apocalypse ransomware. Our research shows that it is similar to Esmeralda Ransomware that uses the AES encryption and currently has no public decryption tool that would allow users to decrypt the affected files. The same applies to Kangaroo Ransomware as well. What’s more, this infection also deletes the Shadow copies of your files. Although average computer users would not be able to use Shadow copies, a technician would help you restore your data from them. However, the infection cuts off that opportunity by deleting them for good. This way, the ransomware programs makes sure that the user would be compelled to purchase the decryption tool from it.

Usually, ransomware programs spread via spam email messages, but applications from this group tend to make use of the Remote Desktop Connection to travel around. It also means that the infection is direct. In other words, the hacker connects to your computer and drops the infection file on your system directly. Also, the research shows that the program does not get installed on the target computer until the user clicks the “Copy and continue” button. Once you do that, Kangaroo Ransomware enters your system and unleashes the payload.

Upon the installation, the infection creates a copy of itself in the %PROGRAMFILES% or %PROGRAMFILES(x86)% directories. The file is called explorer.exe, so you can see that it tries to pose as a legitimate system file. When the infection is launched, it scans your system and encrypts all files with these extensions: .dat, .bat, .bin, .encrypted, .ini, .tmp, .lnk, .com, .msi, .sys, .dll, and .exe. Only system files in the Windows folder are not affected by the infection because the ransomware needs your PC to function properly. Otherwise, it would not be able to receive the ransom transfer from you.

As far as your files are concerned, you need to restore them from a system backup once you remove Kangaroo Ransomware from the PC. It may be an external HDD or some cloud drive, but the point is that users often have copies of their files saved someplace else, they are just not aware of that.

The manual ransomware removal might seem a little bit daunting, but it is not as complicated as you think. Of course, after you delete Kangaroo Ransomware, you should run a full system scan with a reliable antispyware tool because there might be more dangerous files on your PC, and you have to terminate them all.

How to Remove Kangaroo Ransomware

1. Go to your Downloads folder.
2. Delete all the recently downloaded files.
3. Press Win+R and type %PROGRAMFILES%\Windows NT. Click OK.
4. Delete the explorer.exe file. Press Win+R again.
5. Type %PROGRAMFILES(x86)%\Windows NT into the Open box. Click OK.
6. Delete the explorer.exe file and press Win+R.
7. Enter regedit into the Open box and click OK.
8. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
9. On the right pane, right-click the Windows Explorer value that has the C:\Program Files (x86)\Windows NT\explorer.exe value data. Delete it.
10. Right-click the Windows Explorer value with the C:\Program Files\Windows NT\explorer.exe value data. Delete it.
11. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
12. On the right pane, delete the LegalNoticeText value.
13. Exit Registry Editor and scan your PC with a licensed antispyware tool.

If you cannot perform the manual removal or the instructions do not work for you, please let us know by leaving a comment below.