Computer security experts discovered a new variant of ransomware which called .Promos ransomware. It appends the .promos extension to encrypted file names. This blog post will provide you with all the things you need to know about this ransomware virus, how to remove ransomware from your system and how to decrypt or recover .promos files for free.
The .Promos Ransomware is a malicious software that created in order to encrypt personal files. It hijack a whole PC system or its data and demand a ransom in order to unlock (decrypt) them. The authors of the .Promos Ransomware virus have a strong financial motive to infect as many PC systems as possible. The files that will be encrypted include the following file extensions:
.dazip, .xlgc, .hvpl, .kf, .3dm, .odc, .wgz, .qic, .db0, .txt, .css, .bkp, .m2, .wmv, .dxg, .hplg, .wri, .ntl, .itl, .pem, .cfr, .itm, .psd, .wmo, .ff, .ai, .sum, .2bp, .dmp, .rwl, .mef, .mdf, .odt, .xlsx, .ods, .fsh, .epk, .zdc, .wma, .z3d, .xmind, .wpl, .pef, .raw, .wp4, .wbc, .wbk, .tax, .sidd, .docm, .mdb, .png, .1, .bay, .xdb, wallet, .xbplate, .forge, .iwd, .srw, .cr2, .wp7, .qdf, .apk, .wbm, .yal, .wpb, .ibank, .icxs, .wmf, .hkx, .cas, .wp6, .xlk, .wsc, .sav, .xls, .vpk, .sidn, .x, .desc, .dwg, .m3u, .wp5, .ybk, .erf, .ztmp, .p12, .xf, .xy3, .z, .wps, .snx, .xyw, .mp4, .hkdb, .mdbackup, .wpt, .wb2, .wpe, .w3x, .sql, .mddata, .vdf, .pdd, .1st, .bsa, .avi, .itdb, .sb, .zif, .docx, .zi, .x3f, .rar, .flv, .orf, .gdb, .kdb, .fpk, .ppt, .wotreplay, .zdb, .wbmp, .xlsm, .tor, .xx, .indd, .pdf, .rofl, .wbd, .p7c, .d3dbsp, .bkf, .sis, .sr2, .mlx, .sie, .bik, .vfs0, .wpg, .xml, .xbdoc, .webp, .srf, .x3d, .xll, .zip, .py, .xld, .lbf, .lvl, .wot, .bc6, .ws, .wbz, .m4a, .gho, .asset, .ltx, .mpqge, .iwi, .slm, .wcf, .pfx, .xlsx, .sid, .blob, .arch00, .y, .dbf, .rtf, .t13, .mov, .xls, .map, .upk, .xyp, .rb, .jpeg, .vpp_pc, .wn, .wmd, .wsd, .xlsm, .wpa, .vcf, .js, .wmv, .cer, .wpd, .rw2, .pptm, .wm, .rim, .zw, .dba
When the virus encrypts a file, it will append the .promos file extension to every encrypted file. Once the ransomware finished enciphering of all photos, documents and music, it will create a file named “_readme.txt” with ransom demanding message on how to decrypt all encrypted files. An example of the ransomnote is:
------- ALL YOUR FILES ARE ENCRYPTED ------- Don’t worry, you can return all your files! All your files documents, photos, databases and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-wlvjUfRfvM Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that’s price for you is $490. Please note that you’ll never restore your data without payment. Check your e-mail “Spam” folder if you don’t get answer more than 6 hours. ————————————————— To get this software you need write on our e-mail: firstname.lastname@example.org Reserve e-mail address to contact us: email@example.com Your personal ID:
Follow our instructions below to detect and remove .Promos Ransomware virus from your personal computer as well as restore encrypted photos, documents and music for free.
Table of contents
- How to remove .Promos Ransomware virus
- How to decrypt .promos files
- Use STOPDecrypter to decrypt .promos files
- How to restore .promos files
- How to protect your PC system from .Promos ransomware
How to remove .Promos Ransomware virus
Before you run the process of recovering personal files which has been encrypted, make sure .Promos ransomware virus is not running. Firstly, you need to remove this virus permanently. Happily, there are several malicious software removal tools that will effectively look for and remove .Promos ransomware and other crypto virus malware from your computer.
How to remove .Promos Ransomware with Zemana Anti-malware
We recommend using the Zemana Anti-malware that are completely clean your machine of the ransomware. The tool is an advanced malware removal program designed by (c) Zemana lab. It is able to help you remove potentially unwanted programs, viruses, adware, malware, toolbars, ransomware and other security threats from your PC system for free.
Installing the Zemana Anti-Malware is simple. First you will need to download Zemana Anti Malware by clicking on the link below.
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
After the download is finished, close all windows on your personal computer. Further, run the setup file called Zemana.AntiMalware.Setup. If the “User Account Control” prompt pops up as shown in the following example, press the “Yes” button.
It will show the “Setup wizard” that will assist you install Zemana Free on the system. Follow the prompts and do not make any changes to default settings.
Once installation is finished successfully, Zemana Free will automatically start and you may see its main window as shown in the following example.
Next, click the “Scan” button . Zemana application will scan through the whole machine for the .Promos ransomware virus and other kinds of potential threats such as malicious software and PUPs. A system scan can take anywhere from 5 to 30 minutes, depending on your PC system. While the Zemana Free is checking, you can see number of objects it has identified either as being malware.
After that process is finished, Zemana AntiMalware (ZAM) will show a list of found threats. Review the results once the tool has complete the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply press “Next” button.
The Zemana Free will begin to delete .Promos ransomware virus related files, folders and registry keys. When that process is done, you can be prompted to reboot your computer.
Automatically delete .Promos ransomware virus with MalwareBytes Anti-Malware
We recommend using the MalwareBytes AntiMalware that are fully clean your computer of the ransomware virus. This free tool is an advanced malware removal program created by (c) Malwarebytes lab. This program uses the world’s most popular anti-malware technology. It is able to help you remove ransomware, potentially unwanted applications, malware, adware, toolbars, and other security threats from your computer for free.
Download MalwareBytes Anti-Malware (MBAM) on your MS Windows Desktop by clicking on the link below.
Category: Security tools
Update: April 15, 2020
After downloading is finished, close all windows on your personal computer. Further, launch the file named mb3-setup. If the “User Account Control” prompt pops up as displayed in the following example, click the “Yes” button.
It will display the “Setup wizard” which will help you install MalwareBytes Anti-Malware (MBAM) on the PC. Follow the prompts and do not make any changes to default settings.
Once installation is done successfully, click Finish button. Then MalwareBytes Anti Malware will automatically run and you may see its main window as displayed on the screen below.
Next, press the “Scan Now” button for checking your PC system for the .Promos Ransomware virus related files, folders and registry keys. This procedure can take some time, so please be patient. When a malware, adware or potentially unwanted software are detected, the number of the security threats will change accordingly.
As the scanning ends, MalwareBytes Free will show you the results. Review the report and then press “Quarantine Selected” button.
The MalwareBytes will remove .Promos Ransomware virus and other malicious software and add all security threats to the Quarantine. When finished, you may be prompted to restart your personal computer. We advise you look at the following video, which completely explains the process of using the MalwareBytes Anti-Malware (MBAM) to delete hijacker infections, ad supported software and other malicious software.
Scan your machine and remove .Promos Ransomware virus with KVRT
The KVRT tool is free and easy to use. It can scan and remove ransomware such as the .Promos Ransomware, malicious software, other security threats and thereby revert back system settings. KVRT is powerful enough to find and delete malicious registry entries and files that are hidden on the personal computer.
Download Kaspersky virus removal tool (KVRT) on your PC system by clicking on the link below.
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
After the download is complete, double-click on the KVRT icon. Once initialization process is finished, you will see the KVRT screen like below.
Click Change Parameters and set a check near all your drives. Press OK to close the Parameters window. Next press Start scan button . KVRT program will scan through the whole personal computer for the .Promos Ransomware virus and other known infections. This task can take some time, so please be patient. During the scan KVRT will find threats present on your machine.
Once finished, KVRT will display a scan report like below.
Make sure all items have ‘checkmark’ and press on Continue to start a cleaning process.
How to decrypt .promos files
The ransom demanding message encourages victim to contact .Promos Ransomware’s developers via firstname.lastname@example.org or email@example.com emails in order to decrypt .promos files. These persons will require to pay a ransom (usually demand for $490-$980 in Bitcoins).
There is absolutely no guarantee that after pay a ransom to the developers of the .Promos ransomware, they will provide the necessary key to decrypt your files. In addition, you must understand that paying money to the cyber criminals, you are encouraging them to create a new ransomware virus.
Use STOPDecrypter to decrypt .promos files
Michael Gillespie (@) released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).
STOPDecrypter has been updated to include decryption support for the following .djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower. .promos).
Please check the twitter post for more info.
How to restore .promos files
In some cases, you can recover files encrypted by .Promos ransomware. Try both methods. Important to understand that we cannot guarantee that you will be able to restore all encrypted photos, documents and music.
Use ShadowExplorer to restore .promos files
A free utility named ShadowExplorer is a simple method to use the ‘Previous Versions’ feature of Windows 10 (8, 7 , Vista). You can recover .promos files encrypted by the .Promos ransomware virus from Shadow Copies for free.
Download ShadowExplorer on your Windows Desktop by clicking on the link below.
Category: Security tools
Update: September 15, 2019
When downloading is done, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as displayed below.
Start the ShadowExplorer tool and then select the disk (1) and the date (2) that you want to recover the shadow copy of file(s) encrypted by the .Promos Ransomware virus as displayed on the screen below.
Now navigate to the file or folder that you wish to recover. When ready right-click on it and click ‘Export’ button as shown on the image below.
Run PhotoRec to restore .promos files
Before a file is encrypted, the .Promos Ransomware virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your photos, documents and music using file recover software like PhotoRec.
Download PhotoRec on your computer by clicking on the following link.
Category: Security tools
Update: March 1, 2018
When the download is finished, open a directory in which you saved it. Right click to testdisk-7.0.win and choose Extract all. Follow the prompts. Next please open the testdisk-7.0 folder like below.
Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It’ll show a screen like below.
Select a drive to recover as shown in the figure below.
You will see a list of available partitions. Select a partition that holds encrypted documents, photos and music like below.
Click File Formats button and select file types to recover. You can to enable or disable the recovery of certain file types. When this is finished, click OK button.
Next, click Browse button to select where restored files should be written, then click Search.
Count of restored files is updated in real time. All restored photos, documents and music are written in a folder that you have selected on the previous step. You can to access the files even if the restore process is not finished.
When the recovery is finished, press on Quit button. Next, open the directory where recovered documents, photos and music are stored. You will see a contents as displayed on the screen below.
All restored photos, documents and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, then you can to sort your recovered files by extension and/or date/time.
How to protect your PC system from .Promos ransomware
Most antivirus programs already have built-in protection system against the virus. Therefore, if your system does not have an antivirus program, make sure you install it. As an extra protection, run the CryptoPrevent.
Use CryptoPrevent to protect your PC system from .Promos ransomware
Download CryptoPrevent on your MS Windows Desktop by clicking on the following link.
Run it and follow the setup wizard. Once the installation is finished, you’ll be displayed a window where you can select a level of protection, as shown on the image below.
Now click the Apply button to activate the protection.
Once you have finished the step-by-step guide outlined above, your PC system should be clean from .Promos Ransomware virus and other malware. Your PC system will no longer encrypt your documents, photos and music. Unfortunately, if the steps does not help you, then you have caught a new variant of ransomware, and then the best way – ask for help here.