A new ransomware variant has been discovered by cyber threat analysts. It appends the .promoz file extension to encrypted files. This ransomware targets computers running Microsoft Windows and spreads through spam emails and malware. This post covers what you need to know about the ransomware, how to remove it from your PC, and how to decrypt or recover .promoz files for free.
The .Promoz Ransomware is malicious software created to encrypt files. It hijacks a whole personal computer or its data and demands a ransom to unlock (decrypt) them. The developers of the .Promoz ransomware have a strong financial motive to infect as many PCs as possible. The ransomware encrypts files with the following extensions:
.rw2, .zip, .sidd, .zdb, .wmv, .sis, .xlsx, .wpt, .yml, .rb, .yal, .csv, .map, .snx, .xbplate, .lvl, .wri, .xld, .indd, .doc, .kdc, .mef, .fos, .sidn, .asset, .gdb, .2bp, .mcmeta, .crt, .dwg, .ztmp, .wbm, .ibank, .ntl, .odb, .desc, .fsh, .ai, .z3d, .wbc, .wav, .pdd, .wpd, .1, .hkx, .dbf, .iwd, .xlsm, .lrf, .ods, .xlsm, .pef, .w3x, .bik, .raw, .forge, .7z, .xar, .rofl, .y, .rim, .vpk, .blob, .sum, .srf, .raf, .wbk, .css, .kdb, .xmind, .wbd, .m4a, .zi, .wdp, .zip, .xlsb, .wire, .arch00, .cr2, .wp7, .upk, .sb, .re4, .wbz, .jpg, .psd, .wp, .wmd, .wps, .bkf, .itm, .dcr, .dng, .vtf, .wpa, .layout, .slm, .pfx, .t13, .flv, .esm, .crw, .x3f, .1st, .das, .ff, .rgss3a, .syncdb, .wpd, .ltx, .eps, .wma, .xwp, .js, .der, .xls, .x3f, .ncf, .p7c, .pptx, .odt, .psk, .pkpass, .dazip, .ppt, .dxg, .wp4, .z, .xll, .sav, .xdl, .ysp, .xyp, .vcf, .db0, .ws, .zdc, .mdb, .nrw, .vfs0, .x, .mpqge, .srw, .bc7, .xls, .kf, .sid, .xyw, .orf, .mlx, .mddata, .svg, .wpw, .zabw, .arw, .pem, .wps, .txt, .xf, .sql, .bsa, .3dm, .x3d, .mrwref, .png, .tor, .bay, .wsd, .webp, .wmv, .dmp, .bar, .itl, .rtf, .xlsx, .ybk, .wmo, .odm, .xmmap, .xdb, .wdb, .cer, .wsc, .zif, .hplg, .wpg, .odp, .hkdb, .wotreplay, .xxx, .lbf, .icxs, .wsh, .wot, .litemod, .accdb, .cfr, .odc, .itdb, .wp5, .xpm, .d3dbsp, .mov, .menu, wallet, .xlk, .ptx, .big, .jpeg, .wb2, .gho, .dba
Once the encryption procedure is done, it drops a ransom note called “_readme.txt” offering to decrypt all of the user's files if a payment is made. One variant of the ransom instructions is shown below:
ATTENTION! Don't worry my friend, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-ll0rIToOhf Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: firstname.lastname@example.org Reserve e-mail address to contact us: email@example.com Your personal ID:
If your documents, photos and music have been locked by the .Promoz ransomware, we suggest: do not pay the ransom! The free tools listed below can be used to scan for and remove this ransomware and prevent any further damage. After that, you have a chance to recover (decrypt) the encrypted files for free.
Table of contents
- How to remove .Promoz ransomware
- How to decrypt .promoz files
- Use STOPDecrypter to decrypt .promoz files
- How to restore .promoz files
- How to protect your computer from .Promoz ransomware
How to remove .Promoz ransomware
The following instructions will help you delete the .Promoz ransomware and other malicious software. Before you start, be aware that removing the ransomware may block the ability to decrypt photos, documents and music by paying the developers of the virus the requested ransom. Zemana Anti-malware, KVRT and Malwarebytes Anti-malware can detect different types of active ransomware infections and easily remove them from your personal computer, but they cannot restore encrypted photos, documents and music.
Use Zemana Anti-malware to remove .Promoz ransomware
Zemana Anti-malware is highly recommended, because it can search for security threats such as ransomware, trojans, worms and other malware that most ‘classic’ antivirus software fails to pick up. Moreover, if you have any .Promoz Ransomware removal problems which cannot be fixed by this tool automatically, Zemana Anti-malware provides 24X7 online assistance from highly experienced support staff.
Now you can set up and run Zemana Free to remove the .Promoz Ransomware from your computer by following the steps below:
Please go to the following link to download Zemana AntiMalware installer named Zemana.AntiMalware.Setup on your personal computer. Save it to your Desktop so that you can access the file easily.
Launch the installation package after it has been downloaded successfully and then follow the prompts to set up this utility on your computer.
During installation you can change certain settings, but we recommend that you do not make any changes to the default settings.
When setup is complete, this malicious software removal utility will automatically start and update itself. You will then see its main window.
Now press the “Scan” button to start scanning your machine for the .Promoz ransomware and other malicious software. While the Zemana application is checking, you can see how many objects it has identified as threats.
After that process is finished, Zemana Anti-Malware will show a list of detected threats. Make sure all items have a checkmark and press the “Next” button.
Zemana AntiMalware (ZAM) will remove the files, folders and registry keys related to the .Promoz ransomware. Once disinfection is complete, you may be prompted to restart your personal computer to make the changes take effect.
Use MalwareBytes to delete .Promoz Ransomware
Manual .Promoz Ransomware removal requires some computer skills. Some files and registry entries created by the ransomware may not be fully removed. We advise running MalwareBytes AntiMalware (MBAM), which can fully clean your machine of ransomware. Moreover, this free application will help you delete malicious software, PUPs, adware and toolbars that your PC may also be infected with.
- Download MalwareBytes Free from the following link. Save it on your Windows desktop.
- At the download page, click on the Download button. Your internet browser will show the “Save as” prompt. Please save it onto your Windows desktop.
- Once the download is complete, please close all apps and open windows on your personal computer. Double-click on the icon that’s called mb3-setup.
- This will open the MalwareBytes “Setup wizard” on your machine. Follow the prompts and don’t make any changes to the default settings.
- When the Setup wizard has finished installing, MalwareBytes Free will start and show the main window.
- Next, click the “Scan Now” button to start checking your PC for the .Promoz ransomware and other kinds of security threats. This task can take quite a while, so please be patient.
- When the scan is done, MalwareBytes will open a screen that contains a list of malicious software that has been found.
- Make sure all items have a checkmark and click the “Quarantine Selected” button. After disinfection is done, you may be prompted to reboot the machine.
- Close the Anti-Malware and continue with the next step.
Double-check for .Promoz ransomware virus with KVRT
KVRT is a free portable program that scans your system for malware and ransomware viruses like the .Promoz Ransomware and helps get rid of them easily. Moreover, it’ll also help you get rid of any harmful web browser extensions and add-ons.
Download Kaspersky virus removal tool (KVRT) from the link below.
Once the download is done, double-click on the Kaspersky virus removal tool icon. Once the initialization process is finished, you will see the Kaspersky virus removal tool screen.
Click Change Parameters and check the boxes next to all your drives. Click OK to close the Parameters window. Next, click the Start scan button to find the .Promoz Ransomware and other trojans and malicious applications. While the utility is checking, you can see how many objects and files have already been scanned.
After the system scan is finished, a list of all items found is produced.
All detected threats will be marked. You can remove them all by simply clicking Continue to start the cleaning process.
How to decrypt .promoz files
The .Promoz ransomware tells victims to contact its developers via the firstname.lastname@example.org or email@example.com email addresses in order to get a key to decrypt the encrypted files. They will demand a ransom (usually $490-$980 in Bitcoins).
There is absolutely no guarantee that, after you pay a ransom to the developers of the .Promoz ransomware, they will provide the key needed to decrypt your files. In addition, you must understand that by paying money to the cyber criminals, you are encouraging them to create new ransomware.
Use STOPDecrypter to decrypt .promoz files
Michael Gillespie (@) released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).
STOPDecrypter has been updated to include decryption support for the following .djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos). STOPDecrypter will work for any extension of the Djvu* variants, including new extensions (.promoz).
Please check the Twitter post for more info.
How to restore .promoz files
In some cases, you can restore files encrypted by the .Promoz ransomware. Try both methods. It is important to understand that we cannot guarantee that you will be able to restore all encrypted documents, photos and music.
Recover .promoz encrypted files using Shadow Explorer
Microsoft Windows has a feature called ‘Shadow Volume Copies’ that can help you restore files encrypted by the .Promoz ransomware. The method described below only restores encrypted documents, photos and music to previous versions from the Shadow Volume Copies, using a free tool named ShadowExplorer.
Click the following link to download the latest version of ShadowExplorer for Windows. Save it directly to your Microsoft Windows Desktop.
After the download is complete, open the directory where you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder.
Run the ShadowExplorer utility and then select the disk (1) and the date (2) of the shadow copy from which you want to restore the file(s) encrypted by the .Promoz ransomware.
Now navigate to the file or folder that you want to restore. When ready, right-click on it and press the ‘Export’ button.
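Choosing the date in ShadowExplorer is easier when you know when encryption started. The following added example (not part of the original article or of any tool it names) walks a folder, inventories files ending in .promoz and _readme.txt ransom notes, and reports the earliest and latest modification times of the encrypted files. It assumes the ransomware did not reset file timestamps; the function names are hypothetical.

```python
import os
import sys
from datetime import datetime
from pathlib import Path

ENCRYPTED_EXT = ".promoz"    # extension this article describes
RANSOM_NOTE = "_readme.txt"  # ransom note name this article describes

def inventory(root):
    """Return (encrypted, notes): encrypted-file records and ransom note paths."""
    encrypted, notes = [], []
    # onerror: skip folders we cannot read instead of aborting the walk
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = Path(dirpath) / name
            if name.lower() == RANSOM_NOTE:
                notes.append(path)
            elif name.lower().endswith(ENCRYPTED_EXT):
                try:
                    st = path.stat()
                except OSError:
                    continue  # file vanished or is locked
                # mtime is assumed to be the time the file was encrypted
                encrypted.append({"path": path, "mtime": st.st_mtime,
                                  "original_name": name[:-len(ENCRYPTED_EXT)]})
    return encrypted, notes

def summarize(encrypted, notes):
    """Count affected files per folder and bound the encryption time window."""
    by_dir = {}
    for rec in encrypted:
        folder = str(rec["path"].parent)
        by_dir[folder] = by_dir.get(folder, 0) + 1
    mtimes = [rec["mtime"] for rec in encrypted]
    return {
        "encrypted_count": len(encrypted),
        "note_count": len(notes),
        "first_encrypted": min(mtimes) if mtimes else None,
        "last_encrypted": max(mtimes) if mtimes else None,
        "by_dir": by_dir,
    }

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else str(Path.home())
    report = summarize(*inventory(target))
    print(f"{report['encrypted_count']} encrypted files, {report['note_count']} ransom notes")
    if report["first_encrypted"] is not None:
        first = datetime.fromtimestamp(report["first_encrypted"])
        print(f"Pick a shadow copy dated before {first:%Y-%m-%d %H:%M}")
    for folder, count in sorted(report["by_dir"].items(), key=lambda kv: -kv[1])[:10]:
        print(f"{count:6d}  {folder}")
```

Run it with a folder or drive as the only argument; without one it scans the current user's home folder.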
Restore .promoz files with PhotoRec
Before a file is encrypted, the .Promoz ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your personal files using file recovery applications like PhotoRec.
Download PhotoRec on your PC by clicking on the following link.
When the download is finished, open the directory where you saved it. Right-click testdisk-7.0.win and choose Extract all. Follow the prompts. Next, open the testdisk-7.0 folder.
Double-click qphotorec_win to run PhotoRec for MS Windows. It will display its main screen.
Choose a drive to recover.
You will see a list of available partitions. Select a partition that holds encrypted documents, photos and music.
Click the File Formats button and choose the file types to restore. You can enable or disable the recovery of certain file types. When this is finished, click the OK button.
Next, click Browse button to choose where recovered personal files should be written, then press Search.
The count of restored files is updated in real time. All restored photos, documents and music are written to the folder that you selected in the previous step. You can access the files even if the recovery process is not finished.
When the recovery is finished, click the Quit button. Next, open the directory where the restored photos, documents and music are stored.
All restored files are written to the recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, you can sort your recovered files by extension and/or date/time.
How to protect your computer from .Promoz ransomware
Most antivirus apps already have built-in protection against ransomware. Therefore, if your personal computer does not have an antivirus program, make sure you install one. As extra protection, run CryptoPrevent.
Use CryptoPrevent to protect your computer from .Promoz ransomware virus
Download CryptoPrevent on your PC from the following link.
Run it and follow the setup wizard. Once the install is complete, you’ll be shown a window where you can choose a level of protection.
Now click the Apply button to activate the protection.