.Promorad file extension ransomware (Decrypt, restore .promorad files)

A new variant of ransomware virus has been discovered by computer security specialists. It appends the .promorad file extension to encrypted files. This ransomware targets computers running Microsoft Windows by spam emails and malware.

Immediately after the launch, the .Promorad ransomware scans all available drives, including network and cloud storage, to determine which files will be encrypted. The virus uses the file name extension, as a method to define a group of files that will be subjected to encrypting. Encrypted almost all types of files, including common as:

.pak, .jpeg, .xmind, .xy3, .sql, .orf, .bkf, .sum, .odp, .w3x, .wgz, .x3f, .vcf, .webp, .crw, .xlsx, .dng, .asset, .xf, .rw2, .syncdb, .qdf, .wb2, .raf, .ws, .wbk, .wma, .wp6, .pem, .vpk, .wcf, .wps, .svg, .xlsm, .zdc, .3dm, .mef, .cdr, .xlk, .xbdoc, .xxx, .wotreplay, .indd, .xmmap, .rwl, .odc, .txt, .ff, .css, .bar, .crt, .odb, .wbz, .db0, .iwd, .sid, .rgss3a, .wmv, .flv, .itl, .iwi, .xyp, .hkdb, .xlgc, .xpm, .erf, .x, .rtf, .dxg, .1, .p7c, .bkp, .ods, .xar, .wn, .wpd, .wp5, .ntl, .mp4, .3fr, wallet, .doc, .srf, .mrwref, .slm, .epk, .wsd, .wmo, .xml, .arch00, .hkx, .lvl, .pptm, .sb, .wpg, .cer, .yml, .docm, .lrf, .2bp, .qic, .ibank, .snx, .itdb, .fpk, .t13, .wbc, .3ds, .srw, .wbm, .wot, .x3d, .mddata, .ysp, .wsc, .jpe, .xdl, .xlsb, .docx, .odm, .y, .itm, .der, .pfx, .wpb, .z3d, .wbd, .xyw, .z, .wdp, .das, .wmd, .dcr, .xbplate, .ptx, .sav, .sr2, .icxs, .xx, .bay, .vfs0, .pef, .dmp, .ltx, .wm, .r3d, .bc7, .kdb, .xld, .raw, .p7b, .mdbackup, .pptx, .kf, .fos, .cr2, .arw, .zif, .xlsm, .rim, .layout, .pst, .accdb, .pkpass, .xls, .forge, .wsh, .dbf, .csv, .mov, .hvpl, .zip, .wpl, .zip, .cfr, .0, .upk, .dba, .rofl, .nrw, .m2, .ai, .bsa, .wpd, .bik, .wma, .wpw, .x3f, .big, .avi, .tor, .m4a, .kdc, .mdb

Once the encryption process is finished, it will drop a ransom note called “_readme.txt” offering decrypt all users files if a payment is made. An example of the ransom note is:

ATTENTION!


Don't worry my friend, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
hxxps://we.tl/t-ll0rIToOhf
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" folder if you don't get answer more than 6 hours.


To get this software you need write on our e-mail:
blower@india.com

Reserve e-mail address to contact us:
blower@firemail.cc

Instructions that is shown below, will help you to remove .Promorad ransomware virus as well as recover (decrypt) encrypted photos, documents and music stored on your computer drives.

Table of contents

1. How to remove .Promorad ransomware
2. How to decrypt .promorad files
3. Use STOPDecrypter to decrypt .promorad files
4. How to restore .promorad files
5. How to protect your computer from .Promorad ransomware?
6. To sum up

How to remove .Promorad ransomware

There are a few ways which can be used to remove .Promorad ransomware. But, not all malware like this ransomware virus can be completely deleted using only manual ways. Most commonly you are not able to remove any ransomware virus utilizing standard Windows options. In order to remove .Promorad ransomware you need use reliable removal tools. Most IT security specialists states that Zemana Anti-malware, Malwarebytes or KVRT tools are a right choice. These free programs are able to find and delete .Promorad ransomware virus from your computer for free.

Run Zemana Anti-malware to remove Promorad ransomware

You can remove .Promorad ransomware automatically with a help of Zemana Anti-malware. We suggest this malicious software removal tool because it can easily remove ransomware viruses, trojans, adware and toolbars with all their components such as folders, files and registry entries.

Installing the Zemana Free is simple. First you’ll need to download Zemana Anti Malware (ZAM) from the link below. Save it on your Desktop.

Once the downloading process is complete, start it and follow the prompts. Once installed, the Zemana Free will try to update itself and when this process is done, click the “Scan” button to find .Promorad ransomware and other security threats.

Depending on your PC system, the scan can take anywhere from a few minutes to close to an hour. While the tool is scanning, you can see number of objects and files has already scanned. Once you have selected what you want to remove from your PC system click “Next” button.

The Zemana Anti-Malware will remove .Promorad ransomware and other kinds of potential threats such as malicious software and potentially unwanted applications.

How to remove .Promorad ransomware with MalwareBytes

We recommend using the MalwareBytes Free. You can download and install MalwareBytes Anti-Malware to search for and remove Promorad ransomware from your computer. When installed and updated, this free malicious software remover automatically identifies and deletes all threats exist on the PC system.

1. Visit the following page to download MalwareBytes AntiMalware (MBAM). Save it to your Desktop so that you can access the file easily.
   
   

   Malwarebytes Anti-malware
   327224 downloads
   Author: Malwarebytes
   Category: Security tools
   Update: April 15, 2020
   
2. At the download page, click on the Download button. Your internet browser will show the “Save as” dialog box. Please save it onto your Windows desktop.
3. When the downloading process is finished, please close all software and open windows on your personal computer. Double-click on the icon that’s named mb3-setup.
4. This will launch the “Setup wizard” of MalwareBytes Anti-Malware onto your machine. Follow the prompts and don’t make any changes to default settings.
5. When the Setup wizard has finished installing, the MalwareBytes Free will open and display the main window.
6. Further, click the “Scan Now” button to start checking your PC system for the .Promorad ransomware virus related files, folders and registry keys. While the MalwareBytes Anti-Malware (MBAM) program is checking, you may see how many objects it has identified as threat.
7. Once MalwareBytes has completed scanning, MalwareBytes Anti-Malware will show a scan report.
8. Next, you need to press the “Quarantine Selected” button. Once the procedure is done, you may be prompted to reboot the computer.
9. Close the AntiMalware and continue with the next step.

Video instruction, which reveals in detail the steps above.

Remove .Promorad ransomware virus with KVRT

KVRT is a free portable program that scans your PC for malware and ransomware such as Promorad ransomware and allows remove them easily. Moreover, it will also help you remove any malicious web-browser extensions and add-ons.

Download Kaspersky virus removal tool (KVRT) by clicking on the following link. Save it to your Desktop so that you can access the file easily.

When the download is complete, double-click on the Kaspersky virus removal tool icon. Once initialization procedure is done, you will see the Kaspersky virus removal tool screen as displayed below.

Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next press Start scan button to detect .Promorad ransomware virus and other trojans and harmful applications. This task may take some time, so please be patient. When a threat is detected, the number of the security threats will change accordingly.

Once Kaspersky virus removal tool has finished scanning your computer, KVRT will show a list of found items as on the image below.

Review the report and then press on Continue to start a cleaning task.

How to decrypt .promorad files

The .Promorad ransomware virus encourages victim to contact it’s makers in order to decrypt all photos, documents and music. These persons will require to pay a ransom (usually demand for $490-980 in Bitcoins).

If your documents, photos and music have been locked by the .Promorad ransomware virus, We advises: do not to pay the ransom. If this malicious software make money for its makers, then your payment will only increase attacks against you. Of course, decryption without the private key is not possible, but that does not mean that the .Promorad ransomware virus must seriously disrupt your live.

With some variants of .Promoz Ransomware, it is possible to decrypt or restore encrypted files using free tools such as STOPDecrypter, ShadowExplorer and PhotoRec.

Use STOPDecrypter to decrypt .promorad files

Michael Gillespie (@) released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).

STOPDecrypter has been updated to include decryption support for the following .djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos. STOPDecrypter will work for any extension of the Djvu* variants including new extensions (.promorad).

Please check the twitter post for more info.

How to restore .promorad files

In some cases, you can restore files encrypted by .Promorad ransomware virus. Try both methods. Important to understand that we cannot guarantee that you will be able to restore all encrypted documents, photos and music.

Run ShadowExplorer to recover .promorad files

An alternative is to recover .promorad photos, documents and music from their Shadow Copies. The Shadow Volume Copies are copies of files and folders that Windows 10 (8, 7 and Vista) automatically saved as part of system protection. This feature is fantastic at rescuing personal files that were locked by .Promorad ransomware virus. The guide below will give you all the details.

ShadowExplorer can be downloaded from the following link. Save it on your Desktop.

Once the downloading process is done, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder like below.

Double click ShadowExplorerPortable to start it. You will see the a window as displayed in the following example.

In top left corner, select a Drive where encrypted photos, documents and music are stored and a latest restore point as displayed on the image below (1 – drive, 2 – restore point).

On right panel look for a file that you wish to recover, right click to it and select Export as on the image below.

Run PhotoRec to recover .promorad files

Before a file is encrypted, the .Promorad ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your personal files using file restore programs like PhotoRec.

Download PhotoRec on your Windows Desktop from the link below.

After downloading is finished, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as displayed in the figure below.

Double click on qphotorec_win to run PhotoRec for Windows. It will show a screen as displayed on the image below.

Select a drive to recover as shown in the figure below.

You will see a list of available partitions. Select a partition that holds encrypted personal files as shown in the following example.

Click File Formats button and choose file types to restore. You can to enable or disable the restore of certain file types. When this is finished, click OK button.

Next, press Browse button to select where recovered documents, photos and music should be written, then click Search.

Count of recovered files is updated in real time. All recovered photos, documents and music are written in a folder that you have chosen on the previous step. You can to access the files even if the restore process is not finished.

When the recovery is done, click on Quit button. Next, open the directory where restored personal files are stored. You will see a contents as shown on the screen below.

All restored personal files are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re looking for a specific file, then you can to sort your restored files by extension and/or date/time.

How to protect your computer from .Promorad ransomware?

Most antivirus applications already have built-in protection system against the virus. Therefore, if your machine does not have an antivirus program, make sure you install it. As an extra protection, run the HitmanPro.Alert.

Use HitmanPro.Alert to protect your personal computer from .Promorad ransomware virus

HitmanPro.Alert is a small security tool. It can check the system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.

HitmanPro Alert can be downloaded from the following link. Save it on your Desktop.

Once the downloading process is finished, open the file location. You will see an icon like below.

Double click the HitmanPro.Alert desktop icon. After the tool is started, you’ll be displayed a window where you can select a level of protection, like below.

Now press the Install button to activate the protection.

To sum up

Now your PC should be free of the .Promorad ransomware. Uninstall MalwareBytes AntiMalware and KVRT. We recommend that you keep Zemana (to periodically scan your personal computer for new malicious software). Make sure that you have all the Critical Updates recommended for Windows OS. Without regular updates you WILL NOT be protected when new virus, malicious applications and adware are released.

If you are still having problems while trying to remove .Promorad ransomware virus from your PC system, then ask for help here.