Security researchers have discovered a new variant of ransomware called .Promorad2 ransomware. It appends the .promorad2 file extension to encrypted file names. This post covers what you need to know about this ransomware virus, how to remove it from your machine and how to recover (decrypt) .promorad2 files for free.
Immediately after launch, the .Promorad2 ransomware virus scans all available drives, including network and cloud storage, to determine which files will be encrypted. The ransomware uses the file name extension to decide which files to encrypt. It encrypts almost all types of files, including common ones such as:
.raf, .wpt, .hkdb, .wmf, .itm, .srw, .wot, .sr2, .raw, .xdl, .pfx, .rw2, .crw, .esm, .lbf, .odc, .rar, .pef, .0, .svg, .jpg, .arch00, .odm, .wdp, .js, .mddata, .css, .wbk, .nrw, .xpm, .pem, .icxs, .rb, .xll, .hplg, .pkpass, .xlsm, wallet, .rgss3a, .mov, .yal, .xlsb, .x3d, .vtf, .cas, .sidn, .zdc, .jpeg, .qdf, .itl, .ptx, .wmo, .p7b, .mp4, .3ds, .xls, .py, .wp, .snx, .psd, .bar, .m2, .sid, .x3f, .epk, .tor, .bik, .bay, .kdc, .lvl, .apk, .wmd, .1, .cdr, .vpp_pc, .vpk, .indd, .m4a, .wgz, .x3f, .xwp, .doc, .pdf, .asset, .pptm, .bkf, .das, .pak, .csv, .rofl, .odb, .wp5, .ysp, .wpa, .zif, .wps, .slm, .docm, .xbdoc, .7z, .wsc, .xlk, .wsd, .mef, .mdbackup, .bkp, .wire, .z, .kdb, .dba, .xlsx, .wav, .dwg, .xdb, .db0, .webdoc, .wri, .sb, .xy3, .zi, .xmind, .wmv, .qic, .3fr, .zw, .wp7, .accdb, .ncf, .zabw, .wp6, .mdf, .wma, .wbz, .wotreplay, .eps, .rtf, .wpw, .ppt, .wpg, .hkx, .sie, .psk, .xyp, .menu, .wn, .wsh, .map, .dbf, .wdb, .wpb, .xmmap, .lrf, .wcf, .pptx, .fsh, .r3d, .pst, .erf, .dcr, .fos, .ntl, .3dm, .odp, .zip, .xls, .hvpl, .ibank, .xml, .mrwref, .zip, .w3x, .xlsx, .xx, .mcmeta, .crt, .pdd, .ff, .wm, .wb2, .yml, .flv, .xlsm, .webp, .xld, .layout, .mlx, .wbm, .xbplate, .fpk, .wp4, .ai, .wpd, .x, .ltx, .blob, .d3dbsp, .wbd, .ztmp, .odt, .dmp, .wmv, .arw, .upk, .sql, .xf, .vcf, .xar, .1st
When the ransomware encrypts a file, it appends the .promorad2 extension to the file name. Once the virus has finished encrypting all documents, photos and music, it creates a file named “_readme.txt” containing a ransom note with instructions on how to decrypt them. You can see one of the variants of the ransom note below:
ATTENTION!
Don't worry my friend, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-PkTh0Y7Koy
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" folder if you don't get answer more than 6 hours.
To get this software you need write on our e-mail:
email@example.com
Reserve e-mail address to contact us:
firstname.lastname@example.org
Your personal ID:
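To see how far the encryption described above has spread, the following added example (not part of the original article and not taken from any of the tools it mentions) walks a folder tree and counts files carrying the .promorad2 extension and copies of the _readme.txt note. The function names and report layout are assumptions made for illustration.

```python
import os
from collections import Counter
from pathlib import Path

ENCRYPTED_SUFFIX = ".promorad2"   # extension named in this article
NOTE_NAME = "_readme.txt"         # ransom note file name named in this article


def inventory(root):
    """Walk root and return (encrypted, notes, by_type).

    encrypted: list of (encrypted_path, original_name) pairs
    notes:     list of ransom note paths
    by_type:   Counter of the original extensions that were hit
    """
    encrypted, notes, by_type = [], [], Counter()
    # Unreadable folders are skipped instead of aborting the whole scan.
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = Path(dirpath) / name
            lower = name.lower()  # Windows file names are case-insensitive
            if lower == NOTE_NAME:
                notes.append(path)
            elif lower.endswith(ENCRYPTED_SUFFIX) and len(name) > len(ENCRYPTED_SUFFIX):
                # Strip the appended extension to get the pre-encryption name.
                original = name[: -len(ENCRYPTED_SUFFIX)]
                encrypted.append((path, original))
                by_type[Path(original).suffix.lower() or "(none)"] += 1
    return sorted(encrypted), sorted(notes), by_type


def report(root):
    """Return a short text summary of the damage under root."""
    encrypted, notes, by_type = inventory(root)
    lines = [f"{len(encrypted)} encrypted file(s), {len(notes)} ransom note(s) under {root}"]
    lines += [f"  {ext:10} {count}" for ext, count in by_type.most_common()]
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    print(report(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it against each drive or share in turn; the script only reads directory listings and does not modify or delete anything.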
It is very important to follow the step-by-step guidance below as quickly as possible. These steps will help you remove .Promorad2 ransomware. They will also help you recover encrypted documents, photos and music for free.
Table of contents
- How to remove .Promorad2 ransomware
- How to decrypt .promorad2 files
- Use STOPDecrypter to decrypt .promorad2 files
- How to restore .promorad2 files
- How to protect your system from .Promorad2 ransomware virus?
- To sum up
How to remove .Promorad2 ransomware
We can help you remove the .Promorad2 ransomware virus without the need to take your computer to a professional. Simply follow the removal tutorial below if you currently have the virus on your system and want to remove it. If you have any difficulty while trying to remove the ransomware virus, feel free to ask for our assistance in the comment section below. Read the tutorial through once, then print this page, as you may need to shut down your browser or restart your PC.
How to remove .Promorad2 ransomware with Zemana Anti-malware
Zemana Anti-malware is a tool which can remove ransomware viruses, adware, PUPs, hijackers and other malicious software from your computer easily and for free. Zemana Anti-malware is compatible with most antivirus software. It works under Windows (10 – XP, 32 and 64 bit) and uses a minimum of system resources.
Download Zemana Anti-Malware (ZAM) from the link below. Save it on your MS Windows desktop.
When the download is done, start the installer and follow the prompts. Once installed, Zemana will try to update itself. When this process is finished, press the “Scan” button to begin scanning your computer for .Promorad2 ransomware related files, folders and registry keys.
This procedure can take quite a while, so please be patient. When malware, adware or potentially unwanted software is detected, the count of security threats will change accordingly. Once you have selected what you want to delete from your PC, click the “Next” button.
Zemana Anti-Malware will delete the files, folders and registry keys related to the .Promorad2 ransomware virus.
Automatically remove Promorad2 ransomware with MalwareBytes Anti Malware
If you are having problems with the Promorad2 ransomware removal, then download MalwareBytes Free. It’s free for home use, and detects and removes various unwanted programs that attack your computer or degrade system performance. MalwareBytes AntiMalware can delete adware, PUPs and malware, including ransomware and trojans.
MalwareBytes can be downloaded from the following link. Save it directly to your Windows Desktop.
Once the download is finished, close all windows on your computer. Then open the file called mb3-setup. If the “User Account Control” prompt pops up as displayed in the figure below, click the “Yes” button.
It will display the “Setup wizard”, which will help you install MalwareBytes Anti-Malware on the computer. Follow the prompts and do not make any changes to the default settings.
Once installation has finished successfully, click the Finish button. MalwareBytes Free will then run automatically and you will see its main window, like below.
Next, press the “Scan Now” button to check your PC for the Promorad2 ransomware, other malicious software and potentially unwanted programs. While the tool is scanning, you can see how many objects and files have already been scanned.
Once MalwareBytes AntiMalware (MBAM) has finished scanning, it will show you the list of all threats found on your PC. Review the results. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply click the “Quarantine Selected” button.
MalwareBytes will remove the Promorad2 ransomware and other kinds of potential threats such as malicious software and trojans. When the task is done, you may be prompted to reboot your computer. We advise you to look at the following video, which fully explains the procedure of using MalwareBytes to get rid of browser hijackers, adware and other malware.
Use KVRT to delete .Promorad2 ransomware virus
KVRT is a free removal utility that can check your PC for a wide range of security threats such as the .Promorad2 ransomware, adware, PUPs and other malicious software. It performs a deep scan of your PC, including hard drives and the Microsoft Windows registry. Once malware is found, it lets you remove all found threats from your computer with a single click.
Download Kaspersky virus removal tool (KVRT) from the following link. Save it to your Desktop.
When the download is finished, double-click the KVRT icon. Once the initialization procedure is done, you will see the Kaspersky virus removal tool screen as shown on the image below.
Click Change Parameters and check the box next to each of your drives. Press OK to close the Parameters window. Next, press the Start scan button to perform a system scan for the .Promorad2 ransomware and other malware. Depending on your PC, the scan may take anywhere from a few minutes to close to an hour. When a threat is detected, the number of security threats will change accordingly.
After Kaspersky virus removal tool has finished scanning, it will show a list of detected items as displayed on the screen below.
Review the results once the utility has finished the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply click Continue to begin the cleaning procedure.
How to decrypt .promorad2 files
The encryption is so strong that it is practically impossible to decrypt .promorad2 files without the actual encryption key. The bad news is that the only way to get your files back is to pay the developers of the .Promorad2 ransomware virus ($490-980 in Bitcoins) for a copy of the private (encryption) key.
There is absolutely no guarantee that, after you pay a ransom to the developers of the .Promorad2 ransomware virus, they will provide the key needed to decrypt your files. In addition, you must understand that by paying money to the cyber criminals you are encouraging them to create new ransomware.
Use STOPDecrypter to decrypt .promorad2 files
Michael Gillespie (@) released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).
STOPDecrypter has been updated to include decryption support for the following .djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos). STOPDecrypter will work for any extension of the Djvu* variants including new extensions (.promorad2).
Please check the Twitter post for more info.
How to restore .promorad2 files
In some cases, you can restore files encrypted by .Promorad2 ransomware. Try both methods. It is important to understand that we cannot guarantee that you will be able to recover all encrypted documents, photos and music.
Restore .promorad2 files with ShadowExplorer
An alternative is to restore .promorad2 personal files from their Shadow Copies. Shadow Volume Copies are copies of files and folders that Microsoft Windows 10 (8, 7 and Vista) automatically saves as part of system protection. This feature is fantastic at rescuing personal files that were damaged by .Promorad2 ransomware. The tutorial below will give you all the details.
Click the following link to download ShadowExplorer. Save it to your Desktop.
When the download is done, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as displayed in the figure below.
Double-click ShadowExplorerPortable to start it. You will see a window as displayed in the figure below.
In the top left corner, select the drive where the encrypted documents, photos and music are stored and the latest restore point, as displayed in the figure below (1 – drive, 2 – restore point).
In the right panel, look for a file that you want to restore, right-click it and select Export, as displayed in the following example.
Use PhotoRec to restore .promorad2 files
Before a file is encrypted, the .Promorad2 ransomware virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your personal files using file recovery apps like PhotoRec.
Download PhotoRec from the following link.
Once the download is complete, open the directory in which you saved it. Right-click testdisk-7.0.win and choose Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as shown on the screen below.
Double-click qphotorec_win to run PhotoRec for Microsoft Windows. It will display a screen as displayed below.
Select a drive to recover as shown on the screen below.
You will see a list of available partitions. Select a partition that holds encrypted files as displayed below.
Click the File Formats button and choose the file types to restore. You can enable or disable the restore of certain file types. When this is complete, click the OK button.
Next, press the Browse button to choose where recovered personal files should be written, then press Search.
The count of recovered files is updated in real time. All recovered photos, documents and music are written to the folder that you selected in the previous step. You can access the files even if the recovery process is not finished.
When the recovery is done, click the Quit button. Next, open the directory where the recovered photos, documents and music are stored. You will see its contents as shown in the figure below.
All restored personal files are written in recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, then you can sort your restored files by extension and/or date/time.
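Sorting the recovered files by extension and date, as suggested above, can also be scripted. The following is an added example, not part of the original article or of PhotoRec itself; it assumes only the recup_dir.N folder naming described above, and the function names are made up for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from pathlib import Path

RECUP_DIR = re.compile(r"^recup_dir\.(\d+)$")  # PhotoRec output folder naming from the article


def recup_dirs(output_root):
    """Return the recup_dir.N folders in numeric order (2 before 10)."""
    found = []
    for entry in Path(output_root).iterdir():
        match = RECUP_DIR.match(entry.name)
        if match and entry.is_dir():
            found.append((int(match.group(1)), entry))
    return [path for _n, path in sorted(found)]


def index_recovered(output_root, wanted=None):
    """Group recovered files by extension, newest first within each group.

    wanted: optional set of extensions to keep, such as {".jpg", ".docx"}.
    """
    groups = defaultdict(list)
    for folder in recup_dirs(output_root):
        for f in folder.iterdir():
            if not f.is_file():
                continue
            ext = f.suffix.lower()
            if wanted and ext not in wanted:
                continue
            st = f.stat()
            groups[ext].append((st.st_mtime, st.st_size, f))
    for items in groups.values():
        items.sort(key=lambda item: item[0], reverse=True)
    return dict(groups)


def listing(output_root, wanted=None):
    """Return a text listing: one header per extension, then date, size, path."""
    lines = []
    for ext, items in sorted(index_recovered(output_root, wanted).items()):
        lines.append(f"{ext or '(no extension)'}: {len(items)} file(s)")
        for mtime, size, f in items:
            stamp = datetime.fromtimestamp(mtime).strftime("%Y-%m-%d %H:%M")
            lines.append(f"  {stamp}  {size:>10}  {f.parent.name}/{f.name}")
    return "\n".join(lines)
```

Call listing() with the folder you chose with the Browse button, optionally passing the extensions you are looking for.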
How to protect your system from .Promorad2 ransomware virus?
Most antivirus applications already have built-in protection against ransomware. Therefore, if your computer does not have an antivirus program, make sure you install one. As extra protection, use HitmanPro.Alert.
Use HitmanPro.Alert to protect your PC system from .Promorad2 ransomware virus
All-in-all, HitmanPro.Alert is a fantastic tool to protect your personal computer from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of Windows OS from Microsoft Windows XP to Windows 10.
HitmanPro.Alert can be downloaded from the following link. Save it to your Desktop so that you can access the file easily.
Once downloading is finished, open the folder in which you saved it. You will see an icon like below.
Double click the HitmanPro.Alert desktop icon. After the utility is launched, you will be shown a window where you can choose a level of protection, as displayed below.
Now click the Install button to activate the protection.
To sum up
Once you’ve completed the tutorial above, your PC should be clean of the .Promorad2 ransomware virus and other malicious software, and your photos, documents and music will no longer be encrypted. Unfortunately, if these steps do not help you, then you have caught a new ransomware, and the best option is to ask for help here.