Computers on Focus - Online Security Guide

05:44 pm
14 November 2024

.PROMORAD2 Ransomware Virus – How to Remove It

This post is made in order to show you what is are .promorad2 encrypted files, how to remove the .promorad2 ransomware virus from your computer and how you can try and get .promorad2 files to work again without paying any ransom.

A ransomware virus, using the .promorad2 file extension was recently detected to be yet another part of the STOP/DJVU ransomware strain. The virus’s main purpose is to encrypt files on the computers that have been compromised by it and then leave behind a readme text file which aims to induce fear into victims that if they do not pay ransom fee in BitCoin, their files will be permanently lost. If your computer has been infected by the .promorad2 files ransomware, we would strongly suggest that you read this article as it has more info on how this threat works and how you can remove it withoot risk to your files.

The .promorad2 Ransomware virus has been spotted using the its own file extension. The .promorad2 Ransomware virus also communicates via TOR through which it sends a decrypter after the ransom has been paid. In case you are a victim of the new .promorad2 Ransomware virus we advise you to read this article and learn how to remove the virus files and try to decode encrypted objects.

.promorad2 Ransomware Virus – What Does It Do

Being a variant of the ransomware family, which exists in a lot of virus families, the .promorad2 Ransomware ransomware has been reported to drop one or more executable files in the %AppData% Windows directory.

After doing so, the .promorad2 Ransomware virus may modify the Windows registry entries, more specifically the Shell sub-key with the following location:

  • HKLM/Software/Microsoft/WindowsNT/CurrentVersion/Winlogon/Shell

Then, the .promorad2 Ransomware virus may also modify the Run registry key to run the executable file(s) in the %AppData% directory. The key is with the following path:

  • HKLM/Software/Microsoft/Windows/CurrentVersion/Run/

This may result in the virus file booting alongside the Windows start-up process.

.promorad2 Ransomware also drops a ransom note file with a ransom message and places it somewhere easy to locate. Then, the .promorad2 Ransomware virus may attack files with the following file types to encrypt them:

  • Videos.
  • Images.
  • Documents.
  • Audio files.
  • Archives.

After .promorad2 Ransomware encrypts the files, the virus leaves the files no longer able to be opened and likely appends a custom file extenson to them.

.promorad2 Ransomware Ransomware – How Did I Get Infected

The infection process of .promorad2 Ransomware is conducted primarily via spammed e-mails that have deceptive messages embedded within them. Such messages may pretend to be sent from services such as PayPal, UPS, FedEx and others. They may contain attachments that pretend to be invoices and other fake type of files. Other social engineering techniques include:

  • Fake buttons and pictures as if the e-mails are sent from a social media site, like LinkedIn.
  • Fraudulent PayPal links.
  • Links to GoogleDrive and fake e-mails that look the same as if they are sent from Google.

Other infection tools may also include the usage of torrent websites and other third-party sites to upload fake updates, fake installers as well as other fraudulent executables.

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload the CAPTCHA.