Remove Promos Ransomware (+.Promos File Recovery)

How to Remove Promos Ransomware?

Readers recently started to report the following message being displayed when they boot their computer:

———————————————- ALL YOUR FILES ARE ENCRYPTED ———————————————–

Don’t worry, you can return all your files!
All your files documents, photos, databases and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees do we give to you?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information
Don’t try to use third-party decrypt tools because it will destroy your files.
Discount 50% available if you contact us first 72 hours.
—————————————————————————————————————————
To get this software you need write on our e-mail:
blower@firemail.cc
Reserve e-mail address to contact us:
blower@firemail.cc
Your personal ID:
[redacted 43 alphanumeric chars]


There’s a new variant of the Djvu ransomware, and it goes by the name Promos. Promos is a crypto locker that targets your data. The infection slithers into your system, then encrypts every file you have. It uses the AES cipher to lock your documents, pictures, videos, music, everything! Nothing can escape its influence. It attaches a special extension at the end of each file, thus solidifying its hold over your files. Say you have a song called you.mp3. When the ransomware gets done with it, it becomes you.mp3.promos. Then, you can no longer access it. The infection renders your files unusable. Then, it demands payment if you wish to make them usable again. The nasty threat extorts you for money. It makes a bunch of promises, but don’t count on it to keep any of them. No matter what it claims it will do, if you comply, odds are it won’t go through with it. You have to understand, you’re dealing with cyber criminals: strangers who encrypt your data and extort you for its release. Do you think strangers will keep their word, and not break it, once they get your money? Don’t be naive! Don’t contact these people. Don’t reach out to them in any way. And pay them nothing! Payment guarantees you nothing but monetary loss.

How did I get infected?

The Promos tool managed to slip by you, unnoticed. How? Well, it tricked you. The infection preys on your naivety, haste, and distraction. It needs you to skip doing due diligence and rely on luck, to leave your fate to chance instead of vigilance. It needs you NOT to be thorough. Don’t oblige. You see, the ransomware uses a ton of tricks to sneak past you. But none of them can prove successful if you’re cautious. Attention helps you catch the cyber threat in the act of attempting invasion, and deny it access. It uses the old but gold invasive methods to guarantee its success. It hides behind spam emails and freeware, or corrupted links, sites, or torrents. It can even pose as a system or program update, like Java or Adobe Flash Player. It has a ton of tricks up its sleeve. It’s up to you to look past them and catch it in the act. Do your due diligence! Remember that caution helps you catch infections in the act of trying to slip by you. Carelessness does not. Choose wisely.

Why is Promos dangerous?

Promos makes your life an even bigger hell. Apart from locking your data and demanding a ransom, it also messes with your PC. It modifies settings and files, ensuring its operation is as smooth as can be. It also launches a variety of processes, adds registry keys, closes programs, and more. The list is extensive. The infection is rather meddlesome. As soon as Promos strikes, you get a note. The tool leaves you a text file, which you can find on your Desktop. It’s a ransom note called “_readme.txt.” The note clues you into your current situation and provides instructions for you to follow. You’re expected to pay a ransom of $980 in Bitcoin. When you complete the transfer, you’ll get the decryption key you need. Or so the cyber kidnappers claim. You may even get a “special offer.” The extortionists can try to convince you that haste can save you money. Supposedly, you get a 50% discount if you contact them within the first 72 hours of encryption. But that’s yet another way for them to pressure you into compliance. Don’t fall for it. Cyber extortionists are known to turn a blind eye once they receive the ransom payment. It’s a mistake to trust them. Regardless of the promises they make, they will double-cross you. The odds are NOT in your favor. Don’t make the mistake of falling for false promises. Don’t fall for the lies of scheming individuals. These people only care for your money. Don’t give it to them! The ransom note opens with “Don’t worry, you can return all your files!” But can you? If you pay them, you’re left at their mercy. You have to wait to receive the decryption key. They can choose not to send one, or send the wrong one. And even if they’re kind enough to give you the proper one, what then? You paid money to remove a symptom, but not the infection. You got rid of Promos’ encryption, but not of Promos itself. Think about that. Pay these people nothing.

Promos Removal Instructions

STEP 1: Kill the Malicious Process

STEP 2: Reveal Hidden Files

STEP 3: Locate Startup Location

STEP 4: Recover Promos Encrypted Files

STEP 1: Stop the malicious process using Windows Task Manager

  • Open your Task Manager by pressing the CTRL+SHIFT+ESC keys simultaneously.
  • Locate the process of the ransomware. Have in mind that this is usually a randomly generated file name.
  • Before you kill the process, type its name in a text document for later reference.

  • Locate any suspicious processes associated with Promos encryption Virus.
  • Right click on the process
  • Open File Location
  • End Process
  • Delete the directories with the suspicious files.
  • Have in mind that the process can be hiding and very difficult to detect

STEP 2: Reveal Hidden Files

  • Open any folder
  • Click on “Organize” button
  • Choose “Folder and Search Options”
  • Select the “View” tab
  • Select “Show hidden files and folders” option
  • Uncheck “Hide protected operating system files”
  • Click “Apply” and “OK” button

STEP 3: Locate Promos encryption Virus startup location

  • Once the operating system loads, press the Windows Logo Button and the R key simultaneously.

Depending on your OS (x86 or x64) navigate to:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

  • and delete the display Name: [RANDOM]

  • Then open your explorer, navigate to your %appdata% folder and delete the executable.

Alternatively, you can use the Windows msconfig program to double-check the execution point of the virus. Please have in mind that the names on your machine might be different, as they might be generated randomly. That’s why you should run a professional scanner to identify malicious files.

STEP 4: How to recover encrypted files?

  • Method 1: The first and best method is to restore your data from a recent backup, if you have one.

  • Method 2: File Recovery Software – Usually when the ransomware encrypts a file it first makes a copy of it, encrypts the copy, and then deletes the original. Due to this you may try to use file recovery software to recover some of your original files.
  • Method 3: Shadow Volume Copies – As a last resort, you can try to restore your files via Shadow Volume Copies. Open the Shadow Explorer part of the package and choose the Drive you want to recover. Right click on any file you want to restore and click Export on it.
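Before choosing between these methods, it is worth knowing how much was encrypted, where, and whether any shadow copy is older than the encryption. The PowerShell script below is an added example, not part of the original instructions; it changes nothing on disk, and the default scan root and the use of the earliest write time as the start of encryption are assumptions.

```powershell
# Added example: read-only recovery triage for Step 4.
param([string]$Root = $env:USERPROFILE)   # assumption: scan the user profile

$files = @(Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -eq '.promos' })
if ($files.Count -eq 0) { Write-Output "No .promos files found under $Root"; return }

# Assumption: the earliest write time approximates when encryption started
$firstHit = ($files | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
Write-Output ("{0} encrypted files, first written {1:yyyy-MM-dd HH:mm}" -f $files.Count, $firstHit)

# Per-folder summary: which directories to restore from backup first
$files | Group-Object DirectoryName | ForEach-Object {
    [pscustomobject]@{
        Directory = $_.Name
        Files     = $_.Count
        SizeMB    = [math]::Round(($_.Group | Measure-Object Length -Sum).Sum / 1MB, 1)
    }
} | Sort-Object Files -Descending | Format-Table -AutoSize

# Ransom notes left next to the data (file name taken from the article)
$notes = @(Get-ChildItem -LiteralPath $Root -Recurse -File -Force -Filter '_readme.txt' -ErrorAction SilentlyContinue)
Write-Output ("{0} ransom notes (_readme.txt) found" -f $notes.Count)

# Shadow copies taken before the first encrypted file are candidates for Method 3.
# Querying Win32_ShadowCopy needs an elevated prompt.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
if ($shadows.Count -eq 0) {
    Write-Output 'No shadow copies available (or not running elevated).'
} else {
    $shadows | Sort-Object InstallDate | ForEach-Object {
        [pscustomobject]@{
            Created        = $_.InstallDate
            Volume         = $_.VolumeName
            PredatesAttack = ($_.InstallDate -lt $firstHit)
        }
    } | Format-Table -AutoSize
}
```

Only shadow copies with PredatesAttack = True can hold unencrypted versions of the files.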
