.promock Files Virus (STOP/DJVU) – How to Remove It

.promock Files Virus (STOP/DJVU) – How to Remove It

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

This article has been created in order to best explain what is the .promock file extension ransomware, how to remove it from your computer and how you can try and restore files, encoded by it.

Yet another variant of STOP/DJVU ransomware family, carrying the .promock file extension was recently identified by malware researchers. The ransomware virus aims to render the files on the computers that have been infected by it to a no longer “able to be opened” state. The virus also aims to get users to see it’s ransom note file, where it extorts victims to pay ransom if they want to see their files again. If you have problems with the .promock file ransomware, we recommend that you read this article thoroughly.

Threat Summary

Name.promock Files Ransomware
TypeRansomware, Cryptovirus
Short DescriptionAims to render the files on the compromised computers by it to no longer be able to be opened In order to extort victims into paying ransom to get their files back.
SymptomsFiles cannot be opened and have the .promock file extension. The ransomware drops a _readme.txt ransom note, containing the extortionists’ message.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by .promock Files Ransomware


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .promock Files Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.promock File Ransomware – Distribution

For the .promock files virus to be spread onto victim computers, the ransomware may use different methods. One of them is to send victims e-mails that appear to be carrying legitimate documents as e-mail attachments. These types of malspam (malicious spam) messages may often carry attachments of various types, such as invoices, receipts and other supposedly real documents that are important. The messages often have convincing text in them, for example:

In addition to e-mails, the .promock ransomware may also be spread as a result of being added as a program, that is just what the users are looking to download for free online. Such software often turns out to be installers of different programs, patches for software or games, cracks for games or programs, license activator for Windows or other software, portable version of a paid program and many other programs of this type.

.promock Files Virus – More Information

As soon as infection with the .promock files ransomware takes place on the victim PC, the ransomware may silently drop it’s malicious files on the targeted system. The files may reside in the following Windows directories;

  • %Local%
  • %LocalLow%
  • %Temp%
  • %ProgramData%
  • %Windows%
  • %SystemDrive%
  • %system32%
  • %Roaming%

When the malicious files of .promock ransomware are dropped, the virus may begin to perform other activities on the infected PC, such as set the ransom note file _readme.txt to appear so that victims can see it. This extortionist message has the following contents:

———————————————- ALL YOUR FILES ARE ENCRYPTED ———————————————–

Don’t worry, you can return all your files!
All your files documents, photos, databases and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees do we give to you?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information
Don’t try to use third-party decrypt tools because it will destroy your files.
Discount 50% available if you contact us first 72 hours.
To get this software you need write on our e-mail:
Reserve e-mail address to contact us:
Your personal ID:
[redacted 43 alphanumeric chars]

As soon as .promock ransomware drops the malicious files on our computer, it may also begin to perform the following malicious activities prior to starting file encryption:

  • Check to see if it’s running on a real PC or a virtual drive and if so it may self-terminate.
  • Obtain your IP address.
  • Obtain your location and language settings.
  • Check if a variant of STOP ransomware has already attacked your PC in the past and if so, it may self-terminate.
  • Obtain your passwords and logins.
  • Obtain important files.

Furthermore, the .promock files virus is also a variant of STOP ransomware, which means that you may encounter it In other versions as well, like the recently detected

.promorad one. Just like it, the virus may start to create value strings in the Windows registry editor. The primary sub-keys that it may attack there coult turn out the be the following:

→ \LogonUI\Background
\Control Panel\Desktop

The main idea behind these registry sub-keys is to change different settings of Windows by creating value strings in those keys with custom data within those values.

In addition to this, the .promock ransomware could also be coded to delete the Windows Backups and shadow volumes on computers that have been compromised by it and this may likely happen by executing the following Windows command prompt lines:

→ sc stop VVS
sc stop wscsvc
sc stop WinDefend
sc stop wuauserv
sc stop BITS
sc stop ERSvc
sc stop WerSvc
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\System32\cmd.exe” /C vssadmin.exe Delete Shadows /All /Quiet

.promock Ransomware – Encryption Process

To encrypt files, the .promock ransomware may use the very same encryption algorithm as the other versions of the virus – AES or Advanced Encryption Standard. This is the type of cipher that encrypts bytes of data from the file set to be encoded and then replaces it with the encryption algorithm’s data. After the encryption, an assymetric key is generated, to correspond to the files and decrypt them via specific decryption software, which is held only by the crooks.

The encryption process may target a lot of file types, some of which may be among the following:


After the encryption process of .promock ransomware is complete, the virus leaves the files to appear as if they are corrupt and when you try to open them, Windows cannot find the proper software to open the files with:

Remove .promock Files Virus and Try Restoring Data

If you want to remove the .promock file ransomware, we recommend that you follow the removal instructions that are posted underneath this article, but before doing this, it is a good idea to backup your files.

The instructions below are divided in manual removal (first two steps) and automatic removal so that if you fail to delete this virus manually or feel uncertain, you also have a professional automatic solution available. Such solution lies within the face of an advanced malware removal software, created to automatically detect and delete the files and objects of this virus and make it so that they no longer appear on your computer again.

If you want to restore files, encrypted by the .promock ransomware on your computer, we would strongly recommend that you check the alternative methods for file recovery below. They have been created with the main idea to help you retrieve as many files as possible, but do not count that they work with 100% effectiveness.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share