.promorad Files Virus (STOP/DJVU) – How to Remove It

This article has been created with the main idea of helping you understand what is the .promorad ransomware, how you can remove it and how you can try and restore .promorad encrypted files.

Yet another variant of STOP/Djvu ransomware was recently discovered by security researcher Michael Gillespie(@demonslay335). The ransomware aims to encrypt the files on the computers, compromised by it and then set the file extension .promorad to the encrypted files. The ransomware also drops a note file, explaining to victims that they must pay ransom in order to get their files recovered back to normal and working once again. If your computer was recently infected by .promorad ransomware, we would strongly suggest that you read this article thoroughly.

Threat Summary

Name.promorad Ransomware
TypeRansomware, Cryptovirus
Short DescriptionIt’s main goal is to encrypt the files on the compromised computers by it and then ask victims to pay ransom in order to retrieve them.
SymptomsFiles are encrypted and have the .promorad file extension added. A ransom note file is dropped, called _readme.txt and it demands victims to pay hefty ransom to get the files to work again.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by malware


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .promorad Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

NOTE! Update March 12, 2019
According to security researcher Michael Gillespie, the .promorad variant of STOP ransomware also downloads and

In addition to the encryption capabilities, STOP ransomware is now able to install AZORult Trojan with the help of a file detected as 5.exe.
executes a file known as 5.exe. Upon execution, the file creates network traffic which is very similar to the command and control server communications of the well-known AZORult Trojan stealer. This simply means that victims of .promorad file virus may also get infected with the AZORult Trojan, which is a dangerous spyware.

The Trojan is designed to steal various types of data such as account credentials, desktop files, cryptocurrency wallets, browser history, Skype message history, among others. Once harvested, the victim’s data in uploaded to a remote server. To remove both infections and all their associated files fully, the best option may be to use an anti-malware program.

.promorad Files Virus – Distribution

To successfully infect your computer, .promorad ransomware may come via different attack methods. The main attack method used by this virus is to spread the malicious files, belonging to it via e-mail. These e-mails may replicate infection files as e-mail attachments. These files may appear as if they are legitimate documents that are of utmost importance, like:

  • Reports for closed accounts.
  • Banking documents.
  • Invoices for a purchase.
  • Receipt for a purchase.
  • Notification letters for a refund.
  • Documents for cancelled order.

Once victims open those e-mails and download the attachments, the infection may occur once the fake document is opened.

Another strategy that may be used by the .promorad files virus to infect users is to get them to infect compromised computers via various different types of files that are uploaded on suspicious or compromised websites. These types of files often turn out to be:

  • Fake setups of programs.
  • Fake versions of portable software..
  • Patches.
  • Cracks.
  • Updates.
  • Key generators.

.promorad Ransomware – Activity Report

Once .promorad files ransomware has already infected your computer, the virus aims to create various different types of files that may be under different names and may be located in the commonly targeted folders of Windows:

In addition to the files dropped on the computers of victims, the .promorad ransomware also drops it’s ransom note file, called _readme.txt and the note has the following message to victims:

———————————————- ALL YOUR FILES ARE ENCRYPTED ———————————————–

Don’t worry, you can return all your files!
All your files documents, photos, databases and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees do we give to you?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information
Don’t try to use third-party decrypt tools because it will destroy your files.
Discount 50% available if you contact us first 72 hours.
To get this software you need write on our e-mail:
Reserve e-mail address to contact us:
Your personal ID:
[redacted 43 alphanumeric chars]

The .promorad files virus is part of the STOP/DJVU ransomware virus family and it has a lot of virus variants so far:

After dropping the ransom note and other files on victim computers, the .promorad variant of STOP ransomware may also create mutexes and use it’s administrator privileges to allegedly modify the following Windows Registry sub-keys:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In those sub-keys, the .promorad file ransomware may drop several different value strings with data in them, whose main idea is to get the malicious file that is responsible for encryption to run automatically each time users boot Windows.

In addition to modifying the registry editor, the .promorad ransomware may also delete the shadow copies on the infected computer by execuing a script that deletes them via Windows Command Prompt. Among the commands executed in the script may be the following:

→ sc stop VVS
sc stop wscsvc
sc stop WinDefend
sc stop wuauserv
sc stop BITS
sc stop ERSvc
sc stop WerSvc
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\System32\cmd.exe” /C vssadmin.exe Delete Shadows /All /Quiet

.promorad Ransomware – Encryption

To encrypt the files on the compromised computer, .promorad ransomware virus may look for them by scanning for their file extensions, for example .docx, .jpg, .pdf, and other often used file types. The file types that may be targeted by this ransomware virus may be the following:

  • Documents.
  • Videos.
  • Images.
  • Archives.
  • Virtual Drive files.
  • Audio files.
  • Other files, belonging to often-used programs.

After encryption, the STOP ransomware may set the .promorad file extension to the encrypted files, making them appear like the image below shows:

Remove .promorad Files Virus and Try Restoring Data

If you want to get rid of the .promorad ransomware, we suggest you to be careful, because any rushed actions may result in your files permanently breaking. This is why, we always recommend to either create a system image of Windows or do a fresh backup of your files, even if they are encrypted.

If you want to remove the .promorad file ransomware manually from your computer, we would recommend that you follow the removal instructions that are underneath this article. They have been created with the main idea in order to help you delete the virus files of this infection either by yourself or automatically. If the manual removal does not help you, we would suggest what most cyber-security experts advise and that is to download and install an advanced anti-malware software, whose main goal is to automatically scan your computer for malicious files and then make sure to remove all of the files and objects related to .promorad file ransomware.

If you want to try and restore files, encrypted by this ransomware virus, we would strongly suggest that you try the alternative methods for file recovery we have suggested below. They may not be a 100% solution to recover all your files, but with their aid, you might be able to retrieve at least some of your data.


Ventsislav Krastev

Ventsislav is a cybersecurity expert at SensorsTechForum since 2015. He has been researching, covering, helping victims with the latest malware infections plus testing and reviewing software and the newest tech developments. Having graduated Marketing as well, Ventsislav also has passion for learning new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management, Network Administration and Computer Administration of System Applications, he found his true calling within the cybersecrurity industry and is a strong believer in the education of every user towards online safety and security.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share