.promorad2 Files Virus (STOP) - How to Remove It

.promorad2 Files Virus (STOP) – How to Remove It

This post is made to help you understand what are .promorad2 file ransomware and show you ways via which you can try to remove it from your computer.

An updated variant of the .promorad file extension ransomware has been released, carrying the .promorad2 file extension. The ransomware aims to encrypt the files on the computers that have been infected by it and then adds the .promorad2 file suffix to them. After encryption, files can no longer be used and victims are asked to pay ransom to the cyber-criminals in order to get their files to work once again. If your computer was recently infected by .promorad2 file extension ransomware, we strongly suggest that you read this article as it contains more information on the virus and shows you how to remove it and try to get your files back.

Threat Summary

Name.promorad2 Ransomware
TypeRansomware, Cryptovirus
Short DescriptionIt’s main goal is to encrypt the files on the compromised computers by it and then ask victims to pay ransom in order to retrieve them.
SymptomsFiles are encrypted and have the .promorad2 file extension added. A ransom note file is dropped, called _readme.txt and it demands victims to pay hefty ransom to get the files to work again.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by .promorad2 Ransomware


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .promorad2 Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.promorad2 Files Virus – Update 2019

There has been some development regarding the .promorad2 threat. The virus has been officially declared to be a part of the STOP/DJVU’s latest family of viruses. So far, this family of viruses has been detected to spread each variant at an even higher infection rate, suggesting that the cyber-criminals behind STOP ransomware are improving the way they operate. So far, the following variants, concerning STOP ransomware have been detected:

Researchers have broken the old variants of STOP/DJVU and they are now decryptable. However, the newer versions of the virus still return no decryption keys to be added.

The virus variants of .promorad2 ransomware virus are still active and researchers believe that this virus is purchased on the dark net markets and is allegedly a RaaS (ransomware as a service). The main idea behind this strategy is for the actual developers of STOP Ransomware. We will keep monitoring STOP ransomware and further update if a decryptor is released, but for now it is stronlgy reccomended not to pay any ransom to the cyber-criminals and to make a backup image of Windows or back your files up via other means to wait for a decryptor to be released.

.promorad2 Files Virus – Distribution

The infection with the .promorad2 file ransomware could be conducted in several different ways. One of them is to spread the infection file by sending out e-mails that contain the malicious files and objects disguised as legitimate type of files. These files often resemble the following documents:

  • Reports for closed accounts.
  • Banking documents.
  • Invoices for a purchase.
  • Receipt for a purchase.
  • Notification letters for a refund.
  • Documents for cancelled order.

Besides via e-mail, the ransomware may also be spread by having the malicious files uploaded on suspicious sites. There, the files may look as if they are what the user is seeking to download, for example:

  • Fake setups of programs.
  • Fake versions of portable software..
  • Patches.
  • Cracks.
  • Updates.
  • Key generators.

.promorad2 Ransomware – Activity Report

The .promorad2 ransomware virus is the type of infection, which drops its payload on your computer once it infects it. The payload may be created in the following Windows directories:


Once the virus files of .promorad2 ransomware are dropped on the infected computer, this variant of STOP ransomware also drops its ransom note file, called “_readme.txt”.

The _readme.txt ransom note’s content:

———————————————- ALL YOUR FILES ARE ENCRYPTED ———————————————–

Don’t worry, you can return all your files!
All your files documents, photos, databases and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees do we give to you?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information
Don’t try to use third-party decrypt tools because it will destroy your files.
Discount 50% available if you contact us first 72 hours.
To get this software you need write on our e-mail:
Reserve e-mail address to contact us:
Your personal ID:
[redacted 43 alphanumeric chars]

The .promorad2 file ransomware is the type of virus that is one of many ransomware variants that exist out there. Other variants of the STOP ransomware family have been detected to be using the following extensions:

The .promorad2 file ransomware is involved in many malicious activities, among which may be to modify the Windows Registry Editor. To do this, the .promorad2 ransomware may add registry values in the following registry sub-keys of Windows:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

The .promorad2 files virus may also delete the shadow copies on the computers that have been infected by it, preferably by executing several commands as an administrator in Windows Command Prompt:

→ sc stop VVS
sc stop wscsvc
sc stop WinDefend
sc stop wuauserv
sc stop BITS
sc stop ERSvc
sc stop WerSvc
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\System32\cmd.exe” /C vssadmin.exe Delete Shadows /All /Quiet

.promorad2 Ransomware – Encryption

The .promorad2 files virus aims to encrypt files on the machines infected by it, with the main goal to target only files that are used very often. Such files are:

  • Documents.
  • Videos.
  • Images.
  • Archives.
  • Virtual Drive files.
  • Audio files.
  • Other files, belonging to often-used programs.

The encryption process of .promorad2 file ransomware is used to replace blocks of data from the original files with data from the encryption cipher used by the virus, which is usually one of the following encryption algorithms:

  • AES.
  • RSA.
  • ECB.
  • Salsa20.

Once the .promorad2 file ransomware encrypts the files on the computers that have been infected by it, the virus may also lock them down, using a so-called CBC-mode, also known as Cipher-Block-Chaining. This mode effectively makes sure that the virus files of .promorad2 ransomware are encrypted beyond saving and are linked to one another so that if the victim tries to manually change the extension or decrypt them, the chain may break and the files will be lost forever.

The files, encrypted by .promorad2 file ransomware are usually encrypted with the .promorad2 file extension appended to them, making them appear like the following:

Remove .promorad2 Files Virus and Try Restoring Data

To make sure that .promorad2 file ransomware is fully erased, we recommend you to do a fresh backup of your files beforehand.

Then, to remove .prmorad2 ransomware, we strongly suggest that you follow the removal steps down below. They have been made to help you delete this variant of STOP ransomware either by yourself or automatically, which can also save you some time. If manual removal (first two steps), does not seem to help you out, we do recommend what most cyber-sec experts would advise – to use an advanced anti-malware software. Such program aims to scan your computer for any malicious files and folders and then automatically take care of the threat for you, plus protect your computer against future threats as well.

If you want to try and get your files back, we do recommend that you give the alternative file recovery methods underneath a try. They may not come with a 100% guarantee to work, but with their aid, you might be able to restore at least some of your encrypted files.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

1 Comment

  1. Avatarronald revilla

    como puede haber gente tan malintencionada… tengo la informacion de casi 2años de trabajo alli y ahora estan cifrados por este virus… no se que hacer


Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share