.promoz Files Virus – How to Remove It

.promoz Files Virus – How to Remove It

This article has been created with the main idea to help explain what is the .promoz file ransomware, how to remove it from your computer and how you can try and restore files, encrypted by it.

Yet another variant of the STOP/Djvu ransomware strain was detected by malware researcher Michael Gillespie (@demonslay335). The ransomware is an evolved variant of the previously detected

.promos ransomware virus and the main idea of those is that this infection encrypts your files and makes them unable to be opened, until you pay ransom in order to get them to work once more. In case your computer has been infected by the .promoz file ransomware, we recommend that you read this article thoroughly.

Threat Summary

Name.promoz File Ransomware
TypeRansomware, Cryptovirus
Short DescriptionHas the main goal of encrypting your files so that you can no longer use them and then asks you to pay ransom in order to get them to work again.
SymptomsFiles are encrypted with the added .promoz file extension. A ransom note, called _readme.txt with the e-mail blower@firemail.cc appears.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by .promoz File Ransomware


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .promoz File Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.promoz Ransomware – Distribution Tactics

The .promoz file ransomware may be distributed via multiple different ways and among those two primary types exist:

  • Infection via a malicious file.
  • Infection via malicious URL.

The infection process via malicious files can be conducted via e-mail messages that may be sent to victims, carrying the malicious attachments, similar to what the image below shows;

The e-mails may pretend to carry important types of documents such as invoices or receipts of purchases and these documents often turn out to contain malicious macros that cause the infection once you enable the content on the documents.

In addition to this, other types of files may also be used to infect victims, when they randomly browse the web to download something they are looking for. These types of files usually pretend to be:

  • Setups of programs.
  • Portable executable files of programs.
  • Cracks.
  • Patches.
  • Activation programs.
  • Key generators.

In addition to malicious files, your computer may also become a victim of .promoz ransomware as a result of malicious web links that may contain JavaScript or other type of auto-execute scripts and simply visiting the web link can comrpomise you. These types of links are many and it is very difficult to predict an infection of this type, so an anti-malware protection with web shield should be used for future prevention.

.promoz Files Virus – Activity

When an infection with the .promoz ransomware takes place on your computer, the ransomware may drop it’s virus files in the following Windows directories:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%
  • %Temp%

The behaviour is very similar to other variants of the same ransomware family as .promoz ransomware is and that is the variants of the STOP/DJVU ransomware family, linked below:

After dropping the malicious files on the computers infected by it, the .promoz ransomware may also leave its extortionist message, called _readme.txt. It has the following note:

———————————————- ALL YOUR FILES ARE ENCRYPTED ———————————————–

Don’t worry, you can return all your files!
All your files documents, photos, databases and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees do we give to you?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information
Don’t try to use third-party decrypt tools because it will destroy your files.
Discount 50% available if you contact us first 72 hours.
To get this software you need write on our e-mail:
Reserve e-mail address to contact us:
Your personal ID:
[redacted 43 alphanumeric chars]

After this version of STOP ransomware has already infected computers, it may also begin to generate mutexes and interfere with multiple different Windows system and DLL files. This is done in order for the .promoz ransomware to obtain rights as an administrator on the comrpomised computer. The virus may use those rights not only for the encryption, but to also create registry value strings with the following data in them:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

The registry entries that are dropped there may have data pointing out to auto running the malicious files of .promoz ransomware each time you start Windows, so that the virus is able to re-encrypt any newly added files.

In addition to this, the ransomware virus may also run several commands as an administrator in Windows Command prompt in /quiet mode so that you do not even notice them. They may involve disabling Windows Recovery services and they may also result in the shadow volume copies of your computer being deleted. The commands may be among the ones listed below and they may be executed simultaneously via a Batch (.bat) script file:

→ sc stop VVS
sc stop wscsvc
sc stop WinDefend
sc stop wuauserv
sc stop BITS
sc stop ERSvc
sc stop WerSvc
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\System32\cmd.exe” /C vssadmin.exe Delete Shadows /All /Quiet

.promoz Ransomware – Encryption of Files

Similar to other STOP/Djvu ransomware viruses, the .promoz variant also uses the same AES encryption method, which encrypts bytes of the targeted files and then generates a symmetric decryption key. The outcome of the encryption is that the following types of files on victimized computers can no longer be opened:

  • Documents.
  • Videos.
  • Images.
  • Archives.
  • Virtual Drive files.
  • Audio files.
  • Other files, belonging to often-used programs.

After encryption, the files are appended the .promoz file suffix and they start to look like the following:

Remove .promoz Files Virus and Try Restoring Your Data

If you want to remove the .promoz file ransomware, we would suggest that you make a backup copy of your encrypted files first, since such viruses are often very unpredictable and may contain CBC(cipher-block-chaining) mode, which may break your files if you try to change their file extension.

To remove the .promoz files virus, we would suggest that you follow the removal instructions that are underneath this article. They have been created with the main idea to assist you in removing this ransomware the way you prefer. If manual removal does not seem to have any effect, we would strongly suggest what most cyber-security experts advise – to download and un a scan of your PC, using an advanced anti-malware software. This particular tool will make sure that all of the .promoz malicious files are erased from your computer permanently and this tool will also protect your computer against any future infections too.

If you want to try and restore files, encrypted by the .promoz file ransowmare, we would also recommend that you try the alternative file recovery steps underneath. They may not come with a 100% guarantee to be able to restore all your files, but with their aid, you might be able to recover at least some encrypted files.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share