Promorad2 ransomware is a decryptable variant of STOP virus that mainly targets Brazilian users

Promorad2 ransomware is a file locking malware that was first spotted in early March 2019 attacking mainly Brazilian users. This variant of STOP/Djvu ransomware is almost identical to its predecessor – .promorad file virus, which also uses AES encryption algorithm to lock up files and drops a ransom note _readme.txt to inform users about the infection and what should they do next. Allegedly, Promorad2 virus authors ask for $980 in Bitcoin for the file decryptor and also tell users to contact them via blower@india.com or blower@firemail.cc. However, this version of the file locker is decryptable so that victims can retrieve their data for free. Unfortunately, Promorad2 is known to distribute AZORult simultaneously,[1] so users who got infected are required to take extra steps in order to ensure the security of their personal information.
| SUMMARY | |
| Name | Promorad2 |
| Type | Ransomware |
| Family | STOP/Djvu |
| Infection means | Most likely cracked software installers, but can also spread via spam emails, fake updates, brute-force attacks, etc. |
| File extension | .promorad2 |
| Ransom note | _readme.txt |
| Contact | blower@india.com or blower@firemail.cc |
| Ransom size | $980 or $490 in BTC |
| Secondary payload | AZORult malware |
| Decryptable? | Yes, download decryptor [direct link] developed by Michael Gillespie |
| Virus removal | Use FortectIntego, SpyHunterCombo Cleaner, or other reputable security software |
Promorad2 ransomware is most likely using a variety of infection methods, including unprotected RDP connection, spam emails, exploits, fake updates, etc. However, users reported that they find their computer infected after downloading cracked or repacked software from torrent or similar file-sharing websites.[2]
As soon as Promorad2 virus is injected, it focuses on documents, pictures, videos, music, databases, spreadsheets, and other most commonly used files. After completing the scan, malware modifies each of the files by appending .promorad2 file extension, so that a picture.jpg is turned into picture.jpg.promorad2. From that point, users' access to all personal data on the device is restricted.
Promorad2 ransomware then produces a ransom note which states:
ATTENTION!
Don’t worry my friend, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-hK4tAv2Ed9
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” folder if you don’t get answer more than 6 hours.To get this software you need write on our e-mail:
blower@india.comReserve e-mail address to contact us:
blower@firemail.ccYour personal ID:
While hackers offer free test decryption and a 50% discount, you should not pay the ransom and never contact them. First of all, there is a high chance to decrypt files for free with the tool created by security experts. If that is not successful, you can also use third-party tools to recover your data. But first, you have to take care of Promorad2 ransomware removal.
To remove Promorad2 ransomware, you should employ reputable security software that can detect[3] the threat, such as FortectIntego or SpyHunterCombo Cleaner. In some cases, however, you might have to enter Safe Mode with Networking for that, as malware might interfere with the operation of the antivirus program.

Do not download pirated software or its cracks
Ransomware is often distributed via third-party websites that host repacked or cracked installers. Do not forget that downloading pirated software is illegal, and might result in hefty fines. Additionally, such domains often host malware that is disguised as one of the illegal applications. Therefore, the best would be staying away from such sites altogether.
Nevertheless, if you are still willing to risk it, we highly advise you scan every executable you download from file sharing sites with tools like Virus Total or reputable security software. The same goes for seemingly legitimate files or hyperlinks inside suspicious emails.
Finally, it is also very important to keep your operating system and installed applications updated with the newest security patches, as software vulnerabilities might allow bad actors to abuse exploit kits to inject malware without user interaction.
Another great solution is keeping backups for all your personal files. This will make the recovery procedure after the infection a much easier process, and you will also avoid losing your data permanently or paying ransom to cybercrooks.
Remove Promorad2 virus from your computer and avoid other cyber infections
As we already mentioned, Promorad2 virus is simultaneously distributed with AZORult data stealer. Therefore, if you noticed your files locked, you need to use a powerful security tool to terminate both threats. However, be aware that the functionality of malware might prevent Promorad2 ransomware removal. In such a case, enter Safe Mode with Networking as explained below and perform the procedure from there.
Once you remove Promorad2 ransomware, along with any secondary payloads that it might have implemented, you can then start a recovery procedure. You should firstly download decryptor developed by security experts and try it. If that does not work, make use of third-party applications, although this recovery method will rarely work to retrieve all your data.
Finally, due to the secondary payload, we recommend you change all your passwords and enable two-factor authentication on all your accounts (banking, social networks, communication programs, etc.). Additionally, you might want to check your banking history in case some illegal transactions were processed due to an information leak.
Was this guide helpful?
Be the first to comment