
Promock Ransomware

By GoldSparrow in Ransomware

The Promock Ransomware Trojan is part of the STOP Ransomware family, a family of ransomware first seen in 2018 that seems to be growing rapidly. The Promock Ransomware is just one of the latest variants in this expanding group of malware. The Promock Ransomware's intended targets are currently located in South America, with victims of the Promock Ransomware showing up in Ecuador and Colombia.

How the Promock Ransomware Attacks a Computer

The Promock Ransomware carries out the encryption attack typical of the STOP Ransomware family: it takes the victim's files hostage and then demands a ransom payment. The Promock Ransomware is initially installed after the victim opens a corrupted file attached to an unsolicited email message. These files generally contain corrupted scripts that download and install the Promock Ransomware onto the victim's computer. Once installed, the Promock Ransomware scans the computer for user-generated files and uses AES or another strong encryption algorithm to encrypt their contents, making them inaccessible. The Promock Ransomware marks each file it encrypts by appending the extension '.promock' or '.pomorad' to the file name. The Promock Ransomware targets user-generated files, which may include files with the following extensions:

.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr, .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .qba, .tlg, .qbx, .qby, .1pa, .qpd, .set, .iif, .nd, .rtp, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .dsf, .ds4, .drw, .prn, .pcd, .pct, .pcx, .plt, .rif, .tga, .tiff, .psp, .ttf, .wpg, .wi, .wmf, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .sct, .wk3, .wk4, .xpm, .zip, .rar.

The Promock Ransomware demands a ransom payment once the victim's files have been encrypted. To do this, the Promock Ransomware drops a text file named '_readme.txt' that asks the victim to pay a large sum of money and to contact the criminals via email. Victims of the Promock Ransomware attack are asked to pay the ransom in Bitcoin, since digital currency affords the criminals the anonymity they need to carry out these attacks. Malware researchers advise computer users against contacting the criminals or making any ransom payment. Doing so finances further attacks and will generally not result in the return of the affected files. In fact, interacting with the criminals in any way increases the chances that the victims of the Promock Ransomware will be targeted for additional infections or tactics.
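The two artifacts described above, the appended '.promock' / '.pomorad' extension and the '_readme.txt' note, are what a responder looks for when scoping an infection before restoring from backup. The following triage script is an added example written for this page, not code from the original article or any security vendor; the sample directory it builds is constructed and the file names in it are invented.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Markers the page documents for this STOP variant.
RANSOM_EXTENSIONS = {".promock", ".pomorad"}
RANSOM_NOTE_NAME = "_readme.txt"

def triage_directory(root):
    """Walk `root` and report files carrying the Promock markers.

    Returns the encrypted files (path plus the name the file had before the
    marker was appended), the ransom notes found, and a Counter of original
    extensions hit, so a responder can scope what needs restoring from backup.
    """
    encrypted, notes, by_type = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name == RANSOM_NOTE_NAME:
                notes.append(str(path))
                continue
            if path.suffix.lower() in RANSOM_EXTENSIONS:
                original = path.with_suffix("")  # strip the appended marker
                encrypted.append((str(path), original.name))
                by_type[original.suffix.lower() or "(none)"] += 1
    return {"encrypted": encrypted, "notes": notes, "by_type": by_type}

def make_sample_tree(base):
    """Create a constructed directory layout (not real victim data) for the demo."""
    base = Path(base)
    (base / "docs").mkdir(parents=True, exist_ok=True)
    (base / "docs" / "budget.xlsx.promock").write_bytes(b"\x00" * 16)
    (base / "docs" / "notes.txt.pomorad").write_bytes(b"\x00" * 16)
    (base / "docs" / "untouched.pdf").write_bytes(b"%PDF-1.4")
    (base / "docs" / RANSOM_NOTE_NAME).write_text("constructed ransom note")
    (base / "photo.JPG.PROMOCK").write_bytes(b"\x00" * 16)  # marker case varies
    return base

def run_demo():
    """Build the constructed tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_directory(make_sample_tree(tmp))

if __name__ == "__main__":
    report = run_demo()
    print(f"{len(report['encrypted'])} encrypted files, {len(report['notes'])} ransom notes")
    for ext, count in report["by_type"].most_common():
        print(f"  {ext}: {count}")
```

The original file name recovered by stripping the marker is what you match against the backup catalogue; the per-extension counts show which data classes were hit.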

Recovering from a Promock Ransomware Attack

Malware researchers advise computer users to remove the Promock Ransomware with a fully up-to-date security program. Once the Promock Ransomware has been removed, the files it encrypted can be restored from backup copies. Keeping file backups is the best way to stay protected from threats like the Promock Ransomware, since it removes the criminals' leverage to demand ransom payments and profit from these attacks.
