PROM Ransomware

The PROM Ransomware is a file-locking Trojan that blocks the user's files by encrypting them and processes ransoms for their recovery through a TOR website. Users can recognize infections easily by the extensions that the Trojan places on the files' names. Most anti-malware products should contain or delete the PROM Ransomware, although they don't replace backups for recovering any files.

A Software Prometheus Bringing Fire that Burns Files

In Greek folklore, the image of Prometheus granting fire to humanity is a tragic boon, and a Trojan is now ironically recycling it for more threatening purposes. The PROM Ransomware takes Windows users' files hostage by encrypting them, much like Hidden Tear or the many spin-offs of Ransomware-as-a-Service families. The threat actors are investing some resources into the campaign's Web development, and malware experts also note some more challenging features in the PROM Ransomware's payload.

The PROM Ransomware is a .NET Framework Trojan that locks files with an encryption routine whose algorithm combination is unknown. In doing so, it may prevent pictures, documents, and other vulnerable formats from opening, and it appends its extension (consisting of its name followed by a bracketed e-mail address) to mark them visually. Before doing so, though, it carries out an additional background attack.

The PROM Ransomware terminates software related to backup protection and security solutions, such as the popular McAfee suite and even Raccine (a freeware 'Ransomware Vaccine'). The latter is relatively rare among file-locker Trojans, although malware experts can point out the same behavior in the Milleni5000 Ransomware. However, this shared characteristic isn't enough to determine whether there's any genealogical relationship between the two Trojans.

Besides the sabotaged files, users can notice infections through the PROM Ransomware's ransom notes: two identical messages, one a TXT file and one an HTA pop-up. The attackers promote an anonymous TOR website for all data recovery deals and offer a third-party, temporary file-upload site for a demonstration. Users receiving any files from attackers should remember that the download may not be the file the threat actor claims it is.

Putting Greek Myths Back in the Past

The PROM Ransomware hides its executable file by imitating Svchost, a normal component of Windows. However, this disguise probably has little bearing on how it is installed, whether through scams or other exploits. Users should check their passwords for weaknesses, update software with all available security patches, and avoid downloads that might harm their computers. The latter can include e-mail attachments, especially ones with macros or advanced content, and piracy-related files such as game cracks.
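The two behaviors described above, the Svchost disguise and the termination of backup and security tools such as Raccine, are both visible in process-creation telemetry. The following is an added example (not code from the article or from any product it mentions) that runs two simple checks over constructed sample events: it flags any process named svchost.exe running outside the Windows system directories, and any taskkill command aimed at a protected tool. The image name Raccine.exe and the sample paths are assumptions, not values from the article.

```python
import re
from pathlib import PureWindowsPath

# Legitimate locations of the real Windows Service Host binary.
LEGIT_SVCHOST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\syswow64\svchost.exe",
}

# Image names of backup/security tools a file-locker may try to stop.
# Raccine.exe is the assumed image name of the Raccine 'Ransomware Vaccine'.
PROTECTED_TOOLS = {"raccine.exe"}

# Matches "taskkill ... /IM <image>" regardless of case and option order.
KILL_RE = re.compile(r"taskkill\b.*?/im\s+(?P<image>\S+)", re.IGNORECASE)


def svchost_masquerade(image_path):
    """True if a process named svchost.exe runs from an unexpected path."""
    p = PureWindowsPath(image_path)
    if p.name.lower() != "svchost.exe":
        return False
    return str(p).lower() not in LEGIT_SVCHOST


def kills_protected_tool(command_line):
    """Return the targeted image name if the command stops a protected tool, else None."""
    m = KILL_RE.search(command_line)
    if m and m.group("image").lower() in PROTECTED_TOOLS:
        return m.group("image")
    return None


def triage(events):
    """Return a list of (pid, reason) for every event that trips one of the checks."""
    findings = []
    for ev in events:
        if svchost_masquerade(ev["image"]):
            findings.append((ev["pid"], "svchost.exe outside system directories: " + ev["image"]))
        target = kills_protected_tool(ev["cmdline"])
        if target:
            findings.append((ev["pid"], "termination of protected tool " + target))
    return findings


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 812, "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"pid": 4120, "image": r"C:\Users\alice\AppData\Roaming\svchost.exe", "cmdline": "svchost.exe"},
    {"pid": 4133, "image": r"C:\Windows\System32\taskkill.exe", "cmdline": "taskkill /F /IM Raccine.exe"},
]

if __name__ == "__main__":
    for pid, reason in triage(SAMPLE_EVENTS):
        print(pid, reason)
```

Only the second and third sample events are flagged; the genuine service host in System32 passes.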

Users also should keep backups of their files in other locations. Without a non-local backup, any PC's data is at risk from file-locker Trojans, which tend to delete what they don't encrypt. The comprehensiveness of the PROM Ransomware's anti-security features also implies that the attackers won't overlook 'obvious' recovery solutions like the Restore Points.

Windows users also should have reputable security products for blocking threats like the PROM Ransomware during the infection stages. If an attack occurs, users should consider restarting in Safe Mode and running their anti-malware scanner of choice for finding and removing the PROM Ransomware.

The PROM Ransomware is a powerful blast of heat that may take some Windows users unawares. Backing up files isn't for the paranoid, but only for those who want to avoid getting burned by all-too-common Trojans.
