nryds 0 Report post Posted October 27 Hello, my computer was attacked by LETO ransomware a few days ago. I clicked a link from my e-mail (I thought it was from FedEx!) and suddenly my AVG detected a bunch of Trojan files entered the computer system. There was a fake Windows-update popped up (I ended it from the task manager before it reached 100%) and my computer also became disconnected from the available internet connection. AVG and Windows defender could detect the malicious threats, but they could not delete nor move those to quarantine. I checked all my files and they are all encrypted with .leto extension after that. I did data backup then reinstall the Windows and scanned my PC with AVG, Spyhunter, and Kaspersky. The PC was then declared clean by those three programs. My questions are: 1. By reinstalling Windows, does that mean I also remove and get rid of the virus/malware completely? 2. How do I decrypt the now-encrypted .leto files? I've read a bunch of articles from the internet and tried your DJVU Decryptor, but it was unable to decrypt the files with this error note >> Error: List that this enumerator is bound to has been modified. An enumerator can only be used if the list does not change. Error: Unable to decrypt file with ID: dR3CqxAcqVUrEckQXmOIcWGPygjWWxy6QFI5Ole6 Please help. I truly appreciate what you guys do here on Emsisoft. Thank you. Quote Share this post Link to post Share on other sites
Amigo-A 44 Report post Posted October 28 Quote .leto extension This is one of the new variants of STOP Ransomware. Try this tool, if the files are encrypted with an offline key, then there is a chance to decrypt some files. https://www.emsisoft.com/ransomware-decryption-tools/free-download https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu Files encrypted with online keys (when the PC was connected to the Internet) will not be decrypted. Quote Share this post Link to post Share on other sites
nryds 0 Report post Posted October 28 Thanks @Amigo-A for your kind response. I have tried to use the same decryptor you linked to and the result was: Error: Unable to decrypt file with ID: dR3CqxAcqVUrEckQXmOIcWGPygjWWxy6QFI5Ole6 Does it mean that my files are encrypted with online keys so I have no chance to get my files back? Should I hang to these encrypted files, waiting until someone invented the tools that can decrypt my files? Or should I just start saving to pay the ransom? I certainly don't want to pay these criminals, but I also want to get all my files (or at least some of them) back. Please suggest what else needs to be done. Quote Share this post Link to post Share on other sites
Amigo-A 44 Report post Posted October 28 Definitely, we do not recommend paying a ransom... But if encryption was done using online keys, then there is no chance to decrypt files in the next millions of years without a private key. I can not say about the ID. This can only be said by the developer of the decryptor. Quote Share this post Link to post Share on other sites
GT500 594 Report post Posted October 29 21 hours ago, nryds said: Does it mean that my files are encrypted with online keys so I have no chance to get my files back? That's almost certainly the case. The vast majority of STOP/Djvu offline ID's end in t1 and I would believe that all new offline ID's are still following this pattern. Since your ID doesn't end in t1, that's a good indication that it's an online ID. Quote Share this post Link to post Share on other sites
