nryds 0 Report post Posted October 27, 2019 Hello, my computer was attacked by LETO ransomware a few days ago. I clicked a link from my e-mail (I thought it was from FedEx!) and suddenly my AVG detected a bunch of Trojan files entered the computer system. There was a fake Windows-update popped up (I ended it from the task manager before it reached 100%) and my computer also became disconnected from the available internet connection. AVG and Windows defender could detect the malicious threats, but they could not delete nor move those to quarantine. I checked all my files and they are all encrypted with .leto extension after that. I did data backup then reinstall the Windows and scanned my PC with AVG, Spyhunter, and Kaspersky. The PC was then declared clean by those three programs. My questions are: 1. By reinstalling Windows, does that mean I also remove and get rid of the virus/malware completely? 2. How do I decrypt the now-encrypted .leto files? I've read a bunch of articles from the internet and tried your DJVU Decryptor, but it was unable to decrypt the files with this error note >> Error: List that this enumerator is bound to has been modified. An enumerator can only be used if the list does not change. Error: Unable to decrypt file with ID: dR3CqxAcqVUrEckQXmOIcWGPygjWWxy6QFI5Ole6 Please help. I truly appreciate what you guys do here on Emsisoft. Thank you. Quote Share this post Link to post Share on other sites
Amigo-A 67 Report post Posted October 28, 2019 Quote .leto extension This is one of the new variants of STOP Ransomware. Try this tool, if the files are encrypted with an offline key, then there is a chance to decrypt some files. https://www.emsisoft.com/ransomware-decryption-tools/free-download https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu Files encrypted with online keys (when the PC was connected to the Internet) will not be decrypted. Quote Share this post Link to post Share on other sites
nryds 0 Report post Posted October 28, 2019 Thanks @Amigo-A for your kind response. I have tried to use the same decryptor you linked to and the result was: Error: Unable to decrypt file with ID: dR3CqxAcqVUrEckQXmOIcWGPygjWWxy6QFI5Ole6 Does it mean that my files are encrypted with online keys so I have no chance to get my files back? Should I hang to these encrypted files, waiting until someone invented the tools that can decrypt my files? Or should I just start saving to pay the ransom? I certainly don't want to pay these criminals, but I also want to get all my files (or at least some of them) back. Please suggest what else needs to be done. Quote Share this post Link to post Share on other sites
Amigo-A 67 Report post Posted October 28, 2019 Definitely, we do not recommend paying a ransom... But if encryption was done using online keys, then there is no chance to decrypt files in the next millions of years without a private key. I can not say about the ID. This can only be said by the developer of the decryptor. Quote Share this post Link to post Share on other sites
GT500 672 Report post Posted October 29, 2019 21 hours ago, nryds said: Does it mean that my files are encrypted with online keys so I have no chance to get my files back? That's almost certainly the case. The vast majority of STOP/Djvu offline ID's end in t1 and I would believe that all new offline ID's are still following this pattern. Since your ID doesn't end in t1, that's a good indication that it's an online ID. Quote Share this post Link to post Share on other sites
Maria1 0 Report post Posted January 13 Hi, I have the same problem, most likely I have an online ID, since I got leto the same way as N. I have the same question, do I prepare to pay the criminals loosing my family, grandchildren’s photos for ever? Quote Share this post Link to post Share on other sites
GT500 672 Report post Posted January 14 7 hours ago, Maria1 said: I have the same question, do I prepare to pay the criminals loosing my family, grandchildren’s photos for ever? There aren't a lot of options right now for those with online ID's. You can make a backup of your encrypted files and hope that the private keys will be released and we can add them to our database, you can have a third-party (such as Coveware) try to negotiate a lower ransom price for you, or you can try to pay the ransom yourself. Regardless of what you choose to do, we recommend reporting ransomware infections to law enforcement so that they can properly prioritize them:https://www.nomoreransom.org/en/report-a-crime.html 1 Quote Share this post Link to post Share on other sites
Maria1 0 Report post Posted January 14 In case I have a new win10 installed, the system would not behave as an off line case? Momentarily, my data holders incl. otside winchester, cannot be handled, since it was annected by USB. When I get back all my data, will send a file. May be it can be solved Quote Share this post Link to post Share on other sites
GT500 672 Report post Posted January 15 18 hours ago, Maria1 said: In case I have a new win10 installed, the system would not behave as an off line case? Offline means the ransomware couldn't connect to its command and control servers when it encrypted your files. It doesn't have anything to do with the version of Windows that's installed. Quote Share this post Link to post Share on other sites
