Jump to content

Help, important files are encrypted by LETO

nryds

By nryds,
in Help, my files are encrypted!

 Share Followers 1

Recommended Posts

nryds

nryds 0

Posted
Posted

Hello, my computer was attacked by LETO ransomware a few days ago. I clicked a link from my e-mail (I thought it was from FedEx!) and suddenly my AVG detected a bunch of Trojan files entered the computer system. There was a fake Windows-update popped up (I ended it from the task manager before it reached 100%) and my computer also became disconnected from the available internet connection. AVG and Windows defender could detect the malicious threats, but they could not delete nor move those to quarantine. I checked all my files and they are all encrypted with .leto extension after that.

I did data backup then reinstall the Windows and scanned my PC with AVG, Spyhunter, and Kaspersky. The PC was then declared clean by those three programs. My questions are:

1. By reinstalling Windows, does that mean I also remove and get rid of the virus/malware completely?

2. How do I decrypt the now-encrypted .leto files? I've read a bunch of articles from the internet and tried your DJVU Decryptor, but it was unable to decrypt the files with this error note >>

Error: List that this enumerator is bound to has been modified. An enumerator can only be used if the list does not change.

Error: Unable to decrypt file with ID: dR3CqxAcqVUrEckQXmOIcWGPygjWWxy6QFI5Ole6

Please help. I truly appreciate what you guys do here on Emsisoft. Thank you.

Link to post
Share on other sites
Amigo-A

Amigo-A 136

Posted
Posted
Quote

.leto extension

This is one of the new variants of STOP Ransomware

Try this tool,  if the files are encrypted with an offline key, then there is a chance to decrypt some files.

https://www.emsisoft.com/ransomware-decryption-tools/free-download 
 https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

Files encrypted with online keys (when the PC was connected to the Internet) will not be decrypted. 

Link to post
Share on other sites
nryds

nryds 0

Posted
  • Author
Posted

Thanks @Amigo-A for your kind response. I have tried to use the same decryptor you linked to and the result was:

Error: Unable to decrypt file with ID: dR3CqxAcqVUrEckQXmOIcWGPygjWWxy6QFI5Ole6

Does it mean that my files are encrypted with online keys so I have no chance to get my files back?

Should I hang to these encrypted files, waiting until someone invented the tools that can decrypt my files? Or should I just start saving to pay the ransom? I certainly don't want to pay these criminals, but I also want to get all my files (or at least some of them) back. Please suggest what else needs to be done.  

Link to post
Share on other sites
Amigo-A

Amigo-A 136

Posted
Posted

Definitely, we do not recommend paying a ransom...
But if encryption was done using online keys, then there is no chance to decrypt files in the next millions of years without a private key.

I can not say about the ID. This can only be said by the developer of the decryptor.

Link to post
Share on other sites
GT500

GT500 853

Posted
Posted
21 hours ago, nryds said:

Does it mean that my files are encrypted with online keys so I have no chance to get my files back?

That's almost certainly the case. The vast majority of STOP/Djvu offline ID's end in t1 and I would believe that all new offline ID's are still following this pattern. Since your ID doesn't end in t1, that's a good indication that it's an online ID.

Link to post
Share on other sites
  • 2 months later...
GT500

GT500 853

Posted
Posted
7 hours ago, Maria1 said:

I have the same question, do I prepare to pay the criminals loosing my family, grandchildren’s photos for ever?

There aren't a lot of options right now for those with online ID's. You can make a backup of your encrypted files and hope that the private keys will be released and we can add them to our database, you can have a third-party (such as Coveware) try to negotiate a lower ransom price for you, or you can try to pay the ransom yourself.

Regardless of what you choose to do, we recommend reporting ransomware infections to law enforcement so that they can properly prioritize them:
https://www.nomoreransom.org/en/report-a-crime.html

  • Confused 1
Link to post
Share on other sites
Maria1

Maria1 0

Posted
Posted

In case I have a new win10 installed, the system would not behave as an off line case? Momentarily, my data holders incl. otside winchester, cannot be handled, since it was annected by USB. When I get back all my data, will send a file. May be it can be solved

Link to post
Share on other sites
GT500

GT500 853

Posted
Posted
18 hours ago, Maria1 said:

In case I have a new win10 installed, the system would not behave as an off line case?

Offline means the ransomware couldn't connect to its command and control servers when it encrypted your files. It doesn't have anything to do with the version of Windows that's installed.

Link to post
Share on other sites
  • 3 months later...
KomutanX

KomutanX 0

Posted
Posted
On 10/27/2019 at 7:00 PM, nryds said:

Hello, my computer was attacked by LETO ransomware a few days ago. I clicked a link from my e-mail (I thought it was from FedEx!) and suddenly my AVG detected a bunch of Trojan files entered the computer system. There was a fake Windows-update popped up (I ended it from the task manager before it reached 100%) and my computer also became disconnected from the available internet connection. AVG and Windows defender could detect the malicious threats, but they could not delete nor move those to quarantine. I checked all my files and they are all encrypted with .leto extension after that.

I did data backup then reinstall the Windows and scanned my PC with AVG, Spyhunter, and Kaspersky. The PC was then declared clean by those three programs. My questions are:

1. By reinstalling Windows, does that mean I also remove and get rid of the virus/malware completely?

2. How do I decrypt the now-encrypted .leto files? I've read a bunch of articles from the internet and tried your DJVU Decryptor, but it was unable to decrypt the files with this error note >>

Error: List that this enumerator is bound to has been modified. An enumerator can only be used if the list does not change.

Error: Unable to decrypt file with ID: dR3CqxAcqVUrEckQXmOIcWGPygjWWxy6QFI5Ole6

Please help. I truly appreciate what you guys do here on Emsisoft. Thank you.

Your personal ID:
0172au5ewgSYfg72WGxDSfE5UYozZS8m53ACPw1HoVcOutOfAK10qWJV

_readme.txt

Link to post
Share on other sites
GT500

GT500 853

Posted
Posted
18 hours ago, KomutanX said:

Your personal ID:
0172au5ewgSYfg72WGxDSfE5UYozZS8m53ACPw1HoVcOutOfAK10qWJV

This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Followers 1
Go to topic listing

  • Recently Browsing   0 members

    No registered users viewing this page.

Products & Services

Ransomware/Malware Removal

Partners

Resources

Company

© 2003-2021 Emsisoft - 01/17/2021 - Legal Notice - Terms - Bug Bounty - System Status - Privacy Policy

×
×
  • Create New...