nryds

Help, important files are encrypted by LETO

Hello, my computer was attacked by LETO ransomware a few days ago. I clicked a link from my e-mail (I thought it was from FedEx!) and suddenly my AVG detected a bunch of Trojan files entering the computer system. A fake Windows update popped up (I ended it from the task manager before it reached 100%) and my computer also became disconnected from the available internet connection. AVG and Windows Defender could detect the malicious threats, but they could not delete them or move them to quarantine. I checked all my files and they are all encrypted with the .leto extension after that.

I did a data backup, then reinstalled Windows and scanned my PC with AVG, Spyhunter, and Kaspersky. The PC was then declared clean by those three programs. My questions are:

1. By reinstalling Windows, does that mean I also remove and get rid of the virus/malware completely?

2. How do I decrypt the now-encrypted .leto files? I've read a bunch of articles from the internet and tried your DJVU Decryptor, but it was unable to decrypt the files with this error note >>

Error: List that this enumerator is bound to has been modified. An enumerator can only be used if the list does not change.

Error: Unable to decrypt file with ID: dR3CqxAcqVUrEckQXmOIcWGPygjWWxy6QFI5Ole6

Please help. I truly appreciate what you guys do here on Emsisoft. Thank you.

Quote

.leto extension

This is one of the new variants of STOP Ransomware.

Try this tool. If the files are encrypted with an offline key, then there is a chance to decrypt some files.

https://www.emsisoft.com/ransomware-decryption-tools/free-download
https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

Files encrypted with online keys (when the PC was connected to the Internet) will not be decrypted.


Thanks @Amigo-A for your kind response. I have tried to use the same decryptor you linked to and the result was:

Error: Unable to decrypt file with ID: dR3CqxAcqVUrEckQXmOIcWGPygjWWxy6QFI5Ole6

Does it mean that my files are encrypted with online keys so I have no chance to get my files back?

Should I hang on to these encrypted files, waiting until someone invents the tools that can decrypt my files? Or should I just start saving to pay the ransom? I certainly don't want to pay these criminals, but I also want to get all my files (or at least some of them) back. Please suggest what else needs to be done.


Definitely, we do not recommend paying a ransom...
But if encryption was done using online keys, then there is no chance to decrypt files in the next millions of years without a private key.

I can not say about the ID. This can only be said by the developer of the decryptor.

21 hours ago, nryds said:

Does it mean that my files are encrypted with online keys so I have no chance to get my files back?

That's almost certainly the case. The vast majority of STOP/Djvu offline IDs end in t1 and I would believe that all new offline IDs are still following this pattern. Since your ID doesn't end in t1, that's a good indication that it's an online ID.


Hi, 

I have the same problem, most likely I have an online ID, since I got leto the same way as N.

I have the same question, do I prepare to pay the criminals losing my family, grandchildren’s photos forever?

7 hours ago, Maria1 said:

I have the same question, do I prepare to pay the criminals losing my family, grandchildren’s photos forever?

There aren't a lot of options right now for those with online IDs. You can make a backup of your encrypted files and hope that the private keys will be released and we can add them to our database, you can have a third party (such as Coveware) try to negotiate a lower ransom price for you, or you can try to pay the ransom yourself.

Regardless of what you choose to do, we recommend reporting ransomware infections to law enforcement so that they can properly prioritize them:
https://www.nomoreransom.org/en/report-a-crime.html


In case I have a new Win10 installed, the system would not behave as an offline case? Momentarily, my data holders, incl. the outside winchester, cannot be handled, since it was annected by USB. When I get back all my data, I will send a file. Maybe it can be solved.

18 hours ago, Maria1 said:

In case I have a new Win10 installed, the system would not behave as an offline case?

Offline means the ransomware couldn't connect to its command and control servers when it encrypted your files. It doesn't have anything to do with the version of Windows that's installed.

On 10/27/2019 at 7:00 PM, nryds said:

Hello, my computer was attacked by LETO ransomware a few days ago. I clicked a link from my e-mail (I thought it was from FedEx!) and suddenly my AVG detected a bunch of Trojan files entering the computer system. A fake Windows update popped up (I ended it from the task manager before it reached 100%) and my computer also became disconnected from the available internet connection. AVG and Windows Defender could detect the malicious threats, but they could not delete them or move them to quarantine. I checked all my files and they are all encrypted with the .leto extension after that.

I did a data backup, then reinstalled Windows and scanned my PC with AVG, Spyhunter, and Kaspersky. The PC was then declared clean by those three programs. My questions are:

1. By reinstalling Windows, does that mean I also remove and get rid of the virus/malware completely?

2. How do I decrypt the now-encrypted .leto files? I've read a bunch of articles from the internet and tried your DJVU Decryptor, but it was unable to decrypt the files with this error note >>

Error: List that this enumerator is bound to has been modified. An enumerator can only be used if the list does not change.

Error: Unable to decrypt file with ID: dR3CqxAcqVUrEckQXmOIcWGPygjWWxy6QFI5Ole6

Please help. I truly appreciate what you guys do here on Emsisoft. Thank you.

Your personal ID:
0172au5ewgSYfg72WGxDSfE5UYozZS8m53ACPw1HoVcOutOfAK10qWJV

_readme.txt

18 hours ago, KomutanX said:

Your personal ID:
0172au5ewgSYfg72WGxDSfE5UYozZS8m53ACPw1HoVcOutOfAK10qWJV

This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link:
https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
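
Added example, not part of the original thread and not Emsisoft's code: a small triage script that pulls IDs out of the two places they appear in this thread (the "Your personal ID:" line of _readme.txt and the decryptor's "Unable to decrypt file with ID:" error) and applies the "offline IDs end in t1" rule of thumb described above. The function names and the third sample ID are constructed for illustration, and the result is a heuristic only, not a decryption verdict.

```python
import re

# An ID appears in two forms on this page:
#   ransom note (_readme.txt): "Your personal ID:" with the ID on the next line
#   decryptor log: "Error: Unable to decrypt file with ID: <id>"
ID_RE = re.compile(
    r"(?:Your personal ID:|Unable to decrypt file with ID:)\s*([A-Za-z0-9]+)"
)


def extract_ids(text):
    """Return the unique IDs found in note or log text, in first-seen order."""
    seen = {}
    for match in ID_RE.finditer(text):
        seen.setdefault(match.group(1), None)
    return list(seen)


def classify(victim_id):
    """Rule of thumb from the thread: most offline IDs end in 't1'."""
    return "likely offline" if victim_id.endswith("t1") else "likely online"


def triage(text):
    """Map every ID found in the text to its heuristic classification."""
    return {victim_id: classify(victim_id) for victim_id in extract_ids(text)}


# Sample input: the first two IDs are the ones quoted in this thread; the
# third is constructed to show the offline pattern and is not a real ID.
SAMPLE = """\
Error: Unable to decrypt file with ID: dR3CqxAcqVUrEckQXmOIcWGPygjWWxy6QFI5Ole6
Your personal ID:
0172au5ewgSYfg72WGxDSfE5UYozZS8m53ACPw1HoVcOutOfAK10qWJV
Your personal ID:
0000ConstructedExampleOfflineIdForTestingOnlyt1
Error: Unable to decrypt file with ID: dR3CqxAcqVUrEckQXmOIcWGPygjWWxy6QFI5Ole6
"""

if __name__ == "__main__":
    for victim_id, verdict in triage(SAMPLE).items():
        print(f"{verdict:15} {victim_id}")
```

An ID flagged "likely offline" is only a candidate for the decryptor linked earlier in the thread; whether a key is actually available is decided by the decryptor itself.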
