LETO ransomware virus seeks to take your files hostage for a ransom
Contents
LETO ransomware is the latest version of the STOP/DJVU virus (v0172). This crypto-malware variant seeks to infect computers or networks and encrypt all files using AES+RSA cryptography methods. During the encryption, ransomware marks files with .leto file extension and creates a ransom note called _readme.txt in every folder containing corrupted data. Cyber attackers demand a $490-$980 ransom in Bitcoins and suggest contacting them via gorentos@bitmessage.ch or amundas@firemail.cc.
Once installed, LETO virus executes series of commands via command prompt. This way, it disables the firewall, deletes Volume Shadow Copies and disables important Windows services for a smooth virus operation. It also installs Azorult-password-stealing Trojan on the infected machine. Then it starts encoding files to make them inaccessible for the victim.
At this point, you need to know that LETO ransomware virus can use either online or offline key to encrypt your data. If it uses the offline key, it inserts a personal ID ending with t1 in the ransom note (_readme.txt file). This means that you have chances to decrypt some of your files, so be patient until the experts create a Leto decryption tool. If your files were encrypted with the online key, your personal ID won’t end with t1, and at this moment there are no ways to decrypt your data.
The ransom note contains a threatening message
The ransom note created by the virus describes that important documents, databases, photos and other files were encrypted. The attackers have a private key which is required to decrypt .leto file extension files. However, the cyber attackers want the victim to pay for it, or, in other words, they try to extort the victim for a ransom by keeping one’s files hostage.
The attackers demand a hefty sum of money, which depends on how fast the victim reaches out to the criminals via provided emails. In case the victim pays up within 72 hours, the ransom price is $490 (50% discount). Otherwise, the price is $980. The ransom must be paid in Bitcoin for the sake of the attackers’ anonymity.
Full contents of the ransom note:
ATTENTION!
Don’t worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
[removed link]
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.To get this software you need write on our e-mail:
gorentos@bitmessage.ch
Reserve e-mail address to contact us:
amundas@firemail.ccYour personal ID:
Ransomware developers’ message in the _readme.txt note
9e65hTlGeRsMht5pwDk4Ylm4RWx1y69zcacA5hSp3l60BnYmjql
282nhdu3n2sAJD7SH8JmYm298Wxkd34d3Bcf45Sp3l8f6nntjt1
This ransomware variant is essentially the same as previously released RECO, BORA, NOOS, BOOT OR KUUB variants. Based on the extension that it adds to encrypted files, this STOP/DJVU ransomware variant was called Leto file virus.
Keep in mind that it is not advisable to pay the cybercriminals – they seek to convince you to transfer money to them, but that doesn’t necessarily mean you will get the decryption software. Remember that cybercriminals are scammers, and they don’t really care about your welfare. Therefore, if you have been attacked by this virus, think about the data backups you have and remove Leto ransomware using a strong antivirus solution.
After removing the virus using the instructions provided at the end of this article, change all your passwords, especially those saved in your browser to prevent private data or financial loss due to Azorult Trojan activity.
Threat Summary
| Name | LETO ransomware virus |
| Type | Ransomware; Crypto-malware; File Locker |
| Encryption method | AES+RSA |
| Ransom note | _readme.txt |
| Ransom demand | $490-$980 |
| Decryption methods | Not possible |
| Distribution | Fake software updates, malicious emails, illegal software activators |
| Removal | Can be removed with antivirus or by reinstalling Windows |
Ransomware attack methods
To prevent future ransomware attacks, victims need to learn what methods malware developers use to spread ransomware. First of all, ransomware viruses typically need very little user interaction in order to execute.
Once run, it can bypass certain security solutions, so one of the main ransomware prevention methods is to AVOID clicking on something that contains malware. Leto (Stop/DJVU) malware developers are known to include the malicious executable in:
- Pirated software;
- Windows and Office activators (KMSPico and others);
- Adware bundles;
- Software cracks;
- Emails containing malicious attachments or links.
No matter how attentive you are while browsing online, develop a habit of creating regular data backups as it is normally the ONLY way to recover your files after a ransomware attack.
Best methods to remove LETO ransomware virus
The best way to remove LETO ransomware virus is to start your computer in a safe environment and eliminate existing threats with up-to-date antivirus software. You can use the antivirus you have or choose from free or paid options. Keep in mind that most security programs remove viruses for free, but if you want real-time protection, you need to get the antivirus subscription.
After LETO virus removal, concentrate on data recovery. If you didn’t have any backups, try to restore as many files as possible from sources such as Facebook messages, emails, USBs, Google Drive, and others. Finally, as mentioned earlier, if your personal ID starts with t1, you have a chance to recover some files in the future.
At the moment, there are no ways to decrypt files no matter if your files were encrypted with online or offline key. Please be patient and wait. In the meantime, backup encoded data. It is unknown how long it might take to extract the offline key for data recovery due to the complexity of the ransomware.
OUR GEEKS RECOMMEND
Our team recommends removing malware using a professional antivirus software and then using the following tool to repair virus damage to Windows system files:
REPAIR VIRUS DAMAGE TO YOUR COMPUTER
RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with professional antivirus. The full version of software will fix detected issues and repair virus damage caused to your Windows OS files automatically.
RESTORO uses AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them.
Read full review here.
GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.
LETO ransomware Removal Guidelines
Method 1. Enter Safe Mode with Networking
Step 1. Start Windows in Safe Mode with Networking
Before you try to remove the virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, see a video tutorial on how to do it:
Instructions for Windows XP/Vista/7 users
- First of all, turn off your PC. Then press the Power button to start it again and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. This launches the Advanced Boot Options menu.
- Use arrow keys on the keyboard to navigate down to Safe Mode with Networking option and press Enter.
Instructions for Windows 8/8.1/10 users
- Open Windows Start menu, then press down the Power button. On your keyboard, press down and hold the Shift key, and then select Restart option.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Networking. In this case, it is the F5 key.
Step 2. Remove files associated with the virus
Now, you can search for and remove LETO ransomware files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable malware removal program. In addition, we suggest trying a combination of INTEGO antivirus (removes malware and protects your PC in real-time) and RESTORO (repairs virus damage to Windows OS files).
REPAIR VIRUS DAMAGE
Scan your system for FREE to detect security, hardware and stability issues. You can use the scan results and try to remove threats manually, or you can choose to get the full version of software to fix detected issues and repair virus damage to Windows OS system files automatically. Includes Avira spyware/malware detection & removal engine.
Method 2. Use System Restore
In order to use System Restore, you must have a system restore point, created either manually or automatically.
Step 1. Boot Windows in Safe Mode with Command Prompt
Instructions for Windows XP/Vista/7 users
- Shut down your PC. Start it again by pressing the Power button and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. You will see Advanced Boot Options menu.
- Using arrow keys on the keyboard, navigate down to Safe Mode with Command Prompt option and press Enter.
Instructions for Windows 8/8.1/10 users
- Launch Windows Start menu, then click the Power button. On your keyboard, press down and hold the Shift key, and then choose Restart option with the mouse cursor.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Command Prompt. In this case, press F6 key.
Step 2. Start System Restore process
- Wait until system loads and command prompt shows up.
- Type cd restore and press Enter, then type rstrui.exe and press Enter. Or you can just type %systemroot%system32restorerstrui.exe in command prompt and hit Enter.
- This launches System Restore window. Click Next and then choose a System Restore point created in the past. Choose one that was created before ransomware infection.
- Click Yes to begin the system restoration process.
After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Alternative software recommendations
Malwarebytes Anti-Malware
Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense
If you're looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.
Leave a Reply