LETO ransomware virus seeks to take your files hostage for a ransom
Contents
LETO ransomware is the latest version of the STOP/DJVU virus (v0172). This crypto-malware variant seeks to infect computers or networks and encrypt all files using AES+RSA cryptography methods. During the encryption, ransomware marks files with .leto file extension and creates a ransom note called _readme.txt in every folder containing corrupted data. Cyber attackers demand a $490-$980 ransom in Bitcoins and suggest contacting them via [email protected] or [email protected].
Once installed, LETO virus executes series of commands via command prompt. This way, it disables the firewall, deletes Volume Shadow Copies and disables important Windows services for a smooth virus operation. It also installs Azorult-password-stealing Trojan on the infected machine. Then it starts encoding files to make them inaccessible for the victim.
At this point, you need to know that LETO ransomware virus can use either online or offline key to encrypt your data. If it uses the offline key, it inserts a personal ID ending with t1 in the ransom note (_readme.txt file). This means that you have chances to decrypt some of your files, so be patient until the experts create a Leto decryption tool. If your files were encrypted with the online key, your personal ID won’t end with t1, and at this moment there are no ways to decrypt your data.
The ransom note contains a threatening message
The ransom note created by the virus describes that important documents, databases, photos and other files were encrypted. The attackers have a private key which is required to decrypt .leto file extension files. However, the cyber attackers want the victim to pay for it, or, in other words, they try to extort the victim for a ransom by keeping one’s files hostage.
The attackers demand a hefty sum of money, which depends on how fast the victim reaches out to the criminals via provided emails. In case the victim pays up within 72 hours, the ransom price is $490 (50% discount). Otherwise, the price is $980. The ransom must be paid in Bitcoin for the sake of the attackers’ anonymity.
Full contents of the ransom note:
ATTENTION!
Don’t worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
[removed link]
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.To get this software you need write on our e-mail:
[email protected]
Reserve e-mail address to contact us:
[email protected]Your personal ID:
Ransomware developers’ message in the _readme.txt note
9e65hTlGeRsMht5pwDk4Ylm4RWx1y69zcacA5hSp3l60BnYmjql
282nhdu3n2sAJD7SH8JmYm298Wxkd34d3Bcf45Sp3l8f6nntjt1
This ransomware variant is essentially the same as previously released RECO, BORA, NOOS, BOOT OR KUUB variants. Based on the extension that it adds to encrypted files, this STOP/DJVU ransomware variant was called Leto file virus.
Keep in mind that it is not advisable to pay the cybercriminals – they seek to convince you to transfer money to them, but that doesn’t necessarily mean you will get the decryption software. Remember that cybercriminals are scammers, and they don’t really care about your welfare. Therefore, if you have been attacked by this virus, think about the data backups you have and remove Leto ransomware using a strong antivirus solution.
After removing the virus using the instructions provided at the end of this article, change all your passwords, especially those saved in your browser to prevent private data or financial loss due to Azorult Trojan activity.
Threat Summary
| Name | LETO ransomware virus |
| Type | Ransomware; Crypto-malware; File Locker |
| Encryption method | AES+RSA |
| Ransom note | _readme.txt |
| Ransom demand | $490-$980 |
| Decryption methods | Not possible |
| Distribution | Fake software updates, malicious emails, illegal software activators |
| Removal | Can be removed with antivirus or by reinstalling Windows |
Ransomware attack methods
To prevent future ransomware attacks, victims need to learn what methods malware developers use to spread ransomware. First of all, ransomware viruses typically need very little user interaction in order to execute.
Once run, it can bypass certain security solutions, so one of the main ransomware prevention methods is to AVOID clicking on something that contains malware. Leto (Stop/DJVU) malware developers are known to include the malicious executable in:
- Pirated software;
- Windows and Office activators (KMSPico and others);
- Adware bundles;
- Software cracks;
- Emails containing malicious attachments or links.
No matter how attentive you are while browsing online, develop a habit of creating regular data backups as it is normally the ONLY way to recover your files after a ransomware attack.
Best methods to remove LETO ransomware virus
The best way to remove LETO ransomware virus is to start your computer in a safe environment and eliminate existing threats with up-to-date antivirus software. You can use the antivirus you have or choose from free or paid options. Keep in mind that most security programs remove viruses for free, but if you want real-time protection, you need to get the antivirus subscription.
After LETO virus removal, concentrate on data recovery. If you didn’t have any backups, try to restore as many files as possible from sources such as Facebook messages, emails, USBs, Google Drive, and others. Finally, as mentioned earlier, if your personal ID starts with t1, you have a chance to recover some files in the future.
At the moment, there are no ways to decrypt files no matter if your files were encrypted with online or offline key. Please be patient and wait. In the meantime, backup encoded data. It is unknown how long it might take to extract the offline key for data recovery due to the complexity of the ransomware.
LETO ransomware Removal Guidelines
Method 1. Enter Safe Mode with Networking
Step 1. Start Windows in Safe Mode with Networking
Before you try to remove the virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in Safe Mode with Networking, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, see a video tutorial on how to start Windows in Safe Mode:
Instructions for Windows XP/Vista/7 users
- First of all, turn off your PC. Then press the Power button to start it again and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. This launches the Advanced Boot Options menu.
- Use arrow keys on the keyboard to navigate down to Safe Mode with Networking option and press Enter.
Instructions for Windows 8/8.1/10 users
- Open Windows Start menu, then press down the Power button. On your keyboard, press down and hold the Shift key, and then select Restart option.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Networking. In this case, it is the F5 key.
Step 2. Remove files associated with the virus
Now, you can search for and remove LETO ransomware files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable antivirus program. Update and use the security program you already have or choose a new one. If you wish, you can check the security software reviews on our site.
Method 2. Use System Restore
In order to use System Restore, you must have a system restore point, created either manually or automatically.
Step 1. Boot Windows in Safe Mode with Command Prompt
Instructions for Windows XP/Vista/7 users
- Shut down your PC. Start it again by pressing the Power button and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. You will see Advanced Boot Options menu.
- Using arrow keys on the keyboard, navigate down to Safe Mode with Command Prompt option and press Enter.
Instructions for Windows 8/8.1/10 users
- Launch Windows Start menu, then click the Power button. On your keyboard, press down and hold the Shift key, and then choose Restart option with the mouse cursor.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Command Prompt. In this case, press F6 key.
Step 2. Start System Restore process
- Wait until system loads and command prompt shows up.
- Type cd restore and press Enter, then type rstrui.exe and press Enter. Or you can just type %systemroot%\system32\restore\rstrui.exe in command prompt and hit Enter.
- This launches System Restore window. Click Next and then choose a System Restore point created in the past. Choose one that was created before ransomware infection.
- Click Yes to begin the system restoration process.
After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.
Leave a Reply