My AntiSpyware

Free antispyware software, Online Scanners, Instructions on how to remove spyware and malware.

.Leto file extension. How to remove virus. Restore .leto files.

Myantispyware team, October 15, 2019

Today the security researcher Michael Gillespie reported the first victims of a new ransomware variant that encrypts the files on the victim’s computer and then renames them, appending the ‘.leto’ extension.

[Image: Ransomware with extension “.leto” (v0172) spotted on ID Ransomware]

This ransomware is a new version (v0172) of a long-known family, STOP (also called Djvu). Its previous versions were Bora, Reco, Noos and so on. As with its previous versions, there is currently no easy way to decrypt the files. But do not lose hope. In this article we describe this virus in detail: how to delete it, whether the files can be decrypted, and how they may be restored to their state before encryption.

What is Leto ransomware

Leto is the 172nd version of the ransomware, which belongs to the STOP (Djvu) family. It arrives on the computer as a file dropped by other malware or adware already installed on the victim’s machine, or as a file the user downloads accidentally or unknowingly from a malicious web site. Once launched, the ransomware creates a directory under the user’s local application data folder (%LOCALAPPDATA%, which lives inside the user profile, not in a Windows system directory) and drops a copy of itself there under a randomized file name. Leto also creates a directory named ‘SystemID’ in the root of drive C: and writes a file called ‘PersonalID.txt’ into it. This file lists the personal ID(s) that identify the key used to encrypt the files on this computer; you will need that ID later to find out whether a decryptor can help you. To start automatically every time the computer is turned on, the ransomware adds a value pointing at its copy under the following Run key of the Windows registry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Next, the ransomware contacts its command-and-control server to receive commands and to report information about the infected computer; it may then download several additional files. The ransomware does not encrypt files with the extensions .sys, .bat, .dll, .lnk or .ini, its own _readme.txt note, or files located in certain system directories, including %LOCALAPPDATA%, %APPDATA%, %WINDIR% and %ProgramFiles%. All other user files are encrypted with a strong encryption algorithm. The ransomware renames every encrypted file by appending the .leto extension to its full name, so the original extension survives in the new name: a file named document.doc becomes document.doc.leto after encryption.
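The behaviour above can be turned into an offline triage check. The following script is an added example written for this article, not part of the original page or of the analysis it cites; it applies the rules just described (appended .leto extension, skipped extensions and directories, a _readme.txt in every touched directory) to a directory tree and reports what was encrypted, where notes were dropped, and which in-scope files were unexpectedly left alone. The sample tree is constructed inside a temporary directory, and the skipped directory names are relative stand-ins for %LOCALAPPDATA%, %APPDATA%, %WINDIR% and %ProgramFiles% so that the demo runs on any OS.

```python
"""Offline triage of a directory tree hit by the STOP/Djvu .leto variant.

Added example for this article, not code from the original page. It encodes
the behaviour described above: in-scope files are renamed by appending
".leto", .sys/.bat/.dll/.lnk/.ini files and the _readme.txt note are skipped,
a few system directories are skipped, and a ransom note is dropped in every
directory that had at least one file encrypted.
"""
import os
import tempfile
from pathlib import Path

RANSOM_EXT = ".leto"
NOTE_NAME = "_readme.txt"
SKIPPED_EXTS = {".sys", ".bat", ".dll", ".lnk", ".ini"}
# Relative stand-ins (assumption for the demo) for the real skipped locations:
# %LOCALAPPDATA%, %APPDATA%, %WINDIR%, %ProgramFiles%.
SKIPPED_DIRS = {"AppData", "Windows", "Program Files"}


def is_skipped(path: Path, root: Path) -> bool:
    """True if, per the article, the ransomware would leave this file alone."""
    rel = path.relative_to(root)
    if any(part in SKIPPED_DIRS for part in rel.parts[:-1]):
        return True
    if path.name == NOTE_NAME:
        return True
    return path.suffix.lower() in SKIPPED_EXTS


def original_name(encrypted: Path) -> str:
    """document.doc.leto -> document.doc: the extension is simply appended."""
    return encrypted.name[:-len(RANSOM_EXT)]


def triage(root) -> dict:
    """Walk the tree and report encrypted files, note locations and anomalies.

    'anomalies' are in-scope files that were NOT renamed: the ransomware was
    stopped part-way, or the file was created after the attack. Either way
    they deserve a look before you trust the rest of the inventory.
    """
    root = Path(root)
    report = {"encrypted": [], "notes": [], "anomalies": []}
    for dirpath, _dirs, files in os.walk(root):
        here = Path(dirpath)
        if NOTE_NAME in files:
            report["notes"].append(here.relative_to(root).as_posix())
        for name in files:
            p = here / name
            rel = p.relative_to(root).as_posix()
            if name.lower().endswith(RANSOM_EXT):
                report["encrypted"].append((rel, original_name(p)))
            elif not is_skipped(p, root):
                report["anomalies"].append(rel)
    for key in report:
        report[key].sort()
    return report


def build_sample_tree(base) -> Path:
    """Write a small constructed tree that mimics a post-infection layout."""
    base = Path(base)
    files = {
        "Documents/document.doc.leto": b"\x00" * 16,  # encrypted and renamed
        "Documents/_readme.txt": b"ATTENTION!\n",     # note dropped here
        "Documents/run.bat": b"@echo off\n",          # skipped by extension
        "Pictures/photo.jpg.leto": b"\x00" * 16,
        "Pictures/_readme.txt": b"ATTENTION!\n",
        "Pictures/new_photo.jpg": b"\xff\xd8\xff",    # in scope, untouched
        "Windows/drivers/disk.sys": b"MZ",            # skipped directory
    }
    for rel, data in files.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return base


def demo_report() -> dict:
    """Build the sample tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_tree(tmp))


if __name__ == "__main__":
    for key, items in demo_report().items():
        print(f"{key}: {items}")
```

When pointed at a real drive root or user profile (triage(r"C:\Users\victim")), the stand-in directory names match the real folder names, so the same skip rules apply; expect a large inventory, and treat anything in "anomalies" as a sign the run was interrupted or that files were created after the attack.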

[Image: Files encrypted with the .leto extension]

In every directory where at least one file has been encrypted, the ransomware drops a file named ‘_readme.txt’. This file is the message from the Leto operators; an example follows.

[Image: Leto ransom note]

In this file the attackers state that they have encrypted all user files and that the only way to get them back is to pay a ransom. They set the ransom at $980, with a 50% discount if the victim pays within 72 hours. At the end of the file they give two email addresses the victim must use to contact them; only after writing to the attackers does the victim receive the address to which the ransom is to be transferred, most often a Bitcoin wallet.

Threat Summary

Name: Leto ransomware
Type: Crypto virus, Ransomware, Crypto malware, File locker, Filecoder
Encrypted files extension: .leto
Ransom note: _readme.txt
Contact: gorentos@bitmessage.ch, gerentosrestore@firemail.cc
Ransom amount: $980, or $490 if the victim pays within 72 hours
Detection names: Ransom.Win32.STOP, W32/Kryptik (Fortinet), Trojan-Ransom.Win32.Stop (Kaspersky), Trojan.TR/Crypt (F-Secure)
Symptoms: Photos, documents and music cannot be opened. Files carry the odd new .leto extension. Your directories contain a ‘ransom note’ file, usually named _readme.txt.
Distribution ways: Unsolicited emails that deliver malicious software. Drive-by downloads that happen without the user’s knowledge when visiting a compromised web page. Social media posts that entice users to download software with a built-in ransomware downloader or to click a misleading link. USB flash drives and other removable media.
Removal: To remove Leto ransomware, use the removal guide below
Decryption: To decrypt Leto ransomware files, use the steps below

 
As we said above, Leto is already the 172nd variant in this group of ransomware. To date, antivirus companies have not been able to develop a universal method that would let every victim decrypt all of their files. That is the bad news. The good news is that, with the help of a few utilities, you can find all of the ransomware’s files and completely delete it from the computer, and, most importantly, there are a couple of ways that can help recover encrypted files. These are covered at the bottom of this article.

Quick links

  1. How to remove Leto ransomware
  2. How to decrypt .leto files
  3. How to restore .leto files
  4. How to protect your computer from Leto ransomware?

How to remove Leto ransomware

It is very difficult for an untrained user to find and remove Leto ransomware by hand without special utilities, so we recommend that every victim of this ransomware use tools built to search for and remove malware. Such programs detect every component of the ransomware quickly and remove them safely. Can an antivirus be used to neutralize this virus? Yes, but if the antivirus installed on your computer failed to block the ransomware earlier, be sure to update it before scanning. We also recommend running several different malware removal tools to make sure the Leto virus is completely removed.




Remove Leto ransomware virus with Zemana Anti Malware

The first program we recommend for finding and removing this ransomware is Zemana Anti Malware. It has a powerful engine, a simple interface and a fast scanner. Zemana will help find the ransomware and block its further malicious actions, and all malware it finds can be removed free of charge.

Installing the Zemana Anti Malware is simple. First you will need to download Zemana AntiMalware from the following link. Save it to your Desktop so that you can access the file easily.

Download: Zemana AntiMalware (Zemana Ltd, Security tools)

After the download is complete, close all programs and windows on your machine. Double-click the installer, Zemana.AntiMalware.Setup. If the “User Account Control” dialog box appears, click the “Yes” button.

[Image: Zemana User Account Control prompt]

The “Setup wizard” that helps you install Zemana Free on your PC will open. Follow the prompts and do not change the default settings.

[Image: Zemana Anti-Malware (ZAM) Setup Wizard]

Once setup completes, Zemana starts automatically and shows its main screen.

Now click the “Scan” button to scan your machine for the Leto crypto virus and other malicious software, worms and trojans. A system scan may take anywhere from 5 to 30 minutes, depending on your computer. While the tool is scanning, it shows how many objects and files it has already scanned.

[Image: Zemana scanning for Leto ransomware related folders, files and registry keys]

Once Zemana Anti-Malware has finished scanning your system, it displays a list of the items it found, all of which are marked. Click the “Next” button to delete them all; Zemana AntiMalware removes Leto ransomware and the other threats and moves the items to its quarantine. When that is done, you may be prompted to restart the computer.

Use Hitman Pro to remove Leto ransomware virus

The next program that I want to draw your attention to is called Hitman Pro. It is just a fantastic utility that does not require installation on a computer. You just need to download and run it. Hitman Pro has a powerful scanner that allows it to detect and remove various types of malware, including ransomware, trojans, worms, browser hijackers, adware and so on.

  1. Visit the following page to download the latest version of HitmanPro for MS Windows. Save it directly to your Windows Desktop.
     Download: HitmanPro (Sophos, Security tools)
  2. After the download is complete, start Hitman Pro by double-clicking the HitmanPro.exe file.
  3. If “User Account Control” prompts you, click Yes to continue.
  4. In the HitmanPro window, click “Next”. HitmanPro will scan the whole machine for Leto ransomware. While it is scanning, it shows the number of objects it has identified as malware.
  5. When the scan ends, you are shown the list of all threats found on your computer. Click “Next”, then click the “Activate free license” button to begin the free 30-day trial and remove all the malicious software found.

Remove Leto ransomware virus from computer with Kaspersky virus removal tool

Perhaps you have already heard about the powerful features of Kaspersky Anti-Virus; if not, now is the time to get to know them. As the last step of removing the virus, we suggest scanning your computer with a utility built on the core of that antivirus: Kaspersky Virus Removal Tool (KVRT). KVRT is essentially the scanning half of the antivirus; it has no real-time protection module, so if you already have an antivirus installed, you do not need to uninstall it. This utility performs a deep scan of the computer, finds the ransomware and lets you remove it with a single click, free of charge.

Download Kaspersky virus removal tool (KVRT) from the following link.

Download: Kaspersky Virus Removal Tool (Kaspersky Lab, Security tools)

Once the download is complete, double-click the Kaspersky Virus Removal Tool icon. When initialization finishes, you will see the KVRT main window.

[Image: Kaspersky Virus Removal Tool main window]

Click Change Parameters and tick all of your drives, then click OK to close the Parameters window. Next click the Start scan button to scan the system for the Leto crypto virus and other malware. This may take some time, so please be patient. While the tool is checking, it shows the number of objects it has identified as affected by malware.

[Image: Kaspersky Virus Removal Tool scanning]

When the scan finishes, the results are displayed in the scan report.

[Image: Kaspersky Virus Removal Tool scan report]

Review the scan results and then click Continue to start the cleaning process.

How to decrypt .leto files

The ‘.leto’ extension on your files is the sign that they are encrypted. At the beginning of this article we said that, at the time of writing, there was no way to decrypt these files: although Leto is already the 172nd version of the same ransomware, security researchers had not been able to create a decryptor, for one reason only, the strength of the encryption, and antivirus companies cannot help decrypt the files for the same reason. But it is not all bad. There are two things that can help you recover your files.

The first method is the use of the so-called offline key. What is an ‘offline key’? While analysing previous versions of this ransomware, security researchers found that the ransomware normally uses a unique key for each computer, obtained from its control server; this is the ‘online key’. When the ransomware cannot reach the control server, it falls back to a key built into the sample, and that key is the same for every computer it encrypts; this is the ‘offline key’. An offline key has been recovered for almost all versions of this ransomware, which has allowed many victims to decrypt all or part of their encrypted files. The Leto offline key has not yet been recovered, but based on previous experience you just need to wait a while until it is found.

How do you determine which key Leto used to encrypt your files? First, you can look at the personal ID given in the ‘_readme.txt’ ransom note. Alternatively, look on drive C: for the ‘SystemID\PersonalID.txt’ file, where Leto stores the personal IDs used for encryption.

[Image: .leto personal ID file, with the Leto Personal ID highlighted]

If your ID ends in ‘t1’, you are lucky: your files were encrypted with the offline key, and once security researchers recover that key you will be able to decrypt your files. If your Personal ID does not end in ‘t1’, the ransomware used an online key unique to your computer, and the chance of decrypting the files is small. Even so, you may still be able to recover some of them without a key; that method is discussed in the next part of this article.
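Here is the check described above as a short script. It is an added example for this article, not code from the page or from any decryptor; the classification rule (an ID ending in ‘t1’ means the offline key) comes from the text, while the note layout it parses (a line reading ‘Your personal ID:’ followed by the ID on the next line) and the sample IDs are assumptions constructed for the demo. Feed it the real contents of C:\SystemID\PersonalID.txt and of a _readme.txt from any encrypted folder in the same way.

```python
"""Tell whether Leto used the offline or an online key from the personal ID.

Added example for this article, not the page's or any decryptor's code.
Rule from the article: an ID ending in "t1" means the shared offline key;
anything else means a per-victim online key. PersonalID.txt can hold more
than one ID (one per line) if the machine was hit more than once, so every
line is classified. The note layout and the sample IDs below are constructed.
"""
import re

OFFLINE_SUFFIX = "t1"
# A personal ID is one long run of letters and digits (assumption).
ID_TOKEN = re.compile(r"[A-Za-z0-9]{20,}")


def classify_id(personal_id: str) -> str:
    """'offline' if the ID ends in t1, otherwise 'online'."""
    pid = personal_id.strip()
    if not ID_TOKEN.fullmatch(pid):
        raise ValueError(f"not a personal ID: {pid!r}")
    return "offline" if pid.endswith(OFFLINE_SUFFIX) else "online"


def ids_from_personal_id_file(text: str) -> list:
    """Parse the contents of C:\\SystemID\\PersonalID.txt: one ID per line."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def id_from_note(note_text: str):
    """Pull the ID out of a _readme.txt: the first ID-looking token after a
    line mentioning 'personal ID' (layout is an assumption for the demo)."""
    lines = note_text.splitlines()
    for i, line in enumerate(lines):
        if "personal id" in line.lower():
            for candidate in lines[i + 1:]:
                m = ID_TOKEN.fullmatch(candidate.strip())
                if m:
                    return m.group(0)
    return None


def summarize(personal_id_text: str, note_text: str) -> dict:
    """Classify every ID seen and say whether any file may be decryptable."""
    ids = ids_from_personal_id_file(personal_id_text)
    note_id = id_from_note(note_text)
    if note_id and note_id not in ids:
        ids.append(note_id)  # note and SystemID file disagree: keep both
    verdicts = {pid: classify_id(pid) for pid in ids}
    return {
        "ids": verdicts,
        "note_id": note_id,
        "any_offline": any(v == "offline" for v in verdicts.values()),
    }


# Constructed sample data (not real victim IDs).
SAMPLE_PERSONAL_ID_TXT = "0172AbCdEfGhIjKlMnOpQrStUvWxYz0123456789t1\n"
SAMPLE_NOTE = """ATTENTION!

Don't worry, you can return all your files!

Your personal ID:
0172AbCdEfGhIjKlMnOpQrStUvWxYz0123456789t1
"""
SAMPLE_ONLINE_ID = "0172ZyXwVuTsRqPoNmLkJiHgFeDcBa9876543210Fk"


def demo() -> dict:
    """Classify the constructed sample."""
    return summarize(SAMPLE_PERSONAL_ID_TXT, SAMPLE_NOTE)


if __name__ == "__main__":
    print(demo())
    print(SAMPLE_ONLINE_ID, "->", classify_id(SAMPLE_ONLINE_ID))
```

The script keeps every ID it sees rather than trusting just one, because a machine hit twice can carry an online ID from one run and an offline ID from another, and only the files from the offline run will ever be decryptable.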

Update: good news! A few days ago a free decryptor was released. Below I provide a link where you will find detailed information on where to download it and how to use it to decrypt .leto files.

STOP Djvu Ransomware Decryptor – Free way to decrypt encrypted files

How to restore .leto files

If the decryptor cannot help you (for example because your files were encrypted with an online key), there is still a way to recover part, or maybe even all, of the encrypted files. Below we show two different ways to recover encrypted files. Each uses a different mechanism, so try both: if the first method does not help you, try the second. Before you start recovering files, check your computer for ransomware once more; you need to be 100% sure that Leto is completely removed, otherwise the recovered files may be encrypted again.




Recover .leto files with ShadowExplorer

The easiest, and often very effective, way to recover encrypted files is a program called ShadowExplorer. It is small, easy to use, free, and does not need to be installed. ShadowExplorer uses standard Windows features to access the so-called ‘Shadow Volume Copies’ that the OS creates automatically. Unfortunately, most ransomware, on first start, tries to delete all shadow copies; if they were deleted, you will not be able to recover the encrypted files with ShadowExplorer. You can check whether any copies survived by running the Windows command vssadmin list shadows from an elevated command prompt before you go further.

Download ShadowExplorer by clicking on the link below.

Download: ShadowExplorer (ShadowExplorer.com, Security tools)

When the download is finished, extract the saved file to a folder on your PC. This creates the files shown below.

[Image: ShadowExplorer folder]

Start the ShadowExplorerPortable program. Choose the drive (1) you want to restore files or folders from and the date (2) you wish to recover from, as in the following example.

[Image: Restoring encrypted files with the ShadowExplorer utility]

In the right panel, navigate to the file or folder you want to recover. Right-click it and choose Export.

[Image: ShadowExplorer recovering .leto files]

Finally, specify a directory (for example your Desktop) where the shadow copy of the encrypted file should be saved and click ‘OK’.

Restore .leto files with PhotoRec

If for some reason you could not restore the files with ShadowExplorer, there is another option: PhotoRec, a small free program designed to search for and recover lost and deleted data. Why can this tool help? To answer that you need to know what Windows does when a user deletes a file. The file’s contents are not wiped from the disk or overwritten; the file is simply marked as deleted and hidden from the user, and its data stays on disk until something else is written over it. PhotoRec scans the disk for such data by its file signatures, without relying on the file system, and restores access to it. If the ransomware wrote the encrypted copy as a new file and deleted the original, the original’s contents may therefore still be on the disk, which is what makes it possible to use this program to recover encrypted files.
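To make the mechanism concrete, here is a minimal signature carver, an added example for this article and not PhotoRec’s own code. It does what PhotoRec does at its core: scan raw disk bytes for known file headers and footers and cut the runs out without consulting the file system. The ‘disk image’ is built in memory and is entirely constructed: a JPEG whose tail was overwritten, a complete PNG, and a complete JPEG, separated by filler. The truncated one shows the caveat a practitioner should expect: a file that was partly overwritten (for instance by the encrypted copy the ransomware wrote) cannot be carved whole, and a naive carver that simply searches for the next footer would wrongly glue it to the following file.

```python
"""Carve files out of raw bytes by header/footer signature.

Added example for this article, not PhotoRec's code. It shows why file
recovery can work after a ransomware run: a deleted file's bytes stay on
disk until overwritten, and a carver finds them by signature with no help
from the file system. The image below is constructed in memory.
"""

SECTOR = 512

# (type, header, footer) for the two formats used in the demo.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
]


def carve(image: bytes) -> list:
    """Return one record per header found, in disk order.

    A run is only reported as complete if its footer appears before the next
    header of the same type; otherwise the file was truncated or overwritten
    and gluing it to the following file's footer would produce garbage.
    """
    found = []
    for kind, head, tail in SIGNATURES:
        pos = 0
        while (start := image.find(head, pos)) != -1:
            body = start + len(head)
            next_head = image.find(head, body)
            end = image.find(tail, body)
            complete = end != -1 and (next_head == -1 or end < next_head)
            if complete:
                end += len(tail)
                found.append({"type": kind, "offset": start, "complete": True,
                              "data": image[start:end]})
                pos = end
            else:
                found.append({"type": kind, "offset": start, "complete": False,
                              "data": None})
                pos = body
    return sorted(found, key=lambda rec: rec["offset"])


# Constructed sample files: tiny, but with the real magic bytes.
JPEG_FULL = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"A" * 100 + b"\xff\xd9"
PNG_FULL = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"B" * 40
            + b"IEND\xae\x42\x60\x82")
JPEG_TRUNCATED = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"C" * 50  # footer gone


def build_image() -> bytes:
    """Lay the samples out on sector boundaries inside filler bytes.

    The filler pattern never contains 0xff or the PNG magic, so nothing in it
    can be mistaken for a signature.
    """
    image = bytearray(i % 251 for i in range(8 * SECTOR))
    for offset, data in ((2 * SECTOR, JPEG_TRUNCATED),
                         (4 * SECTOR, PNG_FULL),
                         (6 * SECTOR, JPEG_FULL)):
        image[offset:offset + len(data)] = data
    return bytes(image)


def demo_carve() -> list:
    """Carve the constructed image."""
    return carve(build_image())


if __name__ == "__main__":
    for rec in demo_carve():
        size = len(rec["data"]) if rec["data"] else 0
        print(f"{rec['type']} at {rec['offset']:#06x} "
              f"complete={rec['complete']} {size} bytes")
```

Carved files come out without their original names, since the file system entry that held the name is exactly what a carver does not use; that is why PhotoRec’s output has to be sorted by type and date rather than by name, as described further below.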

Download PhotoRec by clicking on the link below.

Download: PhotoRec (CGSecurity, Security tools)

When the download is finished, open the directory in which you saved it. Right-click testdisk-7.0.win and choose Extract all, then follow the prompts. Next open the testdisk-7.0 folder, which looks similar to the one below.

[Image: testdisk/photorec folder]

Double-click qphotorec_win to run PhotoRec for Windows. A window similar to the one below opens.

[Image: PhotoRec for Windows]

Choose the drive to recover from.

[Image: PhotoRec, choosing a drive]

You will see a list of available partitions. Select the partition that holds the encrypted photos, documents and music.

[Image: PhotoRec, selecting a partition]

Press the File Formats button and choose the file types to recover; you can enable or disable recovery of particular file types. When you are done, press OK.

[Image: PhotoRec file formats]

Next, click the Browse button to select where recovered files should be written. Choose a folder on a different drive than the one you are recovering from (an external disk is ideal), otherwise the recovered files may overwrite the very data you are trying to recover. Then click Search.

[Image: PhotoRec search]

The count of recovered files is updated in real time. All restored photos, documents and music are written to the folder you selected in the previous step, and you can access the files even before the recovery process has finished.

When the recovery is complete, click the Quit button and open the directory where the restored files are stored. You will see contents like those in the image below.

[Image: PhotoRec, result of recovery]

All restored photos, documents and music are written to the recup_dir.1, recup_dir.2 … sub-directories. PhotoRec recovers data by file content, so the original file names are not preserved; if you are looking for a specific file, sort the restored files by extension and/or date/time.

How to protect your computer from Leto ransomware?

If you have reached this part of the guide, it probably means that your antivirus did not detect Leto ransomware, or that you have no antivirus installed. So you should think about changing your antivirus or installing one. But even a good antivirus cannot always identify and block ransomware. We recommend using, alongside the antivirus, an additional program designed specifically to detect and block ransomware. HitmanPro.Alert is a small security tool that can detect, remove, and reverse the effects of ransomware.

Visit the following page to download the latest version of HitmanPro Alert for MS Windows. Save it on your MS Windows desktop or in any other place.

Download: HitmanPro.Alert (Sophos, Security tools)

When the download is finished, open the file location. You will see an icon like the one below.

[Image: HitmanPro.Alert file icon]

Double-click the HitmanPro.Alert icon. When the utility opens, you are shown a window where you can select a level of protection.

[Image: HitmanPro.Alert install]

Now click the Install button to activate the protection.

Final words

We hope that this guide helped you find out everything you needed to know about Leto, remove the ransomware and, most importantly, restore or decrypt your encrypted files. If you have any questions, comments or additional information, please write to us using the form below. Also, if your files were encrypted using an ‘offline ID’, which will probably allow them to be decrypted, subscribe to our Facebook channel or bookmark this page. As soon as an ‘offline ID’ or another way to decrypt the files appears, we will let you know.

 

Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.

5 Comments

  1. Anish Roy
    ― October 20, 2019, 9:49 am

    My files were encrypted with the Leto ransomware virus and, as you wrote about the offline ID, my offline ID ends with t1. Can you say how to encrypt it?

    1. Myantispyware team
      ― October 21, 2019, 2:53 am

      Try the new free STOP decryptor that was created by Emsisoft and Michael Gillespie. Read more here: Emsisoft STOP Djvu Ransomware Decryptor – Free way to decrypt encrypted files.

  2. Ray
    ― October 25, 2019, 12:46 pm

    I have been using “PhotoRec” to restore my photos, but the photo size and resolution have changed to very small. Why has that happened? And how can I change them back to the original size and resolution? Please help me 🙁

  3. ck
    ― April 20, 2020, 10:51 am

    All my files were encrypted with the Leto ransomware virus and, as you wrote about the offline ID, my offline ID ends with k1. Can you say how to encrypt it?

    1. Myantispyware team
      ― April 22, 2020, 5:07 am

      If your ID ends with ‘k1’, then it means that the files were encrypted with an online key, so you cannot decrypt them.

Copyright © 2004 - 2023 MASW - Myantispyware.com.