Today, the security expert Michael Gillespie reported the first victims of the ransomware, which encrypts files on the victim’s computer, and then changes the file names, adding the ‘.Leto‘ extension.
Ransomware with extension “.leto” (v0172) spotted on ID Ransomware
This ransomware is a new version (v0172) of the long-known ransomware. Its previous versions were Bora, Reco, Noos and so on. Like its previous versions, there is currently no easy way to decrypt files. But do not lose hope. In this article we will tell you in detail about this virus, how to delete it, is it possible to decrypt files or restore them to a state before encryption.
What is Leto ransomware
Leto is the 172th version of the ransomware, which belongs to the STOP family. It arrives on the computer as a file dropped by other malware or adware already installed on the victim’s computer. Another way is when the ransomware arrives on the computer as a file downloaded by the user accidentally or unknowingly from malicious web sites. After the ransomware is launched, it creates a directory in the Windows OS system directory (%AppDataLocal%) and drops a copy of itself there using a randomized file name. Leto also creates another directory with the name ‘SystemID’, into which it drops a file called ‘PersonalID.txt’. This file contains a list of ids that define the key used to encrypt files on the computer.To start automatically every time the computer is turned on, the ransomware adds itself the Startup Registry key, creating a new key in the next section of the Windows registry.
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Next, the ransomware communicates with the control server to receive commands and transmit information about the infected computer. After that, the ransomware can download several more additional files. The ransomware does not encrypt files that have the extensions .sys, .bat, .dll, .lnk, .ini, _readme.txt or if they are located in some system directories, some of which are: %AppDataLocal%, %Application Data%, %Windows%, %Program Files%. All other user files will be encrypted using a strong encryption algorithm. The ransomware renames all encrypted files, adding the .leto extension at the end of their full name. For example, a file named document.doc, after it is encrypted, will receive the name document.doc.leto.
Files encrypted with .leto extension
In every directory where at least one file has been encrypted, the ransomware drops a new file with the name ‘_readme.txt’. This file is a message from Leto creators. The following is an example of such a message.
Leto ransom note
In this file, attackers report that they encrypted all user files. The only way to return the files is to pay them a ransom. Attackers indicate that the ransom is $980, and that the victim has the opportunity to pay half the ransom if he pays for it within 72 hours. In the last part of this file, the authors of the ransomware provide two email addresses that the victim must use to contact them. Only by writing an email letter to the attackers, the victim can get the address to which the ransom will need to be transferred. Most often, attackers use a bitcoin wallet to obtain a ransom.
Threat Summary
| Name | Leto ransomware |
| Type | Crypto virus, Ransomware, Crypto malware, File locker, Filecoder |
| Encrypted files extension | .leto |
| Ransom note | _readme.txt |
| Contact | gorentos@bitmessage.ch, gerentosrestore@firemail.cc |
| Ransom amount | $980, $490 (if the victim pay the ransom within 72 hours) |
| Detection Names | Ransom.Win32.STOP, W32/Kryptik (Fortinet), Trojan-Ransom.Win32.Stop (Kaspersky), Trojan.TR/Crypt (F-Secure) |
| Symptoms | Unable to open photos, documents and music. Odd and new .leto file extension. Your file directories contain a ‘ransom note’ file that is usually the _readme.txt file. |
| Distribution ways | Unsolicited emails that are used to deliver malicious software. Malicious downloads that happen without a user’s knowledge when they visit a compromised webpage. Social media posts (they can be used to entice users to download malicious software with a built-in ransomware downloader or click a misleading link). USB flash drive and other removable media. |
| Removal | To remove Leto ransomware use the removal guide |
| Decryption | To decrypt Leto ransomware use the steps |
As we said above, Leto virus is already 172 in the same group of ransomware. To date, antivirus companies have not been able to develop a universal method that would help any victim to decrypt all files. This is bad news. But of course there is a good one. With the help of certain utilities, you can find all the files of the ransomware and completely delete it from the computer. And most importantly, there are a couple of ways that can help recover encrypted files. This will be discussed at the bottom of this article.
Quick links
- How to remove Leto ransomware
- How to decrypt .leto files
- How to restore .leto files
- How to protect your computer from Leto ransomware?
How to remove Leto ransomware
It is very difficult for an untrained user to manually find and remove Leto ransomware without using special utilities. Therefore, we recommend that everyone who is a victim of this ransomware use tools created to search for and remove malware. It is such programs that will help you quickly and easily detect all parts of the ransomware and safely remove them from your computer. Is it possible to use an antivirus to neutralize this virus? Of course, yes, but if the antivirus installed on your computer could not block the ransomware earlier, be sure to update your antivirus before scanning. However, we recommend that you use several different malware removal tools to ensure that Leto virus is completely removed!
Remove Leto ransomware virus with Zemana Anti Malware
The very first program we recommend using to find and remove this ransomware is Zemana Anti Malware. This program has a powerful engine, simple interface and fast scanner. Zemana will help to find the ransomware and block its further malicious actions. Importantly, all malware found can be removed completely free of charge.
Installing the Zemana Anti Malware is simple. First you will need to download Zemana AntiMalware from the following link. Save it to your Desktop so that you can access the file easily.
164892 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
After the downloading process is done, close all programs and windows on your machine. Double-click the install file called Zemana.AntiMalware.Setup. If the “User Account Control” dialog box pops up as shown in the following example, click the “Yes” button.
It will open the “Setup wizard” that will help you install Zemana Free on your PC. Follow the prompts and do not make any changes to default settings.
Once setup is complete successfully, Zemana will automatically start and you can see its main screen as shown on the screen below.
Now click the “Scan” button for scanning your machine for the Leto crypto virus, other malicious software, worms and trojans. A system scan may take anywhere from 5 to 30 minutes, depending on your personal computer. While the tool is scanning, you can see number of objects and files has already scanned.
Once Zemana Anti-Malware has finished scanning your system, Zemana Anti Malware will display a list of found items. All found threats will be marked. You can delete them all by simply click “Next” button. The Zemana AntiMalware will uninstall Leto ransomware and other security threats and move items to the program’s quarantine. Once that process is done, you may be prompted to restart the computer.
Use Hitman Pro to remove Leto ransomware virus
The next program that I want to draw your attention to is called Hitman Pro. It is just a fantastic utility that does not require installation on a computer. You just need to download and run it. Hitman Pro has a powerful scanner that allows it to detect and remove various types of malware, including ransomware, trojans, worms, browser hijackers, adware and so on.
- Visit the following page to download the latest version of HitmanPro for MS Windows. Save it directly to your Microsoft Windows Desktop.
- After the download is complete, start the Hitman Pro, double-click the HitmanPro.exe file.
- If the “User Account Control” prompts, click Yes to continue.
- In the HitmanPro window, click the “Next” . HitmanPro program will scan through the whole machine for Leto ransomware. While the Hitman Pro is scanning, you can see number of objects it has identified either as being malware.
- As the scanning ends, you’ll be shown the list of all found threats on your personal computer. Next, you need to click “Next”. Now, click the “Activate free license” button to begin the free 30 days trial to remove all malicious software found.
Remove Leto ransomware virus from computer with Kaspersky virus removal tool
Perhaps you have already heard about the powerful features of Kaspersky Anti-Virus. If not, then it’s time to get to know them. In the last step of removing the virus, we suggest that you scan your computer using a utility that is built on the core of this antivirus program. This utility is called Kaspersky virus removal tool (KVRT). In principle, KVRT is almost half of the antivirus program, there simply is no module that should protect your computer. If you have installed antivirus, then you do not need to uninstall it. This utility will perform a deep computer scan, find ransomware and allow you to remove it with a single click. And of course, you can remove malware for free.
Download Kaspersky virus removal tool (KVRT) from the following link.
129256 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
Once the downloading process is complete, double-click on the Kaspersky virus removal tool icon. Once initialization procedure is finished, you will see the KVRT screen as shown on the screen below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button to perform a system scan for the Leto crypto virus and other malware. This task may take some time, so please be patient. While the Kaspersky virus removal tool utility is checking, you can see number of objects it has identified as being affected by malware.
After finished, the results are displayed in the scan report as on the image below.
Review the scan results and then click on Continue to start a cleaning process.
How to decrypt .leto files
The ‘.leto’ extension of your files is a sign that they are encrypted. At the beginning of this article, we reported that at the moment there is no way to decrypt these files. Although Leto is already a 172 version of the same ransomware, security experts could not create a decryptor. There is only one reason – the complexity of encryption. Antivirus companies also cannot help decrypt files, for the same reason. But it is not all that bad. There are two ways that can help you recover your files.
The first method that we will discuss now is the use of the so-called offline key. What is ‘offline key’? During the analysis of previous versions of this ransomware, security experts found that for each computer the ransomware uses a unique key. This key has been called the ‘online key’. In some cases, when the ransomware does not have access to the control server, the ransomware uses the same key for all computers to encrypt files. This is the key they called the ‘offline key’. This offline key has been discovered for almost all versions of this ransomware. This has helped many victims to decrypt all or part of the encrypted files. Leto offline key has not yet been detected, but based on previous experience, you just need to wait a while until it is found.
How to determine which key Leto used to encrypt your files. First of all, you can look at the personal ID that is given in the ‘_readme.txt’ file (ransom note). Another way, look on disk ‘C’ for ‘SystemID\PersonalID.txt’ file. This is a file in which Leto stores the Personal IDs used for encryption.
Leto Personal ID is highlighted here
If there is an ID ending in ‘t1’, then you are lucky, your files are encrypted using an offline key, and when security experts find this key, you can decrypt your files. If your Personal ID does not end with ‘t1’, then the ransomware used an online key. Even so, there is little chance of recovering encrypted files. This method will be discussed in the next part of our article.
Update: good news! A few days ago a free decryptor was released. Below I provide a link where you will find detailed information on where to download it and how to use it to decrypt .leto files.
STOP Djvu Ransomware Decryptor – Free way to decrypt encrypted files
How to restore .leto files
Although it is impossible to decrypt .leto files, as we already said above, there is a way that will allow you to recover part, or maybe even all encrypted files. In the following instructions, we will show two different ways to recover encrypted files. Each of them uses a different mechanism, so you need to try both methods. If the first method did not help you, try the second. In addition, I want to remind you that before you start recovering files, be sure to check your computer for ransomware. You need to be 100% sure that Leto is completely removed.
Recover .leto files with ShadowExplorer
The easiest and often very effective way to recover encrypted files is to use a program called ShadowExplorer. It is a program that is small in size, easy to use, does not require installation on a computer, and is also free. ShadowExplorer uses the standard features of the Windows to access the so-called ‘Shadow Volume Copies’ that are created automatically by the OS. Unfortunately, most often the ransomware at the first start tries to delete all Shadow Copies. Accordingly, if these copies were deleted, then you will not be able to recover the encrypted files using ShadowExplorer.
Download ShadowExplorer by clicking on the link below.
439541 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
When the downloading process is finished, extract the saved file to a folder on your PC. This will create the necessary files as shown below.
Start the ShadowExplorerPortable program. Now choose the date (2) that you wish to recover from and the drive (1) you want to restore files (folders) from as displayed in the following example.
On right panel navigate to the file (folder) you want to recover. Right-click to the file or folder and press the Export button as displayed on the screen below.
And finally, specify a directory (your Desktop) to save the shadow copy of encrypted file and click ‘OK’ button.
Restore .leto files with PhotoRec
If for some reason you could not restore the files using ShadowExplorer, then there is another option. This is to use PhotoRec. PhotoRec is a small free program that is designed to search and recover lost and deleted data. Why this tool can help you. To answer it you need to know what the Windows OS does when the user deletes files. When a user deletes files, these files are not deleted from the disk and are not overwritten, they are simply marked as deleted and hidden from the user. PhotoRec finds such deleted files and restores access to them. This allows you to use this program to recover encrypted files.
Download PhotoRec by clicking on the link below.
When downloading is finished, open a directory in which you saved it. Right click to testdisk-7.0.win and choose Extract all. Follow the prompts. Next please open the testdisk-7.0 folder similar to the one below.
Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It will open a screen similar to the one below.
Choose a drive to recover similar to the one below.
You will see a list of available partitions. Select a partition that holds encrypted photos, documents and music as shown in the figure below.
Press File Formats button and choose file types to recover. You can to enable or disable the recovery of certain file types. When this is finished, press OK button.
Next, click Browse button to select where recovered files should be written, then click Search.
Count of recovered files is updated in real time. All restored photos, documents and music are written in a folder that you have selected on the previous step. You can to access the files even if the restore process is not finished.
When the restore is complete, click on Quit button. Next, open the directory where restored personal files are stored. You will see a contents as displayed on the image below.
All restored photos, documents and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re looking for a specific file, then you can to sort your restored files by extension and/or date/time.
How to protect your computer from Leto ransomware?
Once you read this part of the instruction, it means that your antivirus has not detected Leto ransomware or you do not have antivirus installed. Therefore, you need to think about changing the antivirus or installing it. But even a good antivirus cannot always identify and block the ransomware. We recommend that you use an additional program with the antivirus that is designed specifically to detect and block the ransomware. HitmanPro.Alert is a small security tool that can detect, remove, and reverse ransomware effects.
Visit the following page to download the latest version of HitmanPro Alert for MS Windows. Save it on your MS Windows desktop or in any other place.
When the download is finished, open the file location. You will see an icon like below.
Double click the HitmanPro.Alert desktop icon. When the utility is opened, you will be shown a window where you can select a level of protection, as shown on the screen below.
Now click the Install button to activate the protection.
Finish words
We hope that this instruction helped you find out all the necessary information about Leto and you were able to remove the ransomware, and, most importantly, restore or decrypt the encrypted files. If you have any questions, comments, or you have additional information, please write to us using the form below. Also, if your files were encrypted using an ‘offline id’, which will probably allow them to be decrypted, then subscribe to our Facebook channel or bookmark the page. As soon as an ‘offline id’ or other way to decrypt files appears, we will inform you about it.
my files encrypted with leto ransomware virus and as you wrote about the offline id my offline id ends with t1. can you say how to encrypt it.
Try a new free STOP decryptor that was created by Emsisoft and Michael Gillespie. Read more here – Emsisoft STOP Djvu Ransomware Decryptor – Free way to decrypt encrypted files.
I have using “PhotoRec” to restore my photo, but the photo size and resolution has change to very small. why it been that? And how can i let it change to original size and resolution? please help me 🙁
all my files encrypted with leto ransomware virus and as you wrote about the offline id my offline id ends with k1. can you say how to encrypt it.
If your id ends with ‘k1’, then it means that the files are encrypted with an online key, so you can not decrypt them.