.leen Files Virus (Scarab) – How to Remove It and Decrypt Files for Free

.leen Files Virus (Scarab) – How to Remove It and Decrypt Files for Free

This article has been created in order to help explain what is the .leen files virus and how to remove it from your computer plus how you can restore the files encrypted by this variant for free.

Yet another variant of the Scarab ransomware virus has come out in the wild, infecting the computers of victims. The ransomware adds the .leen file extension to the encrypted files after which leaves behind a file, called “INSTRUCTIONS FOR RESTORING FILES.TXT”. This ultimately results in the malware extorting the victim to pay a huge ransom in BitCoin or in the form of other cryptocurrencies. However, if the developers of this malware have not changed anything specific within it, it is important to note that this ransomware still remains to be decryptable. If you want to remove the .leen files virus and restore your files for free, we advise that you read this article to learn how to remove it and decrypt your encrypted files.

Threat Summary

Name.leen Files Virus
TypeRansomware, Cryptovirus
Short DescriptionScarab Ransomware variant. Aims to encrypt files on victims’ computers and then ask for ransom payment to decrypt them.
SymptomsThe files are encrypted with the added .leen file extension.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by .leen Files Virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .leen Files Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.leen Files Virus – Distribution Methods

In order to be successfully widespread on users’ comptuers, the .leen files virus aims to perform various different types of activities on the user’s computer, whose main goal is to get the user to be tricked into either opening a malicious e-mail attachment or performing other activities which may ultimately lead to the successful infection of users. The most often distributed of those methods is to use malicious spam e-mails to replicate the virus files onto the computers of users. Such spam e-mails may appear in proximity to what the suspicious e-mail underneath appears like:

In addition to spam e-mails the malware may also come via more passive methods, such as being uploaded as a file or program that pretends to be a legitimate type of:

  • Software setup.
  • Patch or software crack.
  • Online license activator.

Scarab Ransomware – Activity

When an infection with the Scarab ransomware virus takes place, the unthinkable methods become reality. The initial stage of activity of this ransomware virus on your PC is to prepare your computer for file encryption that is unobstructed by any defense. The virus may connect to it’s command and control server belonging to the cyber-criminals and then it may relay different system information from the infected PC plus uniquely identify it via using functions within the malicious executable itself. The malicious files of Scarab Ransomware are randomly named .exe type of files and they may be located on one of the following Windows Directories:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%
  • %Temp%
  • %SystemDrive%

In addition to the files dropped, the .leen Scarab virus variant may also drop other types of files on the user’s computer, among which is the ransom note of the virus, called “INSTRUCTIONS FOR RESTORING FILES.TXT”. These instructions are the following:

Your files are now encrypted!

Your personal identifier:

All your files have been encrypted due to a security problem with your PC.

Now you should send us email with your personal identifier.
This email will be as confirmation you are ready to pay for decryption key.
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.

Contact us using this email address: [email protected]

Free decryption as guarantee!
Before paying you can send us up to 3 files for free decryption.
The total size of files must be less than 10Mb (non archived), and files should not contain
valuable information (databases, backups, large excel sheets, etc.).

How to obtain Bitcoins?
* The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click
‘Buy bitcoins’, and select the seller by payment method and price:
* Also you can find other places to buy Bitcoins and beginners guide here:

* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price
(they add their fee to our) or you can become a victim of a scam.

According to them, the victim should buy BitCoins on p2p markets after which pay a ransom that is dependable on the hacker, calling himeslf “Mr.Leen”. Thankfully, this variant of Scarab is likely decryptable.

.leen Files Virus – Encryption Process

For the encryption process, similar to other variants of Scarab(https://sensorstechforum.com/scarab-ransomware-remove-restore-encrypted-files/) ransomware, this infecton scans for the following types of files to encrypt them:

  • Videos.
  • Documents.
  • Audio files.
  • Images.
  • Archives.

The malware encrypts files, based on their file extensions, and those are likely in a pre-set list and often used types of files, like the following:


After encryption, the files assume the .leen file extension added to them and begin to appear like the following image shows:

Remove .leen Files Virus and Restore Encrypted Data

In order to delete the .leen files ransomware it is strongly recommended that you follow the removal instructions underneath and understand how you can remove this ransomware infection completely from your computer. If manual removal represents a difficulty for you, we advise that you remove this ransomware virus automatically, preferably by helping you follow the removal instructions underneath this article. If manual removal instructions cannot help you to remove this virus, we strongly recommend that you download an advanced anti-malware software. It aims to help you by explaining to you how you can remove this virus automatically and according to security researchers such tool can automatically scan your computer for malware and remove it by detecting and deleting the malicious objects associated with it.

If you want to restore files, encrypted by this ransomware, you can follow the file recovery instructions underneath. They may not be 100% effective to recover all your files, but with some luck, you may restore more than half of them.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share