Remove CryptoMix .lesli File Virus

This article provides instructions to help you remove CryptoMix ransomware and try to restore .lesli encrypted files.

A ransomware virus believed to be part of the CryptoMix malware family appears to be causing infections and encrypting the files on infected computers, demanding ransom money in a text file named “INSTRUCTION RESTORE FILE.TXT”. In those instructions, victims may be asked to pay approximately 0.5 to 1.5 BTC to get a decryptor for the encoded files. If you have become a victim of the .lesli virus, we advise you not to make any payment or communicate with the cyber-criminals, and instead to focus on removing the malware and restoring the files encoded by this malware yourself.

Threat Summary


Name: .lesli CryptoMix
Short Description: The malware encrypts users' files using a strong encryption algorithm, making direct decryption possible only via a unique decryption key available to the cyber-criminals.
Symptoms: The user may witness ransom notes and “instructions” linking to an e-mail for contact. The file extension of encrypted files is changed to .lesli.
Distribution Method: Via an exploit kit, DLL file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool: See if your system has been affected by .lesli CryptoMix (Malware Removal Tool).
User Experience: Join our forum to discuss .lesli CryptoMix.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

How .lesli CryptoMix Ransomware Infects

To cause a successful infection, the criminals behind the CryptoMix .lesli threat might perform several different actions. One of those is to obfuscate malicious code or a malicious file and disguise it as a legitimate file in order to fool an inexperienced user into opening it. This is achievable through socially engineered phishing e-mails containing fraudulent information, for example a claim that the victim needs to check their bank account balance sheet. Opening the attachment activates a malicious script, in most cases without Windows Firewall or any other defensive software detecting it. After this is done, the virus begins to drop malicious files with different names in several Windows folders:

CryptoMix .lesli Ransomware – Post-Infection Activity

As soon as the malicious files are dropped on your computer by the .lesli Infection module, the malware may begin to encrypt files of the following file types:

→ .sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt.

After the encryption process has been completed, the virus may add a file extension that contains an e-mail address and the .lesli suffix. Files encrypted by .lesli may appear like the following:

As soon as this has been completed, the .lesli virus may drop a .txt file named “INSTRUCTION RESTORE FILE.TXT”, which notifies the user of the situation and provides instructions on decrypting the files by paying a hefty ransom fee. Malware researchers strongly advise against paying it.

The .lesli Virus – Remove it and Try to Get the Files Back

To fully remove the ransomware from your computer, malware researchers strongly advise users to use advanced malware removal software that will automatically take care of the threat. For this and other removal methods, refer to the removal instructions below.

After you have removed the .lesli CryptoMix variant, you can try the alternative methods we have published in step “2. Restore files encrypted by .lesli CryptoMix” below, which aim to assist you in restoring at least some of the files. Back up your files before performing this process, because you may lose them forever by using some of the methods, such as third-party decryptors.
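The backup step advised above can be scripted. The following is an added example, not code from the original article: it inventories files carrying the .lesli suffix and copies of the ransom note, then copies the encrypted files to a separate location and verifies each copy by SHA-256 before any recovery tool touches them. The function names and the sample tree in `demo()` are constructed for illustration; only the suffix and the note name come from the article.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".lesli"                    # suffix named in the article
RANSOM_NOTE = "INSTRUCTION RESTORE FILE.TXT"   # note name given in the article

def sha256(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large files do not exhaust memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def inventory(root: Path) -> dict:
    """Read-only walk: list encrypted files and ransom notes under root."""
    found = {"encrypted": [], "notes": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file() and not p.is_symlink()):
        if path.name.lower().endswith(ENCRYPTED_SUFFIX):
            found["encrypted"].append(path)
        elif path.name.upper() == RANSOM_NOTE:
            found["notes"].append(path)
    return found

def backup_encrypted(root: Path, dest: Path) -> list:
    """Copy encrypted files to dest (relative paths kept) and verify each copy."""
    manifest = []
    for src in inventory(root)["encrypted"]:
        target = dest / src.relative_to(root)
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, target)
        digest = sha256(target)
        if digest != sha256(src):
            raise OSError(f"copy of {src} does not match the original")
        manifest.append((src.relative_to(root).as_posix(), digest))
    return manifest

def demo() -> tuple:  # constructed sample tree, file names are illustrative
    with tempfile.TemporaryDirectory() as tmp:
        root, dest = Path(tmp, "profile"), Path(tmp, "backup")
        (root / "Docs").mkdir(parents=True)
        (root / "Docs" / "report.docx.lesli").write_bytes(b"constructed ciphertext 1")
        (root / "photo.jpg.LESLI").write_bytes(b"constructed ciphertext 2")
        (root / "Docs" / RANSOM_NOTE).write_text("constructed note")
        (root / "notes.txt").write_text("untouched")
        manifest = backup_encrypted(root, dest)
        return len(inventory(root)["notes"]), manifest
```

Point `dest` at a drive outside the scanned tree, and keep the returned manifest so the backup can be re-verified later.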


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
