What is Lezp file extension
.Lezp file extension is a file extension that is used by the newest version of STOP (djvu) ransomware to mark files that have been encrypted. Ransomware is malware created by criminals that restricts access to the victim’s files by encrypting them and demands a ransom for a pair of key-decryptor, necessary for decrypting files. Files encrypted with .lezp extension become useless, their contents cannot be read without the key that the criminals have. Fortunately, there is a free Lezp File Decrypt Tool, which in some cases can decrypt .lezp files. It will be described in detail in this article.
What is Lezp ransomware
Lezp ransomware is the latest version of STOP ransomware, which was discovered by security researchers recently. This is already the 221 variant (v0221) of STOP ransomware. Like other variants, it encrypts all files on the computer and then demands a ransom for decryption. Lezp encrypts files using a strong encryption method, which eliminates the possibility of finding a key in any way. For each victim, it uses a unique key with a small exception. If the ransomware cannot establish a connection with its command and control server (C&C) before starting the encryption process, then it uses an offline key. This key is the same for different victims, which makes it possible in some cases to decrypt files that were encrypted during the ransomware attack.
Lezp ransomware has the ability to encrypt files of any type, regardless of what is in them. But it skips files with the extension: .ini, .dll, .lnk, .bat, .sys and files named ‘_readme.txt’. Thus, the following common file types can be easily encrypted:
.gho, .wav, .wdb, .map, .qic, .dxg, .wsc, .wp6, .itdb, .dazip, .sql, .iwi, .wmv, .xlsm, .wbc, .xlsm, .odp, .desc, .zi, .wsh, .mddata, .arch00, .mpqge, .ff, .3dm, .wpd, .xlk, .zabw, .lrf, .sum, .m4a, .p7c, .zip, .wpb, .wpd, .kf, .rw2, .fpk, .xml, .lvl, .docm, .odc, .jpg, .hkdb, .wpe, .orf, .wri, .pptx, .zdc, .ai, .dmp, .wotreplay, .xmind, .vdf, .cer, .rtf, .z, .xar, .zdb, .wsd, .pdd, .mov, .vpk, .bar, .zip, .slm, .big, .sidd, .tax, .zif, .apk, .y, .t12, .wmf, .x3d, .p7b, .r3d, .1, .fsh, .wbmp, .wp4, .dwg, .ptx, .pst, .wbk, .css, .gdb, .m2, .js, .w3x, .yml, .wp5, .x3f, .epk, .webp, .xld, .rofl, .itl, .ws, .webdoc, .xbdoc, .xx, .wp7, .dng, .sav, .ibank, .cas, .cdr, .mcmeta, .vcf, .psd, .indd, .p12, .mrwref, .raf, .bc7, .png, .1st, .bik, .flv, .forge, .lbf, .menu, .nrw, .itm, .xlsx, .mdf, .wpw, .wmo, .icxs, .pkpass, .erf, .eps, .dbf, .ods, .wps, .sie, .dcr, .ntl, .wpg, .7z, .odb, .mef, .wire, .bsa, .ysp, .litemod, .asset, .layout, .2bp, .snx, .raw, .wpt, .psk, .xbplate, .re4, .cr2, .rb, .0, .wdp, .ppt, .wma, .wbd, .rim, .xpm, .wmd, .pef, .csv, .wbm, .avi, .wcf, .x, .hplg, .mdbackup, .srf, .bay, .txt, .xlsx, .wgz, .kdb, .docx, .t13, .accdb, .xls, .xxx, .blob, .pptm, .wpl, .xf, .sr2, .x3f, .m3u, .wb2, .mp4, .rar, .wbz, .esm, .tor, .xyw, .pdf, .dba, .doc, .fos, .wot, .xy3, .rgss3a, .odt, .xlsb, .sidn, .ztmp, .z3d, .kdc, .xls, .svg, .bc6, .xlgc
Each file that has been encrypted will be renamed. This means the following. If a file was called ‘document.docx’, then after encryption, it will be named ‘document.docx.lezp’. Lezp ransomware can encrypt files located on all drives connected to the computer. Therefore, files located in network attached storage and external devices can also be encrypted. It encrypts file by file, when all the files in the directory are encrypted, it drops a new file in the directory, which is called ‘_readme.txt’. Below is the contents of this file.
All directories with encrypted files have this file. But the contents of this file are the same everywhere. This file contains a message from Lezp creators. In this message, the criminals report that all the files were encrypted and the only way to decrypt them is to buy a decryptor and key. Attackers demand a ransom of $490, if the victim does not pay the ransom within 72 hours, then the ransom will double to $980. Lezp authors left two email addresses that the victim must use to contact them. To confirm the possibility of decryption, criminals offer to decrypt one file that does not contain important information for free. But it’s obvious that there is no guarantee that even by paying the ransom, the victim will be able to decrypt all files that have been encrypted.
Threat Summary
Name | Lezp ransomware |
Type | File locker, Ransomware, Crypto malware, Filecoder, Crypto virus |
Encrypted files extension | .lezp |
Ransom note | _readme.txt |
Contact | helpmanager@mail.ch, helpdatarestore@firemail.cc |
Ransom amount | $490,$980 in Bitcoins |
Detection Names | Trojan.Ransom.Stop, Trojan/Win32.Wacatac, Ransom.Stop.MP4, Win32/Kryptik.HCUS, Trojan.MalPack.GS, Trojan:Win32/Occamy.C, Trojan-Ransom.Win32.Stop.mj, Trojan-Ransom.Win32.Stop.mj, Trojan.DownLoader33.34078 |
Symptoms | Cannot open files stored on the computer. You get an error message like ‘Windows can’t open this file’, ‘How do you want to open this file’. Files named like ‘_readme.txt’, ‘#_README_#’, ‘_DECRYPT_’ or ‘recover’ in each folder with at least one encrypted file.. Ransom demanding message on your desktop. |
Distribution methods | Spam mails that contain malicious links. Malicious downloads that happen without a user’s knowledge when they visit a compromised website. Social media, such as web-based instant messaging applications. USB stick and other removable media. |
Removal | Lezp ransomware removal guide |
Decryption | Lezp File Decrypt Tool |
Lezp authors claim that it is impossible to decrypt files that have been encrypted. Unfortunately, this is true. Security researchers confirm that a key and a decryptor are required to decrypt files. As we said above, in some cases, the Lezp ransomware encrypts files with an offline key that can be determined by security researchers. Files encrypted with this key can be decrypted using a free Lezp File Decrypt Tool. In all remaining cases, decryption is not yet possible. But there are several alternative ways that can allow everyone to recover the contents of encrypted files.
How to remove Lezp ransomware virus & Decrypt .lezp files
If your files were encrypted with Lezp ransomware virus, we recommend using the following steps, which will allow you to remove the ransomware and decrypt (restore) the encrypted files. Read this entire manual, then open it on your smartphone or print it. So it will be more convenient for you to carry out all the necessary actions.
- How to remove Lezp ransomware
- How to decrypt .lezp files
- How to restore .lezp files
- How to protect your machine from Lezp ransomware virus?
How to remove Lezp ransomware
It is not recommended to immediately start decrypting or restoring files, this will be your mistake. This way is wrong. The right way is to go step by step: scan your computer for ransomware, detect and remove Lezp ransomware, decrypt (recover) the encrypted files. To search for ransomware, we recommend using free malware removal tools. It is very important to use multiple malware removal tools to identify and remove Lezp. Each of the used tools should be based on a different anti-virus (anti-malware) engine. This is the only way to make sure that the ransomware was found and completely removed.
Use Zemana to remove Lezp ransomware
Zemana is a complete package of anti malware utilities that can help you remove Lezp ransomware. Despite so many features, it does not reduce the performance of your computer. Zemana can uninstall almost all the types of ransomware, trojans, worms, adware software, hijackers, potentially unwanted software and other malicious software. Zemana has real-time protection that can defeat most malware and ransomware virus. You can use Zemana Anti-malware with any other antivirus without any conflicts.
Click the link below to download Zemana Anti-Malware setup package named Zemana.AntiMalware.Setup on your machine. Save it on your Desktop.
164301 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
Launch the setup file after it has been downloaded successfully and then follow the prompts to install this tool on your computer.
During installation you can change certain settings, but we recommend you do not make any changes to default settings.
When installation is finished, this malware removal utility will automatically run and update itself. You will see its main window as on the image below.
Now click the “Scan” button to perform a system scan with this utility for the Lezp ransomware related folders,files and registry keys. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your machine and the speed of your PC. While the Zemana program is scanning, you can see number of objects it has identified as threat.
After the scanning is complete, Zemana will display a list of detected threats. Make sure all threats have ‘checkmark’ and press “Next” button.
The Zemana will remove Lezp ransomware, other kinds of potential threats like malware and trojans and move the selected threats to the Quarantine. After finished, you may be prompted to restart your computer to make the change take effect.
Use MalwareBytes AntiMalware to remove Lezp virus
We recommend using the MalwareBytes that are completely clean your computer of the Lezp crypto malware. This utility is an advanced malicious software removal program made by (c) Malwarebytes lab. This program uses the world’s most popular anti-malware technology. It is able to help you remove ransomware, potentially unwanted programs, malicious software, adware software, toolbars, and other security threats from your computer for free.
MalwareBytes can be downloaded from the following link. Save it to your Desktop.
326641 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
Once downloading is done, close all windows on your PC system. Further, launch the file named mb3-setup. If the “User Account Control” prompt pops up like below, click the “Yes” button.
It will display the “Setup wizard” that will help you install MalwareBytes Free on the PC. Follow the prompts and don’t make any changes to default settings.
Once installation is finished successfully, press Finish button. Then MalwareBytes Anti Malware will automatically launch and you may see its main window as shown in the figure below.
Next, press the “Scan Now” button for checking your PC system for the Lezp ransomware, other kinds of potential threats such as malware and trojans. A scan may take anywhere from 10 to 30 minutes, depending on the number of files on your PC and the speed of your PC. While the utility is checking, you can see number of objects and files has already scanned.
After MalwareBytes Free has completed scanning, a list of all items detected is prepared. Review the results once the utility has done the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply click “Quarantine Selected” button.
The MalwareBytes Anti Malware will start to delete Lezp crypto malware and other security threats. After the procedure is done, you may be prompted to reboot your PC. We suggest you look at the following video, which completely explains the process of using the MalwareBytes Free to uninstall hijacker infections, adware and other malware.
If the problem with Lezp is still remained
Kaspersky virus removal tool (KVRT) is free and easy to use. It can detect and remove ransomware, spyware, PUPs, worms, trojans, adware and other malware. KVRT is powerful enough to find and uninstall malicious registry entries and files that are hidden on the system.
Download Kaspersky virus removal tool (KVRT) on your PC by clicking on the link below.
129146 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
After downloading is done, double-click on the KVRT icon. Once initialization process is complete, you’ll see the KVRT screen as shown below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next press Start scan button to detect Lezp crypto malware and other malware. When a threat is detected, the number of the security threats will change accordingly.
After the scan get finished, it will show the Scan Results as shown in the following example.
Once you’ve selected what you wish to delete from your personal computer click on Continue to start a cleaning task.
How to decrypt .lezp files
All files with the ‘.lezp’ extension are encrypted. Their contents cannot be unlocked simply by removing this extension or completely changing the filename. To decrypt .lezp files, you need a Lezp File Decrypt Tool. Fortunately, Emsisoft has created a free decryptor called STOP Djvu decryptor.
To decrypt .lezp files, use free Lezp File Decrypt Tool
- Download Lezp File Decrypt Tool from the following link.
STOP Djvu decryptor - Scroll down to ‘New Djvu ransomware’ section.
- Click the download link and save the ‘decrypt_STOPDjvu.exe’ file to your desktop.
- Run decrypt_STOPDjvu.exe, read the license terms and instructions.
- On the ‘Decryptor’ tab, using the ‘Add a folder’ button, add the directory or disk where the encrypted files are located.
- Click the ‘Decrypt’ button.
Lezp File Decrypt Tool is a free tool that allows everyone to decrypt .lezp files for free. At the moment, the decryptor can only decrypt files that have been encrypted with an offline key. Unfortunately, if the files were encrypted with an online key, then the free decryptor is completely useless. The online key is unique to each infected computer, and at the moment there is no way to find this key. Of course, criminals have this key, but we do not think that paying a ransom is a way to decrypt .lezp files. In the case when the files are encrypted with an online key, there is a chance to restore the encrypted files using alternative methods, which are described below.
How to find out which key was used to encrypt files
Since Lezp File Decrypt Tool only decrypts files encrypted with the offline key, each Lezp’s victim needs to find out which key was used to encrypt the files. Determining the type of key used is not difficult. Below we give two ways. Use any of them. We recommend using the second method, as it is more accurate.
Find out the type of key using ‘_readme.txt’ file
- Open the ransom demand message (‘_readme.txt’ file).
- Scroll down to the end of the file.
- There you will see a line with the text ‘Your personal ID’.
- Below is a line of characters that starts with ‘0221’ – this is your personal id.
Find out the type of key using ‘PersonalID.txt’ file
- Open disk C.
- Open directory ‘SystemID’.
- Open file named ‘PersonalID.txt’. This file lists ‘Personal ID’s that match the keys that the Lezp ransomware used to encrypt files.
The ‘Personal ID’ is not a key, it is an identifier related to a key that was used to encrypt files. If the ID ends with ‘t1’, then the files are encrypted with an offline key. If the ID does not end with ‘t1’, the Lezp ransomware used an online key. If you could not figure out how to determine which key was used to encrypt files, then we can help. Just write a request here or in the comments below.
Lezp File Decypt Tool : No key for New Variant offline ID
If during decryption of .lezp files the Lezp File Decypt Tool reports No key for New Variant offline ID, then this means the following: your files are encrypted with an ‘offline key’, but the key itself has not yet been found by security researchers, in this case, you need to be patient and wait a while, in addition, you can also use alternative ways for recovering encrypted data. It is impossible to say exactly when the ‘offline key’ will be determined. Sometimes it takes several days, sometimes more. We recommend that you try to decrypt .lezp files from time to time. You can also use alternative ways listed below for recovering encrypted data.
Lezp File Decypt Tool : No key for New Variant online ID
If, when you try to decrypt .lezp files, the Lezp File Decypt Tool reports No key for New Variant online ID, then this means that your files are encrypted with an ‘online key’ and their decryption is impossible, since only the Lezp authors have the key necessary for decryption. In this case, you need to use alternative methods listed below to restore the contents of encrypted files.
How to restore .lezp files
As we already said, Lezp File Decypt Tool can only decrypt files encrypted using the so called ‘offline key’. What to do when files were encrypted with an online key? Even in this case, everyone has a chance to recover the contents of encrypted files. This is possible due to the existence of several alternative ways to restore files. Each of these methods does not require a decryptor and a unique key, which is in the hands of criminals. The only thing we strongly recommend that you perform (if you have not already done so) is to perform a full scan of the computer. You must be 100% sure that Lezp virus has been removed. To find and remove ransomware, use the free malware removal tools.
Use ShadowExplorer to recover .lezp files
The Windows OS (10, 8, 7 , Vista) has one very useful feature, it makes copies of all files that have been modified or deleted. This is done so that the user can recover, if necessary, the previous version of accidentally deleted or damaged files. These copies of the files are called ‘Shadow copies’. One tool that can help you recover files from the Shadow copies is ShadowExplorer. It is very small tool and easy to use. Unfortunately, ransomware often delete Shadow copies, thus blocking this method of recovering encrypted files. Nevertheless, be sure to try this method.
Please go to the link below to download the latest version of ShadowExplorer for MS Windows. Save it directly to your Windows Desktop.
439028 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
After the download is finished, extract the saved file to a folder on your PC. This will create the necessary files like below.
Run the ShadowExplorerPortable program. Now select the date (2) that you want to recover from and the drive (1) you wish to restore files (folders) from similar to the one below.
On right panel navigate to the file (folder) you wish to recover. Right-click to the file or folder and click the Export button as on the image below.
And finally, specify a folder (your Desktop) to save the shadow copy of encrypted file and click ‘OK’ button.
This video step-by-step guide will demonstrate How to recover encrypted files using Shadow Explorer.
Recover .lezp files with PhotoRec
Another alternative way to recover encrypted files is to use data recovery tools. We recommend using a program called PhotoRec. This tool is free and does not require installation. Below we will show in detail how to use it to restore encrypted files.
Download PhotoRec from the link below. Save it to your Desktop.
When the download is finished, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as on the image below.
Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It’ll show a screen as displayed in the following example.
Choose a drive to recover as shown on the image below.
You will see a list of available partitions. Choose a partition that holds encrypted photos, documents and music as displayed in the following example.
Click File Formats button and select file types to recover. You can to enable or disable the restore of certain file types. When this is finished, press OK button.
Next, click Browse button to choose where recovered files should be written, then press Search.
Count of recovered files is updated in real time. All recovered files are written in a folder that you have chosen on the previous step. You can to access the files even if the recovery process is not finished.
When the recovery is finished, click on Quit button. Next, open the directory where restored documents, photos and music are stored. You will see a contents as shown below.
All recovered documents, photos and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, then you can to sort your recovered files by extension and/or date/time.
This video step-by-step guide will demonstrate How to recover encrypted files using PhotoRec.
How to protect your machine from Lezp ransomware virus
Most antivirus apps already have built-in protection system against the crypto malware. Therefore, if your PC does not have an antivirus program, make sure you install it. As an extra protection, run the HitmanPro.Alert. All-in-all, HitmanPro.Alert is a fantastic tool to protect your computer from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of Microsoft Windows operating system from MS Windows XP to Windows 10.
Download HitmanPro Alert on your system by clicking on the following link.
Once downloading is complete, open the folder in which you saved it. You will see an icon like below.
Double click the HitmanPro Alert desktop icon. Once the utility is started, you will be displayed a window where you can select a level of protection, as shown on the screen below.
Now click the Install button to activate the protection.
Finish words
This guide was created to help all victims of Lezp ransomware virus. We tried to give answers to the following questions: how to remove Lezp ransomware; how to decrypt .lezp files; how to recover files, if the Lezp File Decypt Tool does not help; what is an online key and what is an offline key. We hope that the information presented in this manual has helped you.
If you have questions, then write to us, leaving a comment below. If you need more help with Lezp related issues, go to here.
I got virus of .lezp extension, Please help me to recovery the data. my ID is: 0221yiuduy6S5dLzVjbQi6EFKsp8DAswqDlRglIuIFAiPNpCknsX4V
Many thanks
The “0221yiuduy6S5dLzVjbQi6EFKsp8DAswqDlRglIuIFAiPNpCknsX4V” ID is related to an online key, so files cannot be decrypted. Try to restore the contents of encrypted files using the steps linked below: How to recover encrypted files.
Hi there
I had contacted to hacker to ask the recovery. and I send to them a file. The point is that they can recovery my file without my ID.
That leads me to a conclusion that the file can recovery by a software without personal ID. Am I right? Could you help me to find this software?
Probably an encrypted file contains information by which the ransomware authors will be able to determine your ID.
(0221yiuduy6S5dLzVjbQi6EFKsp8DAswqDlRglIuIFAiPNpCknsX4V)
I also had this problem
This is an online key for you
In the lezp virus you cannot recover lost files
ShadowExplorer and recovery software cannot recover the file
for Example
myPhoto.jpg after lezp virus = MyPhoto.Lezp
MyPhoto.Lezp Cannot be recovered with any software
The “0221yiuduy6S5dLzVjbQi6EFKsp8DAswqDlRglIuIFAiPNpCknsX4V” ID is related to an online key, so files cannot be decrypted. Try to restore the contents of encrypted files using the steps linked below: How to recover encrypted files.
Hi, could you advise please whether that’s possible to restore my files after my windows was reinstalled?
If the drive where the encrypted files were located was reformatted, then you probably will not be able to recover the files. Nevertheless, try PhotoRec.
The drive was reformatted, but before that, the encrypted files were coppied to an external drive and then transferred into the new Windows… PhotoRec didn’t help me 🙁
If files are encrypted with an online key, then they cannot be decrypted in any way.
i got this virus.. so sad.. i lost so many documents. can’t understand why people are so bad, made this kind of virus and then sell the decrypt tools..
i tried photorec but can decrypt image files only.. all pdfs and docs can’t be restored..
I tried restoring my computer system, still couldnt retrieve my files. I have a project I am working on and I cant really imagine starting again!
Has anyone paid them????
At this point, is it advisable to do so?
Don’t have the money but I’m almost losing my mind.
Can anyone help???