1 of 2
Danger level 6
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

Scarab-Leen Ransomware

Scarab-Leen Ransomware may mark all your files with the .leen extension, for example, garden.jpg.leen, birthday_party.avi.leen, etc. Data that have it should be encrypted with a secure encryption algorithm, which means it should become useless. The bad news is if you have no backup copies the only other way to restore locked data is with a decryption tool and sadly, it is in the hands of the cybercriminals behind this malicious program. They expect their victims to pay ransoms to get such tools and decrypt their data, but we would strongly advise against it. No doubt, there is a chance the hackers might not deliver the promised tool even if you pay the demanded sum. As you see since you are asked to pay first, they can take the money they receive, and it does not matter if they deliver the promised decryptor or not. Therefore, if you do not want to risk being scammed, we encourage you to erase Scarab-Leen Ransomware instead. The instructions showing how to eliminate it manually will await you at the end of the article.

Malicious programs like Scarab-Leen Ransomware are often distributed via infected email attachments, software installers, pop-up advertisements, and so on. Meaning, to avoid such threats users have to be cautious when surfing the Internet and especially downloading any content from it. Always make sure the file you are downloading comes from a trustworthy source. Provided, you have any doubts about it, we would recommend scanning the file raising your suspicion with a reliable antimalware tool. Naturally, the content we would particularly suggest watching out would be attachments received with Spam emails, installers from torrent and other unreliable file-sharing websites alike, and so on.

Once the user launched the malware accidentally, it should create a few Registry entries with random names. For example, while we tested Scarab-Leen Ransomware, it created a value name called QORTsRmnNPmDwD in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run directory. This specific file may allow the threat launch itself automatically with every system restart. Thus, if the computer gets infected the data on it might be unsafe until the victim gets rid of the malware. Besides the described Registry entries, the malicious program could create a couple of executable files in the %APPDATA% directory. As well as, a particular image and a text document in the %USERPROFILE% folder, although these two files are should be dropped only after the malware finishes encrypting user’s data.

According to our specialists, Scarab-Leen Ransomware might target files like pictures, photos, archives, videos, etc. We believe it should be personal data created by the user as it is more likely to be irreplaceable to the victim. After they are all marked with the .leen extension, the malware might change user’s Desktop picture with an image carrying a specific message and open a text document containing a ransom note. The messages the user should see are supposed to say all of his files were encrypted and to decrypt them the victim needs to email the cybercriminals behind Scarab-Leen Ransomware and pay a ransom. The ransom note might even claim the data was encrypted “due to a security problem with your PC.” While this could be more or less true, users should not think it was legal to do so.

Another thing that caught our attention is the malicious program’s developers may say they can guarantee the files can be restored. To prove it they offer decrypting up to three small and useless files for free. Keep it in mind while this could show the hackers have the needed decryption tools, it does not guarantee they will be willing to share them with you. In other words, it is entirely possible you could end up being scammed, and if you do not want this, we would advise you not to put up with any demands. If you have no intention of paying the ransom, we recommend deleting Scarab-Leen Ransomware. It is possible to remove it manually, and you can learn how to do so if you follow the instructions available at the end of this text. In case it looks too challenging for you, it would be smarter to download a reliable antimalware tool and let it erase the threat for you.

Remove Scarab-Leen Ransomware

  1. Press Ctrl+Alt+Delete.
  2. Go to the Task Manager.
  3. Find the malware’s process.
  4. Mark this process and click End Task.
  5. Exit Task Manager.
  6. Tap Win+E.
  7. Navigate to:
    %TEMP%
    %USERPROFILE%\desktop
    %USERPROFILE%\downloads
  8. Check if you can see the malicious file downloaded before the computer got infected.
  9. Right-click the suspicious file and press Delete.
  10. Find this directory: %APPDATA%
  11. Look for suspicious executable files, for example, helper.exe and leen.exe.
  12. Right-click the malicious executable files and select Delete.
  13. Navigate to %USERPROFILE%
  14. Search for a document called HOW TO RECOVER ENCRYPTED FILES.TXT and a randomly named .bmp file.
  15. Right-click these files and press Delete.
  16. Close File Explorer.
  17. Press Win+R.
  18. Type Regedit and press OK.
  19. Find this location: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  20. Look for a couple of value names with random titles and pointing to C:\Users\user\AppData\Roaming or C:\Users\user\INSTRUCTIONS FOR RESTORING FILES.TXT
  21. Right-click these value names and press Delete.
  22. Then go to: HKEY_CURRENT_USER\Software
  23. Look for a randomly named key belonging to this threat.
  24. Right-click it and choose Delete.
  25. Leave Registry Editor.
  26. Empty Recycle bin.
  27. Reboot the system.
Download Spyware Removal Tool to Remove* Scarab-Leen Ransomware
  • Quick & tested solution for Scarab-Leen Ransomware removal.
  • 100% Free Scan for Windows
disclaimer
Disclaimer

Post comment — WE NEED YOUR OPINION!

Comment:
Name:
Please enter security code:
This is a captcha-picture. It is used to prevent mass-access by robots.