How to remove TomLe ransomware

TomLe ransomware is file-encrypting malware released by the Dharma malware family. It’s essentially identical to all other ransomware versions released by this family, and it adds the .TomLe extension to encrypted files.

 

The Dharma malware family has released countless ransomware over the last couple of years, and while they’re all very similar, you can identify which one you’re dealing with by the extension added to encrypted files. This ones adds .[TomLee240@aol.com].TomLe, which is why it’s known as TomLe ransomware. As you’ve likely already noticed, you will not be able to open encrypted files, unless you first run them through a decryptor. But at this time, the only people who have a working decryptor are the people behind this ransomware. Once it’s done encrypting files, a pop-up ransom note will appear. It explains that you can recover your files if you send an email to TomLee240@aol.com with your assigned ID. But getting the decryptor involves paying the ransom, as the cyber crooks operating this ransomware will not just give it to your for free. The decryptor price is not mentioned in the ransom note, however. Though it will likely be somewhere between a couple of hundred to a couple of thousand dollars, as that is the usual price. But when it comes to paying the ransomware, there’s a lot of risk involved.

Do not forget that you are dealing with cyber criminals who will not hesitate to create havoc just to make money. There’s nothing stopping them from simply taking your files and not sending a decryption tool, and they’re unlikely to feel any kind of obligation to help you. Furthermore, the more victims pay the ransom, the more common ransomware becomes, as those payments encourage them to continue their malicious activities.

If you have backup, file recovery should not be an issue, provided you first remove TomLe ransomware from the computer. If the ransomware is still present when you connect to your backup, the files in backup would become encrypted. And if that happens, file recovery would become impossible.

If you don’t have backup and no other option of recovering files, waiting for malware researchers to develop a free decryptor may be the only option. However, it may not be possible at this current moment because the decryption key necessary to work the decryptor is unique to each victim. Until those keys are released by the cyber crooks themselves or someone else, a decryptor that works for everyone will not be released. If one does get released, it would become available on NoMoreRansom.

How does ransomware infect a computer?

If you have bad browsing habits, you’re more likely to pickup some kind of infection, especially if you open unsolicited email attachments, pirate via torrents, click on ads when browsing high-risk websites, and fall for fake update notifications. If you develop better habits, you should be able to avoid a lot of malware.

If you pirate copyrighted content, you likely already know how easy it is to pick up ransomware or other kinds of malware. Torrent platforms are not very well regulated, which allows malicious actors to easily upload their malware disguised as torrents for popular movies, TV series, games and software. Pirating is not only essentially stealing content, it’s also potentially harmful for the computer.

But the most common way users pick up ransomware is via email attachments. The emails carrying malware are harmless as long as you don’t click on links or open attachments. Once you open a malicious attachment and enable macros, the ransomware will be permitted to initiate. Fortunately, unless someone is targeted specifically, malspam is usually quite obvious. Malicious emails will be sent from random-looking email addresses, contain loads of grammar and spelling mistakes, and put pressure to open the attachment. The attachments are usually disguised as invoices, receipts, and other important documents. We strongly recommend always scanning unsolicited email attachments with anti-virus software or VirusTotal.

Lastly, it’s very important to stress the importance of updates. Updates patch known system vulnerabilities, which if unpatched could be used by malware to get into the computer. Whenever possible, enable automatic updates to make sure your system is always up-to-date.

Encrypted files will have the .TomLe extension added

Once you initiate the ransomware, it will immediately start encrypting your files. It will mainly target your personal files, such as photos, videos, documents, etc. You will be able to tell which files have been encrypted because they will have .[TomLee240@aol.com].TomLe added to them. The extension will also contain your assigned ID. So an encrypted file would look something like this: text.txt.unique ID.[TomLee240@aol.com].TomLe.

As soon as file encryption is complete, two ransom notes will appear, one pop-up one, and one FILES ENCRYPTED.txt text one. Both contain contact email addresses for the cyber crooks operating this ransomware, but the pop-up one will contain more information. The pop-up note explains that your files have been encrypted and you can start file recovery by sending an email to tomlee240@aol.com or tomlee24@tuta.io with your ID. The note does not mention the decryption price, but like we said above, it will likely be somewhere between $100 and $1000.

Whether you pay the ransom or not is your decision but you should be aware of the risks. The main reason we don’t suggest paying the ransom is because you’re not guaranteed a decryptor. The cyber crooks behind this ransomware can choose to not send the decryptor, as there’s nothing stopping them from doing that.

If you don’t have backup, your only option may be to wait for a free decryptor to become available. Back up encrypted files and check NoMoreRansom on a regular basis. If you do have backup, you can start recovering files as soon as you remove TomLe ransomware from the computer.

How to delete TomLe ransomware

To correctly carry out TomLe ransomware removal, you need to use anti-virus software. If you try to remove TomLe ransomware manually, you could end up causing even more damage. Unfortunately, just because you get rid of the ransomware, does not mean files will become decrypted. A decryptor is necessary for that.