.MOLE File Virus – Remove It and Restore Your Data

.MOLE File Virus – Remove It and Restore Your Data

This article will aid you to remove the .MOLE File Virus completely. Follow the ransomware removal instructions at the end of this article.

A new cryptovirus variant without pointing out its name in its ransom note is seen to encrypt people’s files with the .MOLE extension. Malware researchers believe that it is a variant of the CryptoMix ransomware. Distribution for it mainly happens via spam e-mails. Opening such an e-mail loads a MS Word document, which is fake and contains the payload. Once that payload is executed, your data will get encrypted and the virus will leave a ransom note with payment instructions. Continue to read below and see how you might try to potentially restore some of your file data.

Threat Summary

Name.MOLE File Virus
TypeRansomware, Cryptovirus
Short DescriptionThe ransomware virus is believed to be a variant of CryptoMix. After encryption, it will display a detailed ransom note with payment instructions.
SymptomsThe ransomware will encrypt your files and then place the extension .MOLE on each encrypted file.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by .MOLE File Virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .MOLE File Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.MOLE File Virus – Distribution Methods

The .MOLE file virus can distribute its infection through different methods. Currently, the main distribution method is via spam e-mails. That has been confirmed by malware researchers. Such an e-mail will pretend to be regarding some sort of a shipping notification and in most cases that a package has failed to be delivered. An example with the contents of a similar e-mail can be viewed from the screenshot down here:

As you can see above, a link will be present in the e-mail, stating that you can find further information about the case laid out inside the electronic letter. Clicking the link will trigger a redirect to a Web address portraying a fake Microsoft Word Document. You can see an example of that document below:

The document states that it is unreadable unless you install a plug-in that will “unlock” it. Pressing on the Download and install latest plugin version button will download the cryptovirus to your computer system and launch it.

The .MOLE file virus is also possible to distribute similar messages containing its payload file on social media and file-sharing services. Refrain from opening files right after you have downloaded them, especially if they come from suspicious sources such as links or e-mails as displayed above. Instead, you should scan them beforehand with a security tool. You should read the ransomware prevention tips written in our forum section.

.MOLE File Virus – In-Depth Analysis

The .MOLE file virus is dubbed like that due to the fact that it encrypts files while placing the .MOLE extension to them. Malware researchers claim that the ransomware is a variant of the CryptoMix ransomware virus.

After you have downloaded the ransomware from the fake MS Word document, the ransomware will display an error message:

The message states:

Display Color Calibration can’t turn off Windows calibration management.

Access is denied.

Then, when the “OK” button is pressed, the UAC (User Account Control) will launch asking you to give permission for the execution of the following command:

→”C:\Windows\SysWOW64\wbem\WMIC.exe” process call create “%UserProfile%\pluginoffice.exe”

Giving that permission will re-launch the ransomware with Administrative privileges, and your computer will be scanned so your files get encrypted.

The following processes will be stopped:

  • sc stop wscsvc
  • sc stop WinDefend
  • sc stop wuauserv
  • sc stop BITS
  • sc stop ERSvc
  • sc stop WerSvc

The ransom note will appear after the encryption process is finished. The note is written in English. Inside, you will see instructions with the demands for payment and how you might recover your files. The ransom note is inside a file called “INSTRUCTION_FOR_HELPING_FILE_RECOVERY.txt”.

That ransom note reads the following:

All your important files were encrypted on this computer.
You can verify this by click on see files an try open them.
Encryption was produced using unique public key RSA-1024 generated for this computer.
To decrypted files, you need to obtain private key.
The single copy of the private key, with will allow you to decrypt the files, is locate on a secret server on the internet.
The server will destroy the key within 78 hours after encryption completed.
To retrieve the private key, you need to Contact us by email , send us an email your DECRYPT-ID-0ec69ed5-3c99-40f8-8544-0c7653dcd3e5 number
and wait for further instructions.
For you to be sure, that we can decrypt your files – you can send us a single encrypted file and we will send you back it in a decrypted form.
Please do not waste your time! You have 72 hours only! After that The Main Server will double your price!
[email protected]
[email protected]

The ransom note of the .MOLE file virus should not be followed. You should NOT under any circumstances pay or contact the cybercriminals. Your files may not even be restored, and nobody could guarantee you that. Moreover, supporting criminals is not a good idea. The crooks may get motivated to do more criminal activities, like creating more ransomware viruses.

.MOLE File Virus – Encryption Process

.MOLE file virus has an interesting encryption process. The encryption algorithms which are used for the process are both RSA and AES. A unique hexadecimal ID is created for each victim. That ID will get sent to a C2 (Command and Control) server that will utilize an RSA-1024 public encryption key. Your files will first get encrypted by an AES key and then that key will get further encrypted with the RSA-1024 key sent over the C2 server.

The file “%UserProfile%\AppData\Roaming\26E14BA00B70A5D0AE4EBAD33D3416B0.MOLE” contains the public RSA key.

The contents of that file are the following:


Every file that gets encrypted will receive the same extension appended to each one of them, and that is the .MOLE extension. For instance Work.doc will look like SUD87S87S79DD8SF76SD7F8SD8F4F321.MOLE after encryption is done. Below you can see all file extensions that the .MOLE ransomware seeks to encrypt:

→.doc, .xls, .pub, .odt, .ods, .odp, .odm, .odc, .odb, .wps, .xlk, .ppt, .mdb, .accdb, .pst, .dwg, .dxf, .dxg, .wpd, .rtf, .wb2, .mdf, .dbf, .psd, .pdd, .eps, .ai, .indd, .cdr, .jpg, .dng, .3fr, .arw, .srf, .sr2, .bay, .crw, .cr2, .dcr, .kdc, .erf, .mef, .mrw, .nef, .nrw, .orf, .raf, .raw, .rwl, .rw2, .r3d, .ptx, .pef, .srw, .x3f, .der, .cer, .crt, .pem, .pfx, .p12, .p7b, .p7c

Extension list Source: Symantec

The .MOLE file virus cryptovirus will delete the Shadow Volume Copies from the Windows operating system with issuing the following three commands:

→vssadmin.exe Delete Shadows /All /Quiet

→bcdedit /set {default} recoveryenabled No

→bcdedit /set {default} bootstatuspolicy ignoreallfailures

That also makes the encryption process more viable since it eliminates one of the ways for decrypting your data. Read on through and see what kind of ways you might try out to potentially recover some of your files.

Remove .MOLE File Virus and Restore Your Data

If your computer got infected with the .MOLE file virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computer systems. You should remove the ransomware and follow the step-by-step instructions guide provided below.

Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share