Remove .MOLE Ransomware and Restore Files (July 2017)


This article is designed to assist with the removal of the .MOLE file ransomware and to show how to restore files encrypted by this virus.

A ransomware infection using the .MOLE file extension was detected in the middle of April 2017. The virus aims to encrypt the files on the computers it compromises. The ransomware then leaves behind a ransom note demanding that victims pay a hefty ransom fee to restore the encrypted files. Security analysts believe the virus is one of the CryptoMix ransomware variants. If you have become a victim of this infection, we advise reading the article below carefully.

Threat Summary

Name: .MOLE virus
Type: Ransomware Virus
Short Description: Aims to encrypt the files on compromised computers; after encryption, it displays a detailed ransom note with payment instructions on how to decrypt them.
Symptoms: The .MOLE virus encrypts your files and then appends the .MOLE extension to them.
Distribution Method: Via spam e-mails pretending to come from a legitimate service. They contain a malicious web link that leads to a phishing web page where the malicious file, posing as a document, is downloaded.

Update July 2017! A new version of Mole ransomware has come out into the open, carrying the .MOLE02 file extension. You can learn more about it on the following web link.

How Does .MOLE Ransomware Infect

The infection process of the .MOLE virus has its own particulars but follows a common pattern. The ransomware uses several deceptive e-mail templates that make the message resemble a legitimate service, for example USPS Ground mail. The messages may trick victims into clicking on a suspicious URL.

After the victim clicks on the URL, he or she is redirected to a phishing Office365 website which pretends to open a Microsoft Word document online. The Word document then appears corrupt and displays the message “This document cannot be read in your browser”, and the phishing site asks the user to download the document in order to open it on his or her computer.

What the user actually downloads, however, is a dropper or another type of intermediary malware, which causes the infection with the .MOLE ransomware virus. Once activated, the virus immediately connects via an unsecured port to a distribution site, from which the malicious files of .MOLE ransomware are downloaded onto the victim’s computer. They may be located in the following directories:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%
  • %SystemDrive%
  • %Windows%

After the malicious files are downloaded, the virus begins its malicious activity.

.MOLE Ransomware – Malicious Activity

The activity of the .MOLE ransomware virus is composed of several malicious actions. Its first step is to display a fake error message after the user opens the fraudulent Microsoft Word document, which the user believes comes from USPS or another service. The fake error message takes the form of a Windows Error pop-up with the following notification:

The pop-up box has no button other than “OK”, and after it is clicked, the malware injects a prompt to launch a Windows command with elevated privileges (as an administrator):

→ "C:\Windows\SysWOW64\wbem\WMIC.exe" process call create "%UserProfile%\pluginoffice.exe"

After this command is launched, the .MOLE file virus begins to stop services related to critical Windows defense features such as Defender and SmartScreen. The services that are stopped (by service name) are the following:

wscsvc
WinDefend
wuauserv
BITS
ERSvc
WerSvc

After the processes are terminated, the virus may begin the encryption procedure.
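Detection logic for the two behaviours just described, added here as an example that is not code from the original article: it runs over constructed, Sysmon-style process-creation events and Service Control Manager state-change events (EventID 7036) and flags a WMIC "process call create" whose target lies under a user profile path, plus any host on which three or more of the listed defense services enter the stopped state. The event line format, the field names, the path hints and the threshold are assumptions for this illustration.

```python
import re
from collections import defaultdict

# Services the article names as stopped by the ransomware (service names).
DEFENSE_SERVICES = {"wscsvc", "WinDefend", "wuauserv", "BITS", "ERSvc", "WerSvc"}

# Path fragments that indicate a user-writable location (assumption: these
# cover the profile folders the article lists).
USER_WRITABLE_HINTS = ("\\users\\", "%userprofile%", "\\appdata\\")

# Matches 'WMIC.exe process call create "<target>"' regardless of case/quoting.
WMIC_CREATE = re.compile(
    r'wmic(?:\.exe)?["\s]+process\s+call\s+create\s+"?(?P<target>[^"\r\n]+)',
    re.IGNORECASE,
)


def parse_event(line):
    """Parse one 'key=value|key=value' line (constructed format) into a dict."""
    event = {}
    for part in line.strip().split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            event[key.strip()] = value.strip()
    return event


def flag_wmic_launch(event):
    """Return the target binary if a process-creation event (EventID 1) shows
    WMIC spawning something from a user-writable path, else None."""
    if event.get("EventID") != "1":
        return None
    match = WMIC_CREATE.search(event.get("CommandLine", ""))
    if not match:
        return None
    target = match.group("target").strip().strip('"')
    if any(hint in target.lower() for hint in USER_WRITABLE_HINTS):
        return target
    return None


def analyze(lines, threshold=3):
    """Summarise suspicious WMIC launches and defense-service stops per host."""
    launches = []
    stopped = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        host = event.get("Host", "?")
        target = flag_wmic_launch(event)
        if target:
            launches.append((host, target))
        # Service Control Manager logs EventID 7036 when a service changes state.
        if (event.get("EventID") == "7036"
                and event.get("State", "").lower() == "stopped"
                and event.get("Service") in DEFENSE_SERVICES):
            stopped[host].add(event["Service"])
    tampering = {h: sorted(s) for h, s in stopped.items() if len(s) >= threshold}
    return {"wmic_launches": launches, "service_tampering": tampering}


# Constructed sample events; this is not real telemetry.
SAMPLE_EVENTS = [
    r'Host=WS01|EventID=1|Image=C:\Windows\SysWOW64\wbem\WMIC.exe|CommandLine="C:\Windows\SysWOW64\wbem\WMIC.exe" process call create "%UserProfile%\pluginoffice.exe"',
    r'Host=WS01|EventID=1|Image=C:\Windows\System32\wbem\WMIC.exe|CommandLine=wmic.exe process call create "C:\Windows\System32\notepad.exe"',
    r'Host=WS02|EventID=1|Image=C:\Windows\System32\wbem\WMIC.exe|CommandLine=wmic os get caption',
    r'Host=WS01|EventID=7036|Service=WinDefend|State=stopped',
    r'Host=WS01|EventID=7036|Service=wscsvc|State=stopped',
    r'Host=WS01|EventID=7036|Service=wuauserv|State=stopped',
    r'Host=WS01|EventID=7036|Service=BITS|State=stopped',
    r'Host=WS01|EventID=7036|Service=Spooler|State=stopped',
    r'Host=WS02|EventID=7036|Service=BITS|State=stopped',
]

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EVENTS).items():
        print(key, value)
```

The WMIC launch from a system directory and the single BITS stop on WS02 are deliberately left unflagged: a lone service stop is routine, so the rule keys on the combination of a user-profile launch target and a cluster of defense services stopping on the same host.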

.MOLE Ransomware Virus – Encryption Process

The encryption process of the .MOLE ransomware is conducted via two primary encryption algorithms, the RSA and AES ciphers. This combination results in two types of keys being generated: a symmetric key (AES cipher) and an RSA public/private key pair for the encrypted files. The difficulty in decrypting such files is that unique keys are generated for each victim. These keys are saved in the %Roaming% directory under a random name with the .MOLE extension, after which the private ones are sent to the servers of the cyber-criminals behind .MOLE ransomware.

The file types which .MOLE ransomware is pre-programmed to hunt for, and to encrypt if it detects them, are the following:

.doc, .xls, .pub, .odt, .ods, .odp, .odm, .odc, .odb, .wps, .xlk, .ppt, .mdb, .accdb, .pst, .dwg, .dxf, .dxg, .wpd, .rtf, .wb2, .mdf, .dbf, .psd, .pdd, .eps, .ai, .indd, .cdr, .jpg, .dng, .3fr, .arw, .srf, .sr2, .bay, .crw, .cr2, .dcr, .kdc, .erf, .mef, .mrw, .nef, .nrw, .orf, .raf, .raw, .rwl, .rw2, .r3d, .ptx, .pef, .srw, .x3f, .der, .cer, .crt, .pem, .pfx, .p12, .p7b, .p7c

After the encryption process is complete, .MOLE ransomware may display its previously dropped ransom note, which is called “INSTRUCTION_FOR_HELPING_FILE_RECOVERY.txt” and has the following content:

Remove .MOLE Ransomware and Restore Your Files

For the removal of this infection, security experts strongly advise users to back up their files before they delete the virus.

Then follow the instructions below and isolate .MOLE ransomware in Safe Mode if you intend to remove it manually. If you lack the experience to remove it manually, however, we recommend using an advanced anti-malware tool which will take care of the removal automatically.

If your files have been encrypted by the ransomware, you can try the alternative methods suggested in step “2. Restore files Encrypted by .MOLE virus” below. They are designed to help you restore at least some of your encrypted files until a free decryptor is hopefully released.


To remove .MOLE virus follow these steps:

1. Boot Your PC In Safe Mode to isolate and remove .MOLE virus files and objects
2. Find files created by .MOLE virus on your PC


3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
4. Try to Restore files encrypted by .MOLE virus

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.

4 Comments

  1. ELIN Tseng
    1. Garima Uttarakhand

      Yes it appears.. and directory %roaming% could be crucial to you as it is the folder where the Private Key was saved before being sent to hackers..

      since your system is already infected … play a gamble…

      backup all your data.. install network monitoring software like wireshark. save new files to your PC.. see if virus tries to decrypt them if it does then definitely it will send private key again.. through wireshark you can catch that private key I guess. Good luck

      Reply
      1. ELIN Tseng

        what kind of solutions to solve my file?

        Reply
  2. clara
