MOLE Ransomware
Threat Scorecard
Metric | Value |
---|---|
Threat Level | 100 % (High) |
Infected Computers | 522 |
First Seen | April 13, 2017 |
Last Seen | February 29, 2024 |
OS(es) Affected | Windows |
The MOLE Ransomware is a ransomware Trojan that has been associated with a recent spam email campaign. The MOLE Ransomware belongs to the CryptoMix family of ransomware. The MOLE Ransomware may be delivered to the victim in email messages that pretend to be shipping notifications, claiming that a package couldn't be delivered and including a link for 'additional information.' Following the link leads to the installation of the MOLE Ransomware on the victim's computer: the victim is asked to install what is presented as a Microsoft Word Online plug-in, and that supposed plug-in is the MOLE Ransomware itself.
How the MOLE Ransomware may be Installed on the Victim’s Computer
While the MOLE Ransomware is being installed, its installer will display a bogus alert designed to trick the victim into skipping a User Account Control prompt. The message displayed reads as follows:
'Display Color Calibration can't turn off Windows calibration management.
Access is denied'
When the computer user presses the OK button in this message, a User Account Control prompt is displayed, and accepting it allows the executable file to run, so the MOLE Ransomware is executed. This gives the MOLE Ransomware administrative privileges, allowing it to encrypt the victim's files. The MOLE Ransomware uses a combination of AES and RSA encryption to encrypt the victim's data and make the files completely inaccessible. Before carrying out its attack, the MOLE Ransomware will attempt to stop security processes on the infected computer by issuing the following commands:
- sc stop wscsvc
- sc stop WinDefend
- sc stop wuauserv
- sc stop BITS
- sc stop ERSvc
- sc stop WerSv
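The burst of `sc stop` commands against the six services listed above is a usable detection signal. The following is an added example, not code from the original page: it runs over constructed process-creation log lines (the line format, host names and PIDs are assumptions) and flags any parent process that stops several of these services within a short window, while ignoring isolated stops that an administrator might issue.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Services the page lists the MOLE Ransomware stopping before encryption.
MOLE_SERVICE_STOPS = {"wscsvc", "windefend", "wuauserv", "bits", "ersvc", "wersv"}

# Constructed (assumed) log line format: "<ISO time> host=<name> parent=<pid> cmd=<command line>"
LOG_RE = re.compile(r"^(\S+) host=(\S+) parent=(\d+) cmd=(.+)$")
SC_STOP_RE = re.compile(r"^sc(?:\.exe)?\s+stop\s+(\S+)$", re.IGNORECASE)


def detect_service_stop_burst(lines, min_hits=4, window=timedelta(seconds=30)):
    """Return [(host, parent_pid, sorted services)] for every parent process that
    stops at least `min_hits` distinct MOLE target services within `window`."""
    seen = defaultdict(list)  # (host, parent_pid) -> [(timestamp, service)]
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line
        ts, host, parent, cmd = m.groups()
        sm = SC_STOP_RE.match(cmd.strip())
        if not sm or sm.group(1).lower() not in MOLE_SERVICE_STOPS:
            continue  # not an 'sc stop' against one of the listed services
        seen[(host, parent)].append((datetime.fromisoformat(ts), sm.group(1).lower()))

    alerts = []
    for (host, parent), events in seen.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # distinct services hit in the window starting at event i
            hits = {svc for t, svc in events[i:] if t - t0 <= window}
            if len(hits) >= min_hits:
                alerts.append((host, parent, sorted(hits)))
                break
    return alerts


# Constructed sample log: WS01 shows the MOLE pattern, WS02 shows benign isolated stops.
SAMPLE_LOG = """\
2017-04-13T10:00:01 host=WS01 parent=4120 cmd=sc stop wscsvc
2017-04-13T10:00:01 host=WS01 parent=4120 cmd=sc stop WinDefend
2017-04-13T10:00:02 host=WS01 parent=4120 cmd=sc stop wuauserv
2017-04-13T10:00:02 host=WS01 parent=4120 cmd=sc stop BITS
2017-04-13T10:00:02 host=WS01 parent=4120 cmd=sc stop ERSvc
2017-04-13T10:00:03 host=WS01 parent=4120 cmd=sc stop WerSv
2017-04-13T11:30:00 host=WS02 parent=900 cmd=sc stop BITS
2017-04-13T14:05:00 host=WS02 parent=900 cmd=sc stop wuauserv
2017-04-13T14:05:01 host=WS02 parent=900 cmd=sc query wuauserv
"""
```

Running `detect_service_stop_burst(SAMPLE_LOG.splitlines())` flags only WS01, where one parent stopped all six services within two seconds.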
The MOLE Ransomware will then disable Windows recovery and delete the Shadow Volume Copies, preventing computer users from recovering their files using alternate methods. Once this is done, the MOLE Ransomware will carry out its main attack, scanning the victim's computer and encrypting the victim's files. The MOLE Ransomware encrypts the victim's files and renames each one to a 32-character hexadecimal name with the file extension '.MOLE.'
How the MOLE Ransomware may Extract a Ransom from the Victim
The MOLE Ransomware creates text files in each folder where it encrypts content. These files are named 'INSTRUCTION_FOR_HELPING_FILE_RECOVERY.TXT' and contain the following text:
'All your important files were encrypted on this computer.
You can verify this by click on see files an try open them.
Encryption was produced using unique public key RSA-1024 generated for this computer.
To decrypted files, you need to obtain private key.
The single copy of the private key, with will allow you to decrypt the files, is locate on a secret server on the internet.
The server will destroy the key within 78 hours after encryption completed.
To retrieve the private key, you need to Contact us by email , send us an email your DECRYPT-ID-11111111-1111-1111-1111-111111111111 number
and wait for further instructions.
For you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form.
Please do not waste your time! You have 72 hours only! After that The Main Server will double your price!'
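The renaming scheme (32 hexadecimal characters plus '.MOLE') and the per-folder 'INSTRUCTION_FOR_HELPING_FILE_RECOVERY.TXT' note together give responders a quick way to measure how far an infection got. The following is an added example, not code from the original page: it walks a directory tree, counts files matching the MOLE naming pattern, and lists folders that hold the ransom note, including folders where the note was dropped but nothing encrypted was found. The sample tree it builds is constructed for offline testing and is not from a real infection.

```python
import os
import re
import tempfile
from collections import Counter

# Naming scheme described on the page: 32 hex characters plus the '.MOLE' extension.
MOLE_FILE_RE = re.compile(r"^[0-9a-f]{32}\.MOLE$", re.IGNORECASE)
RANSOM_NOTE = "INSTRUCTION_FOR_HELPING_FILE_RECOVERY.TXT"


def triage_tree(root):
    """Walk `root` and report MOLE indicators.

    Returns a dict with the total number of '.MOLE' files, the folders holding
    the ransom note, and the subset of those folders with no encrypted files
    (e.g. an interrupted run), which merit a manual look."""
    encrypted = Counter()
    note_dirs = []
    for dirpath, _dirs, files in os.walk(root):
        if RANSOM_NOTE in files:
            note_dirs.append(dirpath)
        encrypted[dirpath] = sum(1 for f in files if MOLE_FILE_RE.match(f))
    return {
        "encrypted_total": sum(encrypted.values()),
        "note_dirs": sorted(note_dirs),
        "note_only": sorted(d for d in note_dirs if encrypted[d] == 0),
    }


def build_sample_tree():
    """Constructed sample tree (assumed layout, not a real infection) for offline use."""
    root = tempfile.mkdtemp(prefix="mole_demo_")
    docs = os.path.join(root, "Documents")
    pics = os.path.join(root, "Pictures")
    os.makedirs(docs)
    os.makedirs(pics)
    # Documents: two encrypted files, the note, and one untouched file.
    for name in ("0123456789abcdef0123456789abcdef.MOLE",
                 "FEDCBA9876543210fedcba9876543210.MOLE", RANSOM_NOTE, "readme.txt"):
        open(os.path.join(docs, name), "w").close()
    # Pictures: note present but nothing encrypted; the two decoys below must not count
    # (32 characters but not hex, and a '.MOLE' name with a trailing extension).
    for name in (RANSOM_NOTE, "zzzz56789abcdef0123456789abcdef0.MOLE",
                 "0123456789abcdef0123456789abcdef.MOLE.bak"):
        open(os.path.join(pics, name), "w").close()
    return root
```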
Unfortunately, the files affected by the MOLE Ransomware are not recoverable, meaning that victims will have to restore their files from backup copies. Spam email messages used to deliver the MOLE Ransomware can be recognized easily, since they follow the familiar pattern of fake delivery notifications. The following are samples of subject lines used in spam email messages that have been linked to the MOLE Ransomware infection:
- Delivery problem, parcel USPS #07681136
- Delivery problem, parcel USPS #766268001
- Delivery problem, parcel USPS #886315525
- New status of your USPS delivery code: 74206300
- New status of your USPS delivery code: 573677337
- New status of your USPS delivery code: 615510620
- Our USPS courier can not contact you parcel # 754277860
- Please recheck your delivery address USPS parcel 67537460
- Please recheck your delivery address USPS parcel 045078181
- Status of your USPS delivery ID: 45841802
- We have delivery problems with your parcel # 30028433
- We have delivery problems with your parcel # 48853542
- We have delivery problems with your parcel # 460730503
File System Details