Mole03 Ransomware
Threat Scorecard
Ranking: 2,953
Threat Level: 80% (High)
Infected Computers: 17,651
First Seen: July 25, 2017
Last Seen: September 20, 2023
OS(es) Affected: Windows
The Mole03 Ransomware is the third member of the Mole family of ransomware Trojans, following the MOLE Ransomware and the Mole02 Ransomware observed earlier by PC security analysts. The Mole03 Ransomware was first observed on July 24, 2017. Like its predecessors, it is built on the CryptFile2 Ransomware Trojan, also known as CryptMix or CryptoMix, and it shows some modifications compared to the earlier variants in the family, including communication with a new Command and Control server. The Mole03 Ransomware is distributed through large spam email campaigns. The lure is a bogus font that supposedly is needed for Google Chrome to display certain Web pages; this 'font' is in fact a malicious executable named '2017-07-23-1st-run-Font_Chrome.exe'. Running this file downloads and installs the Mole03 Ransomware on the victim's computer.
How the Mole03 Ransomware Attack is Carried Out
When the user runs the file mentioned above, a message box titled 'Display Color Calibration' appears with the following text:
'Display Color Calibration can't turn off Windows calibration management. Access is Denied.'
A User Account Control (UAC) prompt then asks the user to allow the WMI Command Line Utility (wmic.exe, a legitimate Microsoft-signed Windows binary) to run on the affected computer. Clicking OK lets the Mole03 Ransomware install and carry out its attack. A UAC prompt for wmic.exe appearing right after a supposed font installer is run is the tell here, and the safe response is to decline it. Once installed, the Mole03 Ransomware uses strong encryption to make the victim's files inaccessible. It appends the '.mole03' extension to each affected file and also replaces the original file name with an encrypted one. There is little to differentiate the Mole03 Ransomware from previous variants in this family, although PC security researchers have observed slight improvements to its obfuscation and encryption routines, which may help it evade detection.
The Ransom Note Displayed by the Mole03 Ransomware
The Mole03 Ransomware carries out a typical encryption ransomware attack. According to its ransom note, it uses RSA-2048 together with AES-128 to make the victim's files inaccessible; as is standard with this pairing, the file contents are encrypted with AES and the AES key material is in turn encrypted with the attackers' RSA public key, so recovery requires the matching private key that only the attackers hold. The attack targets user-generated files, including media files, photos, images, videos, music, sound, and files created with Microsoft Office, Adobe Acrobat, Photoshop and numerous other applications. After encrypting the victim's files, the Mole03 Ransomware drops a ransom note as a text file named '_HELP_INSTRUCTION.TXT', which informs the victim of the attack and demands a ransom payment. The following is the full text of the Mole03 Ransomware ransom note:
'! INFORMATION
All your files are encrypted with RSA_2048 and AES_128 ciphers. More information about the RSA and AES can be found here:
URL1: hxxp://en.wikipedia.org/wiki/RSA_numbers
URL2: hxxp://en.wikipedia.org/wiki/Advanced_Encryption_Standard
Decrypting your files is only possible with he private key and decrypts programs, which is on our secret server.
Follow these steps:
1. Download and install Tor_Browsers: hxxp://torproject.org/download/download-easy.html
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar:
URL1: hxxp://supportxxgbefd7c.onion
URL2: hxxp://supportjy2xvvdmx.onion
4. Follow the instructions on the site. !!
Your DECRYPT-ID: 73386d08-61bc-4b07-9861-6e83135df82bd !_!'
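The note's claim that files are "encrypted with RSA_2048 and AES_128" and that decryption "is only possible with the private key ... on our secret server" describes a hybrid scheme. The program below is an added model of that scheme, written for this page; it is not Mole03's code, and the AES mode (GCM) and RSA padding (OAEP) are assumptions, since the write-up does not state which ones the malware uses. It shows why nothing left on the victim's machine can recover a file: each file gets a fresh AES-128 key, that key is stored only in RSA-wrapped form, and unwrapping it with anything but the attackers' private key fails.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// LockedFile is what a locker of this kind leaves on disk for one victim
// file: the AES-128 ciphertext plus the per-file key wrapped with the
// attackers' RSA-2048 public key. The plaintext key is discarded after use.
type LockedFile struct {
	WrappedKey []byte // RSA-OAEP(fileKey); only the attackers' private key opens it
	Nonce      []byte
	Ciphertext []byte
}

// GenerateAttackerKey stands in for the key pair held on the criminals'
// server. In a real campaign only the public half ever reaches the victim.
func GenerateAttackerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// LockFile encrypts one file the way the ransom note describes: a fresh
// AES-128 key per file, wrapped with RSA-2048. AES-GCM and OAEP are
// assumptions made for this example; the write-up does not name the modes.
func LockFile(pub *rsa.PublicKey, plaintext []byte) (*LockedFile, error) {
	fileKey := make([]byte, 16) // 128-bit AES key, never written to disk
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	// fileKey goes out of scope here; only its RSA-wrapped form survives.
	return &LockedFile{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// UnlockFile is the "decrypt program" the note says lives on the attackers'
// server: it needs their RSA private key to recover fileKey. With any other
// key the OAEP unwrap fails and no AES decryption is even attempted.
func UnlockFile(priv *rsa.PrivateKey, lf *LockedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, lf.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key: %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, lf.Nonce, lf.Ciphertext, nil)
}

func main() {
	attacker, err := GenerateAttackerKey()
	if err != nil {
		panic(err)
	}
	doc := []byte("Q3 budget spreadsheet contents (constructed sample)")
	locked, err := LockFile(&attacker.PublicKey, doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("on disk: %d-byte wrapped key, %d-byte ciphertext\n", len(locked.WrappedKey), len(locked.Ciphertext))

	// Anyone without the attackers' private key (here: an unrelated, freshly
	// generated key pair) cannot unwrap the file key.
	stranger, _ := GenerateAttackerKey()
	if _, err := UnlockFile(stranger, locked); err != nil {
		fmt.Println("without the attackers' private key:", err)
	}
	restored, err := UnlockFile(attacker, locked)
	if err != nil {
		panic(err)
	}
	fmt.Println("with the attackers' private key:", string(restored))
}
```

The asymmetry is the whole business model: the victim's host only ever held the public key, so brute force or forensics on that host cannot yield the file keys, and the only copies of the private key sit with the attackers.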
The Mole03 Ransomware demands a payment of 1 Bitcoin (roughly $2,700 USD at the July 2017 exchange rate). PC security analysts strongly advise against paying this large amount: payment funds the operation and does not guarantee a working decryptor. At the time of writing there was no known way to restore files encrypted by the Mole03 Ransomware without the attackers' private key. The best protection against the Mole03 Ransomware and numerous other encryption ransomware Trojans is file backups, kept offline or otherwise out of reach of the infected machine so that the ransomware cannot encrypt them as well. With such backups available, the people responsible for the Mole03 Ransomware attack lose the leverage that allows them to demand a ransom or threaten the computer user.
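When triaging a suspected infection, the first questions are how far the encryption got, where the notes landed, which DECRYPT-ID the victim was assigned, and whether the dropper is still on disk. The tool below is an added example written for this page, not part of the original write-up or any vendor product; it sweeps a directory tree for the indicators the write-up names ('.mole03' extension, '_HELP_INSTRUCTION.TXT', the '2017-07-23-1st-run-Font_Chrome.exe' dropper) and parses the DECRYPT-ID and .onion addresses out of every note it finds. The embedded sample note is the text quoted above; the file names in the usage are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// Indicators taken from the write-up above.
const (
	encryptedExt = ".mole03"
	ransomNote   = "_HELP_INSTRUCTION.TXT"
	dropperName  = "2017-07-23-1st-run-Font_Chrome.exe"
)

// SampleRansomNote is the note text quoted above, embedded so the parser can
// be exercised without an infected machine.
const SampleRansomNote = `! INFORMATION
All your files are encrypted with RSA_2048 and AES_128 ciphers. More information about the RSA and AES can be found here:
URL1: hxxp://en.wikipedia.org/wiki/RSA_numbers
URL2: hxxp://en.wikipedia.org/wiki/Advanced_Encryption_Standard
Decrypting your files is only possible with he private key and decrypts programs, which is on our secret server.
Follow these steps:
1. Download and install Tor_Browsers: hxxp://torproject.org/download/download-easy.html
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar:
URL1: hxxp://supportxxgbefd7c.onion
URL2: hxxp://supportjy2xvvdmx.onion
4. Follow the instructions on the site. !!
Your DECRYPT-ID: 73386d08-61bc-4b07-9861-6e83135df82bd !_!`

var (
	decryptIDRe = regexp.MustCompile(`DECRYPT-ID:\s*([0-9a-fA-F-]+)`)
	// v2 (16 chars) and v3 (56 chars) onion names, base32 alphabet.
	onionRe = regexp.MustCompile(`\b[a-z2-7]{16,56}\.onion\b`)
)

// Findings is the triage summary for one scanned tree.
type Findings struct {
	EncryptedFiles []string `json:"encrypted_files"`
	RansomNotes    []string `json:"ransom_notes"`
	Droppers       []string `json:"dropper_candidates"`
	DecryptIDs     []string `json:"decrypt_ids"`
	OnionURLs      []string `json:"onion_urls"`
}

// ParseRansomNote extracts the victim's DECRYPT-ID(s) and the .onion
// payment sites from a note body, deduplicated and in order of appearance.
func ParseRansomNote(note string) (ids, onions []string) {
	for _, m := range decryptIDRe.FindAllStringSubmatch(note, -1) {
		ids = appendUnique(ids, m[1])
	}
	for _, u := range onionRe.FindAllString(note, -1) {
		onions = appendUnique(onions, u)
	}
	return ids, onions
}

func appendUnique(list []string, v string) []string {
	for _, x := range list {
		if x == v {
			return list
		}
	}
	return append(list, v)
}

// ScanForMole03 walks root and collects every indicator it finds. Entries
// that cannot be read are skipped so one bad ACL does not abort the sweep;
// only a missing root is reported as an error.
func ScanForMole03(root string) (*Findings, error) {
	f := &Findings{}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			if d == nil {
				return walkErr // root itself is unreadable
			}
			return nil
		}
		if d.IsDir() {
			return nil
		}
		name := d.Name()
		switch {
		case strings.EqualFold(filepath.Ext(name), encryptedExt):
			f.EncryptedFiles = append(f.EncryptedFiles, path)
		case strings.EqualFold(name, ransomNote):
			f.RansomNotes = append(f.RansomNotes, path)
			if data, err := os.ReadFile(path); err == nil {
				ids, onions := ParseRansomNote(string(data))
				for _, id := range ids {
					f.DecryptIDs = appendUnique(f.DecryptIDs, id)
				}
				for _, u := range onions {
					f.OnionURLs = appendUnique(f.OnionURLs, u)
				}
			}
		case strings.EqualFold(name, dropperName):
			f.Droppers = append(f.Droppers, path)
		}
		return nil
	})
	return f, err
}

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	f, err := ScanForMole03(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	out, _ := json.MarshalIndent(f, "", "  ")
	fmt.Println(string(out))
}
```

Run it against a mounted image of the affected volume (for example `go run scan.go /mnt/evidence/Users`) rather than on the live host; the encrypted file count tells you how far the run got, the note locations show which directories were walked, and the DECRYPT-ID is what to record in the incident ticket. Because the malware also encrypts file names, matching on the extension rather than on original names is the only reliable way to enumerate victims.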