Threat Database Ransomware Mole03 Ransomware

Mole03 Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Ranking: 2,953
Threat Level: 80 % (High)
Infected Computers: 17,651
First Seen: July 25, 2017
Last Seen: September 20, 2023
OS(es) Affected: Windows

The Mole03 Ransomware is the third in the Mole# family of ransomware Trojans. PC security analysts first observed earlier variants in this family named the MOLE Ransomware and the Mole02 Ransomware. The Mole03 Ransomware was first observed on July 24, 2017. The Mole03 Ransomware and its other variants are based on the Kill CryptFILe2 Ransomware Trojan, also known as CryptMix or CryptoMix. The Mole03 Ransomware shows some modifications when compared to previous variants in this ransomware family. The Mole03 Ransomware is being distributed through massive amounts of spam email messages. The Mole03 Ransomware is configured to establish communications with a new Command and Control server. The way in which the Mole03 Ransomware is being delivered to victims is through a bogus font that supposedly is needed for Google Chrome to display certain Web pages. This 'font' is contained in a corrupted executable file named '2017-07-23-1st-run-Font_Chrome.exe.' Running this file downloads and installs the Mole03 Ransomware onto the victim's computer.

How the Mole03 Ransomware Attack is Carried Out

When the computer user runs the file mentioned above, a notification will appear titled 'Display Color Calibration.' This message box contains the following text:

'Display Color Calibration can't turn off Windows calibration management. Access is Denied.'

This will trigger a User Account Control notification and asks the computer users to allow the WMI Command Line Utility run on the affected computer. Clicking on OK will allow the Mole03 Ransomware to be installed and carry out its attack. Once the Mole03 Ransomware is installed, it will use a strong encryption algorithm to make the victim's files inaccessible. The Mole03 Ransomware will add the file extension '.mole03' to each affected file, and also will rename the files by encrypting the file names. There is not much to differentiate the Mole03 Ransomware from previous variants in this family, although PC security researchers have observed some slight improvements to the Mole03 Ransomware's obfuscation and encryption routines, which could allow it to avoid detection more efficiently.

The Ransom Note Displayed by the Mole03 Ransomware

The Mole03 Ransomware uses a typical encryption ransomware attack. Using a strong pair of encryption algorithms, RSA and AES, the Mole03 Ransomware will make the victim's files inaccessible. In its attack, the Mole03 Ransomware seems to target the user-generated files, including media files, photos, images, videos, music, sound, and files created using Microsoft Office, Adobe Acrobat, Photoshop and numerous others. After encrypting the victim's files, the Mole03 Ransomware will display a ransom note in the form of a text file named '_HELP_INSTRUCTION.TXT,' which will display a message informing the victim of the attack and demanding the payment of a ransom. The following is the full text of the Mole03 Ransomware ransom note:

All your files are encrypted with RSA_2048 and AES_128 ciphers. More information about the RSA and AES can be found here:
URL1: hxxp://
URL2: hxxp://
Decrypting your files is only possible with he private key and decrypts programs, which is on our secret server.
Follow these steps:
1. Download and install Tor_Browsers: hxxp://
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar:
URL1: hxxp://supportxxgbefd7c.onion
URL2: hxxp://supportjy2xvvdmx.onion
4. Follow the instructions on the site. !!
Your DECRYPT-ID: 73386d08-61bc-4b07-9861-6e83135df82bd !_!'

The Mole03 Ransomware demands the payment of 1 Bitcoin (which at the current exchange rate is equivalent to $2700 USD). PC security analysts strongly advise computer users to refrain from paying this large amount. Unfortunately, it may not be possible to restore files affected by the Mole03 Ransomware attack currently. The best protection against the Mole03 Ransomware and numerous other encryption ransomware Trojans is to have file backups. If you have backup copies of your files that are easily accessible, then the people responsible for the Mole03 Ransomware attack lose any power that allows them to demand a ransom payment or threaten the computer user.


Most Viewed