
MOLE Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 522
First Seen: April 13, 2017
Last Seen: February 29, 2024
OS(es) Affected: Windows

The MOLE Ransomware is a ransomware Trojan that has been associated with a recent spam email campaign. The MOLE Ransomware belongs to the CryptoMix family of ransomware. The MOLE Ransomware may be delivered to the victim in email messages that pretend to be shipping notifications, claiming that a package couldn't be delivered and including a link for 'additional information.' The link leads to a page that asks the victim to install a 'Microsoft Word Online' plug-in; that plug-in is the MOLE Ransomware installer.

How the MOLE Ransomware may be Installed on the Victim’s Computer

While the MOLE Ransomware is being installed, its installer displays a bogus alert designed to trick the victim into clicking through a User Account Control prompt. The message reads as follows:

'Display Color Calibration can't turn off Windows calibration management.
Access is denied'

When the computer user presses the OK button in this message, a User Account Control prompt appears; accepting it allows the executable file to run, which gives the MOLE Ransomware administrative privileges and lets it encrypt the victim's files. The MOLE Ransomware uses a combination of AES and RSA encryption to encrypt the victim's data and make the files completely inaccessible. Before carrying out its attack, the MOLE Ransomware attempts to stop security-related Windows services on the infected computer by issuing the following commands:

  • sc stop wscsvc
  • sc stop WinDefend
  • sc stop wuauserv
  • sc stop BITS
  • sc stop ERSvc
  • sc stop WerSv

The MOLE Ransomware then disables Windows recovery and deletes the Shadow Volume Copies, preventing computer users from recovering their files by alternate means. Once this is done, the MOLE Ransomware carries out its main attack, scanning the victim's computer and encrypting the victim's files. Each encrypted file is renamed to a 32-character hexadecimal name with the file extension '.MOLE'.
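The service-stop sequence and the shadow copy deletion described above are observable in process-creation telemetry before any file is encrypted. The following detector is an added example, not code from the original page or from any vendor: it groups command lines by parent process, flags a parent that stops several of the listed services within a short window, and notes whether a shadow copy deletion followed. The exact shadow copy deletion command shapes (vssadmin / wmic) are an assumption, since the page only says the copies are deleted; the sample events are constructed, not real logs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Services the page lists MOLE stopping with "sc stop" before encrypting.
MOLE_STOPPED_SERVICES = {"wscsvc", "windefend", "wuauserv", "bits", "ersvc", "wersv"}
# Encrypted files are renamed to 32 hex characters plus ".MOLE" (from the page).
MOLE_NAME_RE = re.compile(r"^[0-9a-f]{32}\.MOLE$", re.IGNORECASE)
# Matches "sc stop <svc>" whether sc is bare or given as a full path to sc.exe.
SC_STOP_RE = re.compile(r'(?:^|[\\/\s"])sc(?:\.exe)?"?\s+stop\s+(\S+)', re.IGNORECASE)
# Assumption: common shadow-copy deletion command shapes; the page names none.
SHADOW_RE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete",
                       re.IGNORECASE)

def is_mole_encrypted_name(filename):
    """True for the rename pattern the page describes: 32 hex chars + '.MOLE'."""
    return bool(MOLE_NAME_RE.match(filename))

def detect_mole_precursors(events, window_seconds=60, min_services=3):
    """events: dicts with 'ts' (ISO 8601), 'ppid', 'cmdline'. Returns one finding per
    parent process that stops >= min_services listed services within the window."""
    by_parent = defaultdict(list)
    for e in events:
        by_parent[e["ppid"]].append(e)
    findings = []
    for ppid, evs in by_parent.items():
        evs.sort(key=lambda e: e["ts"])
        stops, shadow = [], False
        for e in evs:
            m = SC_STOP_RE.search(e["cmdline"])
            if m and m.group(1).lower() in MOLE_STOPPED_SERVICES:
                stops.append((datetime.fromisoformat(e["ts"]), m.group(1).lower()))
            elif SHADOW_RE.search(e["cmdline"]):
                shadow = True
        # Sliding window: distinct listed services stopped within window_seconds of each stop.
        for start, _ in stops:
            in_window = {s for t, s in stops if 0 <= (t - start).total_seconds() <= window_seconds}
            if len(in_window) >= min_services:
                findings.append({"ppid": ppid, "services": sorted(in_window),
                                 "shadow_copy_deletion": shadow})
                break
    return findings

# Constructed sample telemetry (not real logs), modelled on the page's command list.
SAMPLE_EVENTS = [
    {"ts": "2017-04-13T10:00:01", "ppid": 4120, "cmdline": "sc stop wscsvc"},
    {"ts": "2017-04-13T10:00:01", "ppid": 4120, "cmdline": "sc stop WinDefend"},
    {"ts": "2017-04-13T10:00:02", "ppid": 4120, "cmdline": "sc stop wuauserv"},
    {"ts": "2017-04-13T10:00:02", "ppid": 4120, "cmdline": "C:\\Windows\\system32\\sc.exe stop BITS"},
    {"ts": "2017-04-13T10:00:03", "ppid": 4120, "cmdline": "vssadmin delete shadows /all /quiet"},
    {"ts": "2017-04-13T10:30:00", "ppid": 900, "cmdline": "sc stop BITS"},  # lone admin action, benign
]
```

A single `sc stop BITS` from an administrator does not reach the threshold, while several listed services stopped by one parent within a minute, followed by a shadow copy deletion, is the pre-encryption pattern worth alerting on.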

How the MOLE Ransomware may Extract a Ransom from the Victim

The MOLE Ransomware creates text files in each folder where it encrypts content. These files are named 'INSTRUCTION_FOR_HELPING_FILE_RECOVERY.TXT' and contain the following text:

'All your important files were encrypted on this computer.
You can verify this by click on see files an try open them.
Encryption was produced using unique public key RSA-1024 generated for this computer.
To decrypted files, you need to obtain private key.
The single copy of the private key, with will allow you to decrypt the files, is locate on a secret server on the internet.
The server will destroy the key within 78 hours after encryption completed.
To retrieve the private key, you need to Contact us by email , send us an email your DECRYPT-ID-11111111-1111-1111-1111-111111111111 number
and wait for further instructions.
For you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form.
Please do not waste your time! You have 72 hours only! After that The Main Server will double your price!'

Unfortunately, the files affected by the MOLE Ransomware are not recoverable, meaning that victims will have to restore their files from backup copies. The spam email messages used to deliver the MOLE Ransomware are easy to recognize, since they follow a common lure: fake parcel-delivery notifications. The following are sample subject lines from spam email messages that have been linked to the MOLE Ransomware infection:

  • Delivery problem, parcel USPS #07681136
  • Delivery problem, parcel USPS #766268001
  • Delivery problem, parcel USPS #886315525
  • New status of your USPS delivery code: 74206300
  • New status of your USPS delivery code: 573677337
  • New status of your USPS delivery code: 615510620
  • Our USPS courier can not contact you parcel # 754277860
  • Please recheck your delivery address USPS parcel 67537460
  • Please recheck your delivery address USPS parcel 045078181
  • Status of your USPS delivery ID: 45841802
  • We have delivery problems with your parcel # 30028433
  • We have delivery problems with your parcel # 48853542
  • We have delivery problems with your parcel # 460730503
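The subject lines above differ only in the fake parcel number, so a mail filter can recognize the campaign by its lure templates rather than by exact strings. The following classifier is an added example, not code from the original page or from any mail-security product: it collapses digit runs into a placeholder, matches the templates derived from the page's list, and separately flags subjects with the same lure shape (the "suspicious" heuristic is an assumption, not something the page states).

```python
import re

# Subject lines the page links to the MOLE spam campaign (one per lure template).
KNOWN_MOLE_SUBJECTS = [
    "Delivery problem, parcel USPS #07681136",
    "New status of your USPS delivery code: 74206300",
    "Our USPS courier can not contact you parcel # 754277860",
    "Please recheck your delivery address USPS parcel 67537460",
    "Status of your USPS delivery ID: 45841802",
    "We have delivery problems with your parcel # 30028433",
]

def subject_template(subject):
    """Lowercase, collapse whitespace, and replace every digit run with <N>, so all
    variants of one lure (differing only in the fake parcel number) share a template."""
    s = re.sub(r"\s+", " ", subject.strip().lower())
    return re.sub(r"\d+", "<N>", s)

MOLE_TEMPLATES = {subject_template(s) for s in KNOWN_MOLE_SUBJECTS}

def classify_subject(subject):
    """'known' for an exact template match with the campaign; 'suspicious' for the same
    lure shape (carrier name + delivery wording + tracking-like number); else None."""
    t = subject_template(subject)
    if t in MOLE_TEMPLATES:
        return "known"
    if "usps" in t and re.search(r"deliver|parcel|courier", t) and "<N>" in t:
        return "suspicious"
    return None
```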


File System Details

MOLE Ransomware may create the following file(s):

Registry Details

MOLE Ransomware may create the following registry entry or registry entries:
