Mole ransomware virus. How to remove? (Uninstall guide)

Removal guide by Lucia Danes | Type: Ransomware

Evolution of Mole ransomware

The screenshot of encrypted files by Mole virus

Mole virus is a ransomware that spreads via malicious spam emails disguised as USPS delivery-problem notices.[1] It appends the .mole extension to the files it encrypts and drops INSTRUCTION_FOR_HELPING_FILE_RECOVERY.TXT, the ransom note. So far, the criminals have released several versions of this virus: Mole, Mole00, Mole01, Mole02 and Mole03.

Researchers have found connections to the CryptoShield virus and believe it is another piece of malware belonging to the CryptoMix family.

The malware encrypts files using an RSA-1024 encryption key, appends the .mole extension and demands a ransom. In that respect its behavior barely differs from other file-encrypting viruses. It is also known to delete Shadow Volume Copies, which prevents victims from restoring their data from them.

However, there is some good news: victims of the initial version can now decrypt files encoded by Mole crypto-malware. You can find the download link in the data recovery instructions below the article. If you were attacked by an updated version of the crypto-malware[2], you can restore from data backups[3].

If the virus has already inflicted damage, do not consider paying the ransom, as the chances of recovery are slim. Although a decrypter was eventually released, IT experts have found a new version that appends the .mole00 extension to files.

Furthermore, it masquerades as an Oren Music Panel executable. The malware is suspected to be distributed via several channels, including exploit kits and spam emails. Removing Mole is the better decision: attempts to obtain decryption software from the cyber criminals may end in lost money and further infections.[4] Thus, we recommend employing Reimage or Malwarebytes Anti Malware.

The virus starts its malicious task as soon as a person clicks the link in the infected email. The link redirects to a fraudulent MS Word Online page which claims that the document cannot be opened in the browser and that the user needs to download and install the latest plugin.

As you may guess, this button installs the payload on the system. According to the research, Mole is executed from a file named pluginoffice.exe or plugin-office.exe downloaded from doc-14-8g-docs.googleusercontent.com. Once the executable is dropped and run, it shows a fake Display Color Calibration alert claiming that Windows calibration management cannot be turned off.

The purpose of this fake error message is to make the victim click the “OK” button, which starts the ransomware's execution. The virus then begins encrypting data, and once it finishes it drops the INSTRUCTION_FOR_HELPING_FILE_RECOVERY.TXT file on the desktop and in every folder containing encrypted files.

This file is the ransom note; it tells victims they have 78 hours to contact the cyber criminals and learn how to obtain the decryption key. However, sending the unique ID number to the oceanm@engineer.com and oceanm@india.com email addresses is not recommended.

The crooks will certainly demand a transfer of a few Bitcoins, but you are unlikely to be satisfied with the purchase: you may never receive a decryptor, it may not work properly, or it may itself be infected. It is important to remove Mole from the device if you want to continue using your computer safely. Hopefully, alternative data recovery methods will help you recover at least some of the corrupted files until an official decryptor is released.

Update June 2017: victims of this notorious ransomware no longer need to mourn their lost data; if you have not deleted the corrupted files, you can now decrypt them for free. Researchers from CERT Polska[5] report that they decided to take a look at a sample of this crypto-ransomware after one of the victims contacted them.

They performed a thorough analysis of the ransomware and reverse-engineered it, and as a result a Mole decryptor was created. So if you were wondering whether or not to pay the ransom, you can stop hesitating and download the decryption tool to restore the corrupted files.

As already mentioned, the ransomware must be removed before attempting to use the decryptor. You can find the download link in the data recovery section below.

Versions of Mole ransomware

Mole00 ransomware virus. On July 4th, 2017, a new variant of Mole emerged. This version uses the .MOLE00 extension to mark encrypted files. After encrypting the data, the malicious program creates a _HELP_INSTRUCTION.TXT file and saves it to every location on the computer that contains at least one corrupted file. The ransom note does not state a particular price but directs the victim to the Mole00-02 payment website, which asks for 1 BTC in exchange for data recovery software.

The ransomware was mainly distributed via email: scammers used a USPS-themed spam campaign to trick unsuspecting victims into installing a malicious plug-in to view the attached message's content. The ransomware is highly dangerous, and so far there are no tools that could recover files with the .mole00 extension for free.

Mole01 ransomware virus. Mole01 ransomware emerged for a short period but was quickly replaced by the Mole02 version. The 01 version also used _HELP_INSTRUCTION.TXT for its instructions, pointed to a dark web site accessible via the Tor browser and demanded 1 BTC as ransom.

Unfortunately, the ransomware decryptors available today cannot decrypt files with the .mole01 extension. To restore encrypted files, we suggest using a data backup or any copies stored in email, online storage accounts and other places. Before you attempt to recover any files, remove the Mole01 virus first.

Mole02 ransomware virus. The MOLE02 version emerged on July 08, 2017. The virus completely replaces the original file name and adds the .MOLE02 extension. It scans the entire computer and encrypts every file whose extension is on its target list, then creates and saves the _HELP_INSTRUCTION.TXT file as the ransom note.

The ransom note explains how to reach the secret website with instructions for recovering the victim's data. The payment website offers the “private key” for one Bitcoin; the victim has to enter their victim ID and personal email address after transferring the ransom to the criminals' Bitcoin address. However, a decrypter for MOLE02 is available, so we ask you not to pay the ransom!

Mole03 ransomware virus. Mole03 ransomware emerged on July 23. Reportedly, the actors behind the EITest campaign distribute the virus via “The ‘HoeflerText’ wasn't found” pop-ups. In other words, the ransomware authors compromise legitimate websites and make them display the malicious pop-up.

Once the victim visits an infected site, the malicious script checks whether the victim is using Google Chrome. If so, it suggests installing a font pack that contains the malware. If the victim uses Internet Explorer, the website instead redirects to a tech support scam site.

The MOLE03 virus also uses _HELP_INSTRUCTION.TXT as its message to the victim, and it points to the same payment website demanding 1 BTC.

There is no decryptor available for Mole03 ransomware. Therefore, if it has locked your files, you will need to use alternative data recovery methods. Ideally, use a data backup. If you never created one, try the data recovery solutions listed below the article.
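The variants above differ only in the extension they append and the ransom note they drop, which is enough to identify the strain during incident triage and decide whether the free decryptor applies. The following script is an added example for this page (not code from the article, CERT Polska or any vendor named here); the file listing it runs over is constructed sample data.

```python
"""Triage helper: infer which Mole variant hit a host from the artifacts the
article describes (encrypted-file extensions, ransom-note names). Added example
for this page, not code from the article or CERT Polska; sample data is constructed."""
import ntpath
from collections import Counter

# Encrypted-file extension -> variant name (compared case-insensitively).
EXTENSION_TO_VARIANT = {
    ".mole": "Mole",
    ".mole00": "Mole00",
    ".mole01": "Mole01",
    ".mole02": "Mole02",
    ".mole03": "Mole03",
}

# Ransom-note file name -> the variant family that drops it.
NOTE_TO_FAMILY = {
    "INSTRUCTION_FOR_HELPING_FILE_RECOVERY.TXT": "Mole",
    "_HELP_INSTRUCTION.TXT": "Mole00/01/02/03",
}

# Variants the article reports as covered by the free CERT Polska decryptor.
DECRYPTABLE = {"Mole", "Mole02"}


def triage(paths):
    """Summarise Mole artifacts in a list of Windows paths: variants seen, file
    counts, and whether every observed variant has a free decryptor."""
    encrypted, notes = Counter(), Counter()
    for path in paths:
        name = ntpath.basename(path)  # handles C:\dir\file paths on any OS
        if name.upper() in NOTE_TO_FAMILY:
            notes[NOTE_TO_FAMILY[name.upper()]] += 1
            continue
        variant = EXTENSION_TO_VARIANT.get(ntpath.splitext(name)[1].lower())
        if variant:
            encrypted[variant] += 1
    variants = sorted(encrypted)
    return {
        "variants": variants,
        "encrypted_files": dict(encrypted),
        "ransom_notes": dict(notes),
        "free_decryptor_available": bool(variants)
        and all(v in DECRYPTABLE for v in variants),
    }


# Constructed listing standing in for a directory walk of an infected host;
# MOLE02 replaces the original file name, so the stems below are opaque.
SAMPLE_PATHS = [
    r"C:\Users\victim\Documents\5B2F0A9D7C1E4F33.MOLE02",
    r"C:\Users\victim\Documents\_HELP_INSTRUCTION.TXT",
    r"C:\Users\victim\Pictures\A7E11C0D9F2B6680.MOLE02",
    r"C:\Users\victim\Desktop\unaffected.txt",
]
```

Feed `triage()` the output of a directory walk over the affected volumes; a `False` for `free_decryptor_available` means the only recovery path the article offers is a backup.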

Techniques used to distribute the virus

Security researcher Brad Duncan noted that Mole infections begin with malicious spam emails that alert recipients to problems with a package delivery. The subject line may be one of the following:

  • Delivery problem, parcel USPS #number;
  • New status of your USPS delivery code: #number;
  • Our USPS courier can not contact you parcel # number;
  • Please recheck your delivery address USPS parcel #number;
  • Status of your USPS delivery ID: #number;
  • We have delivery problems with your parcel # number.
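The subject lines listed above are fixed templates in which only the parcel number changes, so a mail gateway or log search can flag them with a small set of patterns. The script below is an added example for this page, not a rule from the article or from any mail product; the inbox sample at the bottom is constructed.

```python
"""Mail-filter rule for the USPS-themed lure subjects listed above. Added
example for this page, not a rule from the article or any mail product; the
inbox sample at the bottom is constructed, not real mail."""
import re

# Subject templates quoted in the article; "#number" / "# number" stands for
# the parcel number the spammers vary between messages.
LURE_TEMPLATES = [
    "Delivery problem, parcel USPS #number",
    "New status of your USPS delivery code: #number",
    "Our USPS courier can not contact you parcel # number",
    "Please recheck your delivery address USPS parcel #number",
    "Status of your USPS delivery ID: #number",
    "We have delivery problems with your parcel # number",
]


def template_to_regex(template):
    """Compile a template into a case-insensitive, whitespace-tolerant regex.
    The number placeholder matches a digit run with an optional '#' in front
    (every template on the page has the '#', but spammers may drop it)."""
    words = re.sub(r"#\s*number", "#number", template).split()
    parts = [r"#?\s*\d+" if w == "#number" else re.escape(w) for w in words]
    return re.compile(r"^\s*" + r"\s+".join(parts) + r"\s*[.!]?\s*$", re.I)


LURE_PATTERNS = [template_to_regex(t) for t in LURE_TEMPLATES]


def is_mole_usps_lure(subject):
    """True if the subject line matches one of the known lure templates."""
    return any(p.match(subject) for p in LURE_PATTERNS)


def flag_messages(messages):
    """Return the ids of messages whose subject is a known lure.
    messages: iterable of (message_id, subject) pairs, e.g. from a mail log."""
    return [mid for mid, subject in messages if is_mole_usps_lure(subject)]


# Constructed sample headers.
SAMPLE_MESSAGES = [
    ("m1", "Delivery problem, parcel USPS #90388561"),
    ("m2", "Status of your USPS delivery ID: 2234"),
    ("m3", "Re: lunch on Friday?"),
    ("m4", "We have delivery problems with your parcel # 5510077."),
    ("m5", "USPS: your package was delivered"),
]
```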

However, other email campaigns may distribute the malicious payload as well. It is therefore important to be careful and not click links in emails that report delivery issues, especially if you are not expecting a parcel. As mentioned earlier, these emails carry a link to a fake Microsoft Office Online page which claims that a plugin must be downloaded to open the content.

The download button drops a malicious file on the system, which in turn generates another error message. The fake Display Color Calibration notification includes an “OK” button, and as soon as it is clicked Mole ransomware starts its damaging processes on the system.

Soon after the campaign was launched, the developers of Mole decided to improve their distribution technique. The malware continues to impersonate U.S. Postal Service emails, but besides hiding the malware in the attachment, the developers have now loaded more “malicious” content into the attached files.

The attachments also carry Kovter (which now has its own crypto-malware, Kovter ransomware) and Miuref (also known as Boaxxe) malware [6]. The entire malicious bundle is packaged in a plugin.zip archive, which naturally also contains plugin.js.

The Nemucod trojan is included as well, so that Mole crypto-malware can execute and paralyze the system. Interestingly, the criminals also revived another piece of malware, Nymaim ransomware [7], which uses almost identical spam messages and bundles the same series of malware. On April 21, the crooks switched from imitating USPS to posing as assorted lottery, parking-notification and tax-refund messages.

Remove Mole ransomware, get your files back

Having ransomware on the computer puts the computer's security and your privacy at risk, so remove the Mole virus without delay. This crypto-malware has already damaged your files; you should not let it open the door to other viruses that would cause even more problems.[8]

We suggest you eliminate the virus from the system as soon as you find a ransom-demanding message and discover that you cannot access your files. Elimination requires professional antivirus software or malware removal tools; we suggest Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware. These programs can delete the virus from the system entirely.

However, Mole removal may not go smoothly. File-encrypting viruses often resist security tools or block their installation. You can, however, disable the ransomware by rebooting the device into Safe Mode with Networking.

This mode allows you to access, install or update security software and complete the elimination. Once you have removed the ransomware, try the decrypter created by CERT Polska.


Manual Mole virus Removal Guide:

Remove Mole using Safe Mode with Networking


If you cannot access the antivirus program installed on your device, or malware prevents you from installing it, reboot your PC into Safe Mode with Networking. You will then be able to use security software and get rid of the virus.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Mole

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete Mole removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove Mole using System Restore


The System Restore method also helps to disable the virus and regain access to security software. We want to point out that you should scan the computer with an updated malware removal program several times to be sure that all malicious components have been deleted from the system.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point dated before the Mole infection. After doing that, click Next.
    4. Now click Yes to start the system restore.
    Once you have restored your system to a previous date, download Reimage and scan your computer with it to make sure that Mole removal was successful.

Bonus: Recover your data

The guide presented above should help you remove Mole from your computer. To recover your encrypted files, we recommend following the detailed guide prepared by 2-spyware.com security experts.

A data decryption tool is already available, and data backups can save your files too. If you do not have a backup, try the options presented below; one of them may restore your files.

If your files are encrypted by Mole, you can use several methods to restore them:

Data Recovery Pro – automatic solution to restore files encrypted by Mole

This professional tool is designed to restore deleted, corrupted and some encrypted files. Victims of the ransomware praise this program for restoring a good number of files. We want to stress, though, that it is not a dedicated decryptor for this malware.

Try the Windows Previous Versions feature to restore individual files

If you need to recover a few important documents, the Windows Previous Versions feature may help. It lets you go back to an earlier snapshot and copy individual versions of the encrypted files. However, this method works under one condition: System Restore must have been enabled before the Mole attack.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to the “Previous versions” tab;
  • Check each available copy of the file under “Folder versions”, select the version you want to recover and click “Restore”.

Mole decryptor

The Computer Emergency Response Team of Poland, known as CERT Polska, has reversed a sample of the malware and created a free decryptor. Download the Mole decryptor from their official page.

IMPORTANT. Victims of MOLE02 can decrypt their files using this decrypter.

Finally, you should always think about protection against crypto-ransomware. To protect your computer from Mole and other ransomware, use a reputable anti-spyware program such as Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware.

About the author

Lucia Danes - Virus researcher




  • Suki

    I received one of those emails. I thought it was strange to get such an email because I was not expecting to get any parcel. Though, I googled for the information, and found out that some shady people tried to hack my PC! Thank God, I did not click on the link!

  • Edith

    I wish someone would create a decryptor soon.

  • Soren

    Another horrible ransomware…