Mole ransomware virus. How to remove? (Uninstall guide)

Removal guide by Lucia Danes | Type: Ransomware

Older Mole ransomware versions – decryptable, new ones arise

The screenshot of encrypted files by Mole virus

Mole virus is ransomware that spreads via malicious spam emails disguised as USPS delivery problem notices.[1] However, the virus is not entirely new: researchers found connections with the CryptoShield virus and believe that it is another piece of malware belonging to the CryptoMix family.

The malware is programmed to encrypt files using an RSA-1024 encryption key, append the .mole file extension and demand a ransom payment. Indeed, its behavior barely differs from other file-encrypting viruses. This cyber infection is known to delete Shadow Volume Copies, which prevents victims from recovering data from those copies.

However, there is some good news: files encrypted by the original Mole crypto-malware can now be decrypted. You can find the download link in the data recovery instructions provided below the article. If you were attacked by an updated version of the crypto-malware[2], you can restore your files from data backups[3].

If the virus has already inflicted damage, do not consider paying the ransom, as the chances of recovery are slim. Though the decrypter was finally released, IT experts have found a new version which appends the .mole00 file extension to the files.

Furthermore, it disguises itself as an Oren Music Panel executable. It is suspected that the malware might be distributed via several distribution channels, including exploit kits and spam emails. Removing Mole is the better decision. Attempts to obtain decryption software from the cyber criminals might end in money loss and further cyber infections.[4] Thus, we recommend employing Reimage or Malwarebytes Anti Malware.

The virus starts its malicious task as soon as a person clicks on the link provided in the infected email. After clicking on it, people are redirected to a fraudulent MS Word Online site which informs them that the document cannot be opened in the browser and that they need to download and install the latest plugin.

As you might guess, this button installs the payload on the system. According to the research, Mole virus is executed either from the pluginoffice.exe or the plugin-office.exe file downloaded from doc-14-8g-docs.googleusercontent.com. When the malware executable is dropped and activated on the system, it shows a fake Display Color Calibration alert that reports an inability to turn off Windows calibration management.

The purpose of this fake error message is to make victims click the “OK” button, which starts the ransomware execution process. The virus then starts the data encryption procedure, and once it is over, the virus drops the INSTRUCTION_FOR_HELPING_FILE_RECOVERY.TXT file on the desktop and in each folder that contains encrypted files.

This file is a ransom note informing victims that they have 78 hours to contact the cyber criminals and learn how to obtain the decryption key. However, sending the unique ID number to the oceanm@engineer.com and oceanm@india.com email addresses is not recommended.

We can assure you that the crooks will demand a transfer of a few Bitcoins, but you may not be satisfied with this purchase. You may never receive a decryptor, or it might not work properly, or it might itself be infected. It is important to remove Mole from the device if you want to continue using your computer safely. Hopefully, alternative data recovery methods will help you recover at least some of the corrupted files until an official decryptor is released.
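A host-side triage script for the indicators described above (the .mole and .mole00 extensions and the INSTRUCTION_FOR_HELPING_FILE_RECOVERY.TXT note), added here as an example and not taken from the original guide or from any decryptor project. It builds a constructed sample tree, counts hits per extension, lists the folders holding a note, and reports the earliest modification time among encrypted files, which is the latest date a restore point or backup can have and still predate the infection.

```python
import os
import tempfile

# Indicators quoted in the write-up above: the two observed extensions and the note name.
MOLE_EXTENSIONS = (".mole", ".mole00")
RANSOM_NOTE = "INSTRUCTION_FOR_HELPING_FILE_RECOVERY.TXT"

def triage(root):
    """Inventory Mole indicators under `root` without reading file contents.
    The earliest mtime on an encrypted file bounds when encryption began, so a
    System Restore point or backup chosen for recovery must predate it."""
    counts = {ext: 0 for ext in MOLE_EXTENSIONS}
    note_dirs = []
    earliest = None
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == RANSOM_NOTE:
                note_dirs.append(dirpath)
                continue
            ext = os.path.splitext(name)[1].lower()
            if ext in counts:
                counts[ext] += 1
                mtime = os.stat(os.path.join(dirpath, name)).st_mtime
                if earliest is None or mtime < earliest:
                    earliest = mtime
    return {"counts": counts, "note_dirs": sorted(note_dirs), "earliest_mtime": earliest}

def build_sample_tree():
    """Constructed sample tree, not a real infection: two hits, one clean file, two notes."""
    root = tempfile.mkdtemp(prefix="mole_triage_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    samples = {
        os.path.join(docs, "report.docx.mole"): 1_500_000_000,  # earliest encrypted file
        os.path.join(docs, "photo.jpg.mole00"): 1_500_000_600,
        os.path.join(root, "notes.txt"): 1_400_000_000,  # untouched, older than the attack
    }
    for path, stamp in samples.items():
        with open(path, "wb") as fh:
            fh.write(b"constructed sample")
        os.utime(path, (stamp, stamp))
    for folder in (root, docs):  # the note lands on the desktop and in each hit folder
        open(os.path.join(folder, RANSOM_NOTE), "w").close()
    return root

if __name__ == "__main__":
    result = triage(build_sample_tree())
    print(result["counts"], "notes in", result["note_dirs"], "encryption began at", result["earliest_mtime"])
```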

Update June 2017: Victims whose computers were affected by this notorious ransomware no longer need to grieve over lost data, because if you have not deleted the corrupted files, you can now decrypt them for free. Researchers from CERT Polska[5] reveal that they decided to take a look at a sample of this crypto-ransomware after one of the victims contacted them.

It turns out they succeeded in performing a thorough analysis of the ransomware and reverse-engineered it. As a consequence, the Mole decryptor was created. So if you were wondering whether or not to pay the ransom, you can stop hesitating and download the decryption tool to restore the corrupted files.

We already mentioned this, but ransomware removal must be performed before attempting to use a decryptor. You can find the link to download the decrypter in the data recovery section below.

Infiltration technique

Online security researcher Brad Duncan noted that the Mole infection arrives via malicious spam emails which alert netizens about problems with a package delivery. The subject line might be one of the following:

  • Delivery problem, parcel USPS #number;
  • New status of your USPS delivery code: #number;
  • Our USPS courier can not contact you parcel # number;
  • Please recheck your delivery address USPS parcel #number;
  • Status of your USPS delivery ID: #number;
  • We have delivery problems with your parcel # number.

However, there might be other email campaigns that distribute the malicious payload. Still, it is important to be careful and not click on links provided in emails that report delivery issues, especially if you are not expecting a parcel. As we mentioned earlier, these emails carry a link that leads to a fake Microsoft Office Online page which claims that a plugin must be downloaded to open the content.

This download button drops a malicious file on the system, which in turn generates another error message. The fake Display Color Calibration notification includes an “OK” button, and as soon as it is clicked, Mole ransomware starts its damaging processes on the system.

Soon after the campaign was launched, the developers of Mole malware decided to improve their distribution technique. The malware continues impersonating U.S. Postal Service emails. Besides disguising the malware in the attachment, the developers have now loaded more malicious content into the attached files.

They hide Kovter (which now has its own crypto-malware, Kovter ransomware) and Miuref (alternatively known as Boaxxe) malware.[6] The entire malignant content is packaged into a plugin.zip archive. Naturally, plugin.js is placed within this archive as well.

In order for Mole crypto-malware to execute and paralyze the system, the Nemucod trojan is also included. Interestingly, the crooks also revived another piece of malware, Nymaim ransomware.[7] It uses almost identical spam messages and includes the same series of malware. On April 21, the crooks switched from imitating USPS services to disguising the emails as lottery, parking notification and tax refund messages.
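Detection logic for the lure described in this section, added as an illustration and not part of the original write-up. The mail-log format, the sender addresses and the sample lines are constructed; the rules combine delivery or parcel wording with a USPS mention or a trailing fake tracking number, and separately flag the plugin.zip attachment from the later campaign.

```python
import re

# Subject themes quoted in the list above, generalised: delivery/parcel wording
# plus either USPS branding or a fake "#<number>" tracking reference at the end.
DELIVERY_WORDS = re.compile(r"\b(delivery|deliver|parcel|courier|package)\b", re.IGNORECASE)
USPS = re.compile(r"\bUSPS\b")
TRACKING_TAIL = re.compile(r"#\s*\d+\s*$")
# The later campaign shipped plugin.zip carrying plugin.js (see the text above).
SUSPECT_ATTACHMENT = re.compile(r"^plugin\.zip$", re.IGNORECASE)
# Constructed log line shape: <timestamp> from=<addr> subj="..." [attach=<name>]
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) from=<(?P<from>[^>]*)> subj="(?P<subj>[^"]*)"(?: attach=(?P<attach>\S+))?$'
)

def score_line(line):
    """Return the list of reasons a mail-log line looks like the Mole lure ([] if clean)."""
    m = LOG_LINE.match(line)
    if not m:
        return ["unparsable line"]
    reasons = []
    subj = m.group("subj")
    if DELIVERY_WORDS.search(subj) and (USPS.search(subj) or TRACKING_TAIL.search(subj)):
        reasons.append("delivery-themed lure subject")
        if TRACKING_TAIL.search(subj):
            reasons.append("subject ends in fake tracking number")
        # From is trivially spoofable, so this is a weak supporting signal only.
        if USPS.search(subj) and not m.group("from").lower().endswith("@usps.com"):
            reasons.append("USPS branding from a non-USPS sender")
    attach = m.group("attach")
    if attach and SUSPECT_ATTACHMENT.match(attach):
        reasons.append("plugin.zip attachment")
    return reasons

def flag_log(lines):
    """Map 1-based line numbers to reasons for every line that triggered a rule."""
    return {i: r for i, r in enumerate((score_line(l) for l in lines), 1) if r}

# Constructed sample log (not real traffic); sender addresses are placeholders.
SAMPLE_LOG = [
    '2017-04-11T09:12:03Z from=<track@parcel-update.example> subj="Delivery problem, parcel USPS #83920145"',
    '2017-04-11T09:13:44Z from=<hr@corp.example> subj="Quarterly review schedule"',
    '2017-04-12T07:02:10Z from=<info@postal-notice.example> subj="We have delivery problems with your parcel # 4471" attach=plugin.zip',
    '2017-04-12T08:30:00Z from=<alerts@usps.com> subj="Your package was delivered"',
]

if __name__ == "__main__":
    for n, reasons in flag_log(SAMPLE_LOG).items():
        print(n, "; ".join(reasons))
```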

Eliminate Mole malware effectively

Having ransomware on the computer puts the computer’s security and your privacy at risk, so remove Mole virus without delay. This crypto-malware has already damaged your files; you should not let it allow other viruses to enter the system and cause you more problems.[8]

We suggest you eliminate the virus from the system as soon as you find a ransom-demanding message and discover that you cannot access your files. Elimination requires professional antivirus software or malware removal tools. We suggest performing this task using Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware. We can assure you that these programs can delete the virus entirely from the system.

However, Mole removal may not be smooth. File-encrypting viruses often resist security tools or prevent them from being installed. However, you can disable the ransomware by rebooting the device into Safe Mode with Networking.

This mode allows accessing, installing or updating security software and completing elimination. Once you remove the ransomware, try the decrypter created by CERT Polska.


Manual Mole virus Removal Guide:

Remove Mole using Safe Mode with Networking


If you cannot access the antivirus program installed on your device, or malware prevents you from installing one, reboot your PC into Safe Mode with Networking. Then you will be able to use security software and get rid of the virus.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Mole

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete Mole removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove Mole using System Restore


The System Restore method also helps to disable the virus and regain access to security software. We want to point out that you should scan the computer with an updated malware removal program several times, just to be sure that all malicious components are deleted from the system entirely.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point created before Mole infiltrated the system. After doing that, click Next.
    4. Now click Yes to start the system restore.
    Once you have restored your system to a previous date, download Reimage, scan your computer with it and make sure that Mole removal has been performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove Mole from your computer. To recover your encrypted files, we recommend using the detailed guide prepared by 2-spyware.com security experts.

At the moment, a data decryption tool is already available, although data backups can save your files, too. If you do not have a backup, try the options presented below. One of the provided methods should restore your files.

If your files are encrypted by Mole, you can use several methods to restore them:

Data Recovery Pro – automatic solution to restore files encrypted by Mole

This professional tool is designed to restore deleted, corrupted and some encrypted files. Victims of ransomware praise this program for restoring many of their files. Still, we want to stress that it is not a dedicated decryptor for this malware.

Try the Windows Previous Versions feature to restore individual files

If you need to recover a few important documents, the Windows Previous Versions feature might be helpful. It lets you go back in the computer’s history and copy earlier versions of individual encrypted files. However, this method works under one condition: System Restore had to be enabled before the Mole virus attack.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to the “Previous versions” tab;
  • Here, check each of the available copies of the file under “Folder versions”. Select the version you want to recover and click “Restore”.

Mole decryptor

Computer Emergency Response Team from Poland, known as CERT Polska, has reversed a sample of the malware and created a free decryptor that you can use. Download the Mole decryptor from their official page.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Mole and other ransomware, use a reputable anti-spyware program such as Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware.

About the author

Lucia Danes - Virus researcher

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

  • Suki

    I received one of those emails. I thought it was strange to get such an email because I was not expecting any parcel. Though, I googled for the information, and found out that some shady people tried to hack my PC! Thank God, I did not click on the link!

  • Edith

    I wish someone would create a decryptor soon..

  • Soren

    Another horrible ransomware…