
MOLE66 Ransomware

Posted: March 30, 2018

The MOLE66 Ransomware is a variant of the Revenge Ransomware, which is itself an update of the CryptoMix or CryptMix Ransomware family. Because this threat can lock files in ways that prevent their recovery, and also interferes with some essential security services, users should block an infection preemptively and back up their data whenever possible. Most anti-malware programs with good detection rates against the CryptMix Ransomware also should remove the MOLE66 Ransomware automatically.

Trojans with a Russian Bias

The CryptMix Ransomware family is in a state of low activity, but recent evidence shows that at least one variant is still operational. The new version, the MOLE66 Ransomware, is a spin-off of the Revenge Ransomware update and has no meaningful cryptography changes from that file-locking threat. However, the MOLE66 Ransomware does have some cosmetic changes and, most meaningfully, avoids extorting money from any PC users residing in Russia. Older members of the same family include the SERVER Cryptomix Ransomware, the Tastylock Ransomware and the XZZX Ransomware.

The MOLE66 Ransomware locks data with the same AES-based methods as before, but its authors are using a variation on their ransom note's template. The note is a Notepad text file that the MOLE66 Ransomware drops after blocking various media formats, such as documents; it sets a three-day deadline for paying the ransom and gives an e-mail address for further communication. Another change is the extension that the MOLE66 Ransomware appends to locked files, which is '.MOLE66'.
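Because the appended '.MOLE66' extension is the one indicator the article gives that survives on disk, a responder's first job after containment is usually to scope the damage: which files carry it, what they were originally, and how that list lines up against backups. The script below is an added example written for this article, not code from the article's author or from any vendor tool. It walks a directory tree, reports every file ending in the suffix the article names, recovers the original file name by stripping that suffix, and groups the results by original extension. The sample folder layout is constructed inside the script so it runs offline; the ransom note's file name is not given in the article, so the script makes no attempt to find it.

```python
"""Triage helper for a suspected MOLE66 Ransomware infection.

Added example (not from the original article or any vendor tool). It scopes an
infection by locating files that carry the '.MOLE66' suffix described in the
article, recovers their original names and summarizes them by file type so the
result can be compared against backups. The directory tree is constructed.
"""
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_SUFFIX = ".MOLE66"  # extension named in the article


def find_encrypted_files(root):
    """Return a list of (encrypted_path, original_name) for every file under
    ``root`` whose name ends in ENCRYPTED_SUFFIX."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(ENCRYPTED_SUFFIX):
                original = name[: -len(ENCRYPTED_SUFFIX)]
                hits.append((Path(dirpath) / name, original))
    return hits


def summarize_by_type(hits):
    """Count affected files by their original extension, lower-cased.
    Files that had no extension before being renamed are counted under ''."""
    counts = Counter()
    for _path, original in hits:
        counts[Path(original).suffix.lower()] += 1
    return dict(counts)


def triage(root):
    """Run the scan and return a plain dict suitable for a report or a ticket."""
    hits = find_encrypted_files(root)
    return {
        "encrypted_count": len(hits),
        "by_type": summarize_by_type(hits),
        "originals": sorted(original for _path, original in hits),
    }


def build_sample_tree():
    """Constructed sample: a temp dir mimicking a partially encrypted user
    folder. Content bytes are placeholders, not real ciphertext."""
    root = Path(tempfile.mkdtemp(prefix="mole66_triage_"))
    (root / "docs").mkdir()
    (root / "pics").mkdir()
    sample = {
        "docs/report.docx.MOLE66": b"\x00" * 16,
        "docs/budget.xlsx.MOLE66": b"\x00" * 16,
        "docs/notes.txt": b"untouched",            # not encrypted
        "pics/holiday.jpg.MOLE66": b"\x00" * 16,
        "pics/README.MOLE66": b"\x00" * 16,        # original had no extension
        "system.ini": b"untouched",                # not encrypted
    }
    for rel, data in sample.items():
        (root / rel).write_bytes(data)
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    print(f"{result['encrypted_count']} files carry {ENCRYPTED_SUFFIX}")
    for ext, count in sorted(result["by_type"].items()):
        print(f"  {ext or '(no extension)'}: {count}")
    print("original names:", ", ".join(result["originals"]))
```

Point `triage()` at a mounted image or a user profile copy rather than the live system, and treat the `originals` list as the restore list to reconcile against the most recent clean backup. The suffix match is deliberately case-sensitive and exact, since the article gives the extension in upper case; if a sample in the field shows a different casing, adjust `ENCRYPTED_SUFFIX` rather than loosening the match, so unrelated files are not swept into the count.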

Malware researchers also took note of a character-set filtering check in the MOLE66 Ransomware that causes the Trojan to exit without running its payload, including the encryption attack that would lock the user's files. So far, the MOLE66 Ransomware only uses this feature to avoid systems that use the Russian language, a practice that eastern European threat actors follow to evade the attention of Russian law enforcement. A similar, but differently implemented, check recently appeared in the Rapid 2.0 Ransomware, a file-locking Trojan from a different family.

Collapsing a Mole's Tunnel System

Some members of the CryptMix Ransomware family are compatible with the free decryption services that various anti-malware organizations offer, but malware experts warn that such compatibility isn't verifiable for the MOLE66 Ransomware variant. Users should keep backups of their media on other devices so that they can always restore anything that this threat, or other file-locking threats similar to it, encrypts, and so that no file is lost permanently.

The MOLE66 Ransomware also makes a handful of other changes to the PC, all of which suppress potential symptoms, disable security features such as Windows Defender, and remove default ways of recovering your media. However, most visible side effects are few in number until after the MOLE66 Ransomware completes its encryption routine. Users can best protect themselves, and their work, by letting anti-malware programs scan new files regularly and remove the MOLE66 Ransomware as soon as they find it.

The MOLE66 Ransomware is a minor spin on the CryptMix Ransomware family, but it shows how con artists may use different methods of sorting through their victims, and it hints at why they might do so. The MOLE66 Ransomware's family, and the file-locking attacks associated with it, remain relevant to the cyber-security landscape for the time being.
