MOLE Ransomware

The MOLE Ransomware is a new member of a Trojan family referred to as either CryptoMix or CryptMix Ransomware. Trojans within this group use a currently-unbreakable encryption method to encode and block your files, for which they extort ransom money. Users should avoid the delivery-themed e-mail links of this Trojan's campaign, along with having anti-malware products for eliminating the MOLE Ransomware or its installers in a preventative fashion.

What's Burrowing into Your File Data Today

Once again, con artists are exploiting e-mail as a favorable means of distributing new file-encrypting Trojans to victims, with the associated messages posing as notifications from the USPS. Instead of attaching the Trojan directly, the e-mails display links leading to fake plugins for the Microsoft Office program. Unprotected users clicking these links expose their browsers to an instance of the RIG Exploit Kit, which installs the MOLE Ransomware. Malware experts also note ties between this EK and other Trojan campaigns, usually with similar, encryption-based payloads.

The MOLE Ransomware is a Windows-specific Trojan that disables its installation on virtual or sandbox environments, which often are useful for threat analysis. If it does detect a suitable system environment, the MOLE Ransomware launches an install routine that includes a fake 'Color Calibration' pop-up to trick the user into giving it UAC admin privileges. Then, it launches the following attacks:

• The MOLE Ransomware conducts some network communications to provide its threat actor with a customized ID number for the infected PC, in addition to receiving an RSA-1024 encryption key that it saves locally.
• Using an AES-256 algorithm, the MOLE Ransomware encrypts media on all drives, such as documents, and renames them with a pattern of thirty-two hexadecimal characters and the '.MOLE' extension. The latter feature overwrites the original filenames.
• The MOLE Ransomware disables essential Windows services and features, including startup recovery, the Windows Defender, the Windows Update and the Background Intelligent Transfer Service.
• Like most file-encrypting Trojans of the past two years, the MOLE Ransomware also erases your Shadow Copies, which victims could use for recovering their encrypted files from default system backups.

Stopping an Expensive Mix-up of Your Files

The MOLE Ransomware's method of collecting a payoff for its attack is somewhat less sophisticated than the rest of its payload and uses nothing more than a Notepad message it places in every folder that has encrypted content. Victims have the option of contacting the e-mail addresses in the MOLE Ransomware's instructions and paying an unspecified ransom or risking the potential destruction of their files. Malware analysts have yet to find any vulnerabilities in the MOLE Ransomware's encryption method, which places importance on having backups dating to before an infection.

Even though some PC users may choose to protect themselves by using virtual environments, this safety measure is often impractical and doesn't stop all file-encrypting threats. Anti-malware programs with high rates of detecting similar Trojans also may delete the MOLE Ransomware or, preferably, block the RIG Exploit Kit's drive-by-downloads. Since its install process requires misinformed consent from the user in multiple locations, simply being cautious about what prompts and links you click eliminates much of the risk in the MOLE Ransomware's current infection vectors.

Ransom-based Trojans are extremely dependent on mistakes from the people they're attacking. Use that weakness to your advantage and avoid assuming that anything that looks safe can't harm your computer or the files you save on it.

Technical Details