Remove MOLE Ransomware and Restore Your Files

A new type of ransomware called MOLE has been detected in mid April 2017. This ransomware works similarly to other types of encrypting ransomware that it will encrypt the files on the target computers and demand a ransom from the victims. Researchers have found that this ransomware is a member of the CryptoMix family which was discovered on April 6, 2016. In case you have become a victim of this ransomware, please continue reading and you will find the useful guide to remove this threat out of your PC.


Quick Solution: Download a professional malware removal tool to remove MOLE ransomware immediately.


Description of Mole Ransomware


Mole Ransomware is a terrible file-encrypting ransomware. Its main purpose is to extort money from the victims. MOLE, Cerber, Locky and TeslaCrypt are such kind of ransomware. MOLE ransomware is mainly distributed via spam emails. The cyber hackers behind this ransomware send thousands of emails that appear to come from a legitimate service, such as USPS Ground mail, to random email users. There are various different email templates, but the final goal is to lure people to click on a suspicious URL contained in the email messages. Here is an example of the deceptive emails sent by the cyber hackers.

spam email

As you can see from the image above, if users click on the link provided in the email message, they will be redirected to a phishing Office365 website, which pretends to open a Microsoft Word document online. However, users will see a page with lots of messy codes and a notice saying that “This document cannot be read in your browser”. Users are recommended to download and install the latest plugin version in order to open the document normally. But what users actually download can be a dropper that has been designed to download the executable file of the MOLE ransomware to their computers.


Once the executable file is activated, the MOLE ransomware will be installed. Then, it will immediately connect to a distribution site via an unsecured port and begin to download its other malicious files on the victims’ computers. These files may be located in the following directories:

  • %Windows%
  • %SystemDrive%
  • %AppData%
  • %Roaming%
  • %Local%
  • %LocalLow%

After the malicious files are downloaded, the ransomware obtains administrative rights over the infected computers. Then, the following Windows processes are terminated:

  • WinDefend
  • Wscsvc
  • Wuauserv
  • ERSvc
  • BITS
  • WerSvc

Once all these things are done, it will start to encrypt almost all of personal files found on the hard drives using the RSA-1024 cryptography. According to the researchers, this ransomware mainly encrypt files with the following extensions:

.doc, .xls, .ppt, .mdb, .pub, .odt, .nef, .nrw, .orf, .ods, .odp, .odm, .accdb, .pst, .dwg, .dxf, .odc, .pef, .srw, .x3f, .der, .p7c, .rtf, .wb2, .cr2, .odb, .wps, .xlk, .dxg, .wpd, .cer, .r3d, .ptx, .mdf, .dbf, .psd, .pdd, .eps, .ai, .indd, .crt, .pem, .pfx, .p12, .p7b, .dcr, .kdc, .erf, .mef, .mrw, .raf, .raw, .arw, .srf, .rwl, .rw2, .cdr, .jpg, .dng, .3fr, .sr2, .bay, .crw

The encrypted file name is composed of 32 random characters and the “.MOLE” extension. Here are the examples of files that are encrypted and renamed by the MOLE ransomware.


The ransomware then display a ransom note, telling the victims that their personal files have been encrypted and if they want to get their files back they need to obtain the private key. This ransom note is a text file named “INSTRUCTION_FOR_HELPING_FILE_RECOVERY.TXT“. It can be found in each existing folder and on the desktop. Here is screenshot of the ransom note:


As we can see from the ransom note above, the cyber hackers behind the MOLE ransomware don’t tell a specified amount of money to decrypt the encrypted files. They require the victims to send their decrypt ID number to the given emails and wait for further instructions. If the victims don’t contact the cyber hackers within 72 hours, the amount of money required to buy the private key will double.


Contacting the cyber hackers should be the last resort. What if you don’t receive the private key after making the payment? What if the private key doesn’t work? So, we don’t recommend you directly buy the private key without trying other viable solutions. But at the moment, removing the ransomware will be a urgent matter! A ransomware could cause various problems to your PC other than extorting money from you.


How to Remove MOLE Ransomware from Your PC?


One of the worst things should be having ransomware like MOLE on your PC. It stops you from accessing your personal files by encrypting them using the complicated cryptography and demands a ransom for recovering of the encrypted files. The ransom is not very huge but often beyond the amount that you can accept. This is the reason why we recommend you to try removing the ransomware and then recovering your files in other ways, before you send an email to the cyber hackers. We have no reasons to give our hard-earn money to the bad guys, right? Now you can follow the methods below to try to remove MOLE ransomware from your PC.

Method 1: Run SpyHunter to remove MOLE ransomware.


What Is SpyHunter?

SpyHunter is a professional anti-malware program developed by Enigma Software Group USA LLC. This program is designed with advanced features that it can provide the highest level of protection for you computer and deal with many types of malware threats like viruses, rogue antivirus programs, ransomware, and rootkits. Besides, it offers 7×24 online assistance to help you resolve problems that cannot be fixed by the program.


Now you can follow below steps to download, install and use SpyHunter to get rid of MOLE ransomware from your PC:


  • Copy the downloaded file to your computer and then run it on your PC. When a dialog box pops up as below, click the Run button.SpyHunter-shortcut

click run

  • Select the language you prefer and click the OK button.

select language

  • Click CONTINUE to proceed.

click continue

  • Click I accept the EULA and Policy and click the INSTALL button.

accept terms and agreements

  • Now SpyHunter is being installed on your PC. Just for a few time.


  • Once SpyHunter is successfully installed on your PC, click the EXIT button.

click finish

  • Then, boot your PC into the Safe Mode. After you access the desktop, double click the icon of SpyHunter to run it on your PC. On its main screen, click the Scan Computer Now button to do a full system scan.

scan computer now

  • SpyHunter now will start scanning the entire system for any existing threats.

scanning process

  • When the scanning is done, SpyHunter will show you all detected threats. Click the Fix Threats button if you want to remove all found threats.


  • After all threats are completely deleted from your PC, restart your PC.
Warm tips: If for some reason you cannot find any item related to MOLE ransomware, we still suggest that you click the Fix Theats button to remove other detected threats. After being infected by the ransomware, some of your system settings could change, which lowers the security level. Under this situation, your computer system is very easy to be attacked by other types of malware and suffer from more unwanted problems. Hence, removing other malware threats is also an important thing that you need to do.



Method 2: Perform system restore to remove MOLE ransomware.


System restore is a Windows feature that can help fix certain types of computer problems, like crashing, blue screen of death, and malware infections. If you want to try the system restore to clean MOLE ransomware out of your PC, then follow the steps below.

  • Click Start menu and type system restore into the search box. Then, click System Restore from the result list.

restore system_1

  • In the window that appears, select the option of Recommended restore or Choose a different restore point (note: if the ransomware infection occurred earlier than the date of the Recommend restore, you should choose the later option).

restore system-2

  • Then, you’ll be presented with a list of restore points you have created previously. If you want more options, tick the box labelled Show More Restore Points. Then, you can Select an acceptable restore point and click the Next button.

restore system_3

  • Confirm your restore point and click on Finish. A dialog box will appear and require you to confirm that you really want to perform system restore. Click Yes button, and then the system restore will begin.

restore system_4

restore system_5

  • Please wait while your Windows files and settings are being restored.

restore system_6

  • After the system restore is completed, please log into your account.

restore system_7

  • Then, you will see a dialog box as below once the desktop loads up. Click on the Close button.

restore system_8

Important Note: Performing system restore is effective for the removal of some malware; however, it may not work when your computer is infected by a ransomware like MOLE. This is because ransomware always first infects the restore points of a target system when it starts the attack so as to avoid being removed from the computer. So, if you cannot successfully get rid of MOLE ransomware from your PC after the system restore, you can rely on an exclusive malware removal tool instead.


How to Recover Your Files by Other Ways?


When receiving a ransom note informing that all your important files have been encrypted and you are required to pay a sum of money in order to get your files back, you should first check its authenticity. It doesn’t exclude the possibility that some cyber hackers cheat your money by making you believe that all your files have been encrypted. They may only hide your files and show you some fake “encrypted files”. Here’s how to check:

Windows 7

Right click the Start button and select Open Windows Explorer.

Click Folder and search options.

folders and search options

Select the View tab, tick Show hidden files, folders, and drives, and then click OK.

show hidden files

If your files reappear after you show all hidden files. That will be good news. But if not, then you need to find other ways to recover them. Here are some ways that you can have a try.


Method 1: Use the Backups

The precondition to use this method is that you make a backup of your files before the ransomware attack. If you have, you can easily restore your files from a backup by following the steps below.

1. Click the Start menu, type backup into the search text box and click Backup and Restore from the resulting list.


2. In the popup window, find and click the Restore my files button.

resore my files3. Now you can browse for the file or folder you have recently backed up.

browse for folders

4. You can restore them back to the original location or choose a different place. click Restore and the system will start restoring your files.



Method 2: Use Shadow Volume Copies

Another method is to use Shadow Volume Copies. Some ransomware will delete your shadow copies as soon as it gets installed on your PC, but some may not. So, just try to restore your files using this method. Here is the detailed guide.


Method 3: Use a Decryptor Tool

If the above methods don’t work, the last solution is to try Kaspersky’s decryption tool and Trend Micro’s ransomware file decryptor. BUt please note that the following tools are not specially created to decrypt the files encrypted by MOLE ransomware, so it may not be 100% effective and may only decrypt a small part of your files.

Have you successfully removed MOLE ransomware and got your files back? If your answer is yes, then we congratulate you. If your answer is no, just don’t be upset. If you fail to remove threat using SpyHunter, you can try contact the tech support and ask them to help you; if you only remove the ransomware but cannot recover your files, please wait for a special decryption tool to appear. Remember, paying the ransom is the last resort.



Share Button

Share Button