Using an older version of ransomware source code to develop a somewhat more powerful strain is nothing new in the world of cybercrime. In fact, most types of ransomware are all clones of other families, with a few different twists and features. Mole ransomware is one of the newer strains researchers have discovered, even though it is a clear “copy” of CryptoMix. That doesn’t make it less dangerous, though.
Mole Ransomware Can Become A Big Problem
Security researchers were quick to point out that, while Mole may appear to be a new ransomware type, it really isn’t. To be more specific, they uncovered it shares a lot of similarities with CryptoMix ransomware types, including Revenge and CryptoShield. That being said, every clone of the original has added some new features, and Mole is no different in this regard.
As we have grown accustomed to these days, Mole ransomware is distributed through massive spam email campaigns. All of these emails pertain to alleged shipping notifications, although customers have probably never ordered anything that would be shipped through USPS. Then again, the email looks somewhat convincing, since it pertains to a delivery regarding a specific parcel. Once the recipient tracks the parcel number through the regular website, however, nothing will show up.
The email itself contains a hyperlink for users to click, which will trigger the ransomware payload distribution. Users are redirected to a fake Word document displaying an unreadable file which requires a specific plugin to be translated properly. Installing the plugin effectively results in installing the Mole ransomware on the target computer. Rest assured there will be some people who fall for these obvious scams regardless of how obviously fake the whole ordeal is.
Once the Mole ransomware is installed on the computer, it will immediately start the file encryption process. In fact, it is quite creative in this regard, as users will first see a fake alert on the desktop. Once the user clicks “OK” the ransomware itself will receive administrator privileges. That situation needs to be avoided at all costs, as it will only make the infection even more potent.
Speaking of file encryption, Mole uses AES-256 encryption to go about its business. Moreover, file encryption key is encrypted with this AES-1024 public encryption as well. As one would expect from malicious software these days, Mole has no plans to let victims off the hook easily. All Windows Shadow Volume Copies will be deleted and Windows startup recovery will be disabled automatically. This means recovering data from a previous backup will be virtually impossible, assuming the ransomware has been granted administrator privileges.
The ransom note forces users to contact the Mole developers with their unique decryption ID. Payment instructions will be delivered at a later date, and it appears as if the requested ransom is randomly determined for every individual victim. It remains to be seen if security researchers can come up with a convenient solution to get rid of Mole ransomware, but for now, there is no way to get rid of this malicious software without taking a data loss or paying the ransom in bitcoin.
If you liked this article, follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin, cryptocurrency, and technology news.