Napoleon Ransomware

The Napoleon Ransomware is an encryption ransomware Trojan that was first observed on December 4, 2017. The Napoleon Ransomware and similar threats are designed to encrypt the victims' data using a strong encryption algorithm, essentially taking the victim's files hostage. The Napoleon Ransomware will demand a ransom payment in exchange for the decryption key once the victim's files have been made inaccessible. The Napoleon Ransomware is delivered to victims through the use of spam email attachments that may take the form of Microsoft Word documents with corrupted macro scripts that download and install the Napoleon Ransomware onto the victim's computer.

How the Napoleon Ransomware Attack Works

The Napoleon Ransomware is not sophisticated particularly, and seems to have been coded quite poorly. However, the Napoleon Ransomware does carry out a functional encryption ransomware attack that is rooted on HiddenTear, an open source encryption ransomware platform that has been around since August 2015. Since its initial release, HiddenTear has spawned countless ransomware variants, which are relatively easy to create due to HiddenTear's simple availability on the Dark Web. The file types that may be encrypted by the Napoleon Ransomware infection are:

.1c, .3fr, .accdb, .ai, .arw, .bac, .bay, .bmp, .cdr, .cer, .cfg, .config, .cr2, .crt, .crw, .css, .csv, .db, .dbf, .dcr, .der, .dng, .doc, .docm, .docx, .dwg, .dxf, .dxg, .eps, .erf, .gif, .htm, .html, .indd, .iso, .jpe, .jpeg, .jpg, .kdc, .lnk, .mdb, .mdf, .mef, .mk, .mp3, .mp4, .mrw, .nef, .nrw, .odb, .ode, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdd, .pdf, .pef, .pem, .pfx, .php, .png, .ppt, .pptm, .pptx, .psd, .pst, .ptx, .r3d, .rar, .raw, .rtf, .rw2, .rwl, .sql, .sr2, .srf, .srw, .tif, .wb2, .wma, .wpd, .wps, .x3f, .xlk, .xls, .xlsb, .xlsm, .xlsx, .zip.

The Napoleon Ransomware renames the files it encrypts, via the addition of the following extension to the file's name:

'.[supp01@airmail.cc].napoleon'

The Napoleon Ransomware’s Ransom Note

The Napoleon Ransomware will deliver its ransom note in the form of an HTA file that appears on the infected computer's desktop after the Napoleon Ransomware finishes encrypting the victim's files. The file, named 'How_Decrypt_Files.hta,' contains the following message:

'Your documents, photos, databases and other important files have been encrypted
cryptographically strong, without the original key recovery is impossible!
To decrypt your files you need to buy the special software - NAPOLEON DECRYPTER
Using another tools could corrupt your files, in case of using third party
software we don't give guarantees that full recovery is possible so use it on
your own risk.

Your personal identification number: [RANDOM CHARACTERS]'

Unfortunately, despite the fact that the Napoleon Ransomware is clearly the work of amateurs and is not sophisticated particularly, the files encrypted by the Napoleon Ransomware are not recoverable without the decryption key. Because of this, it is important to take preventive measures to ensure that you have file backups on removable devices. The people behind the Napoleon Ransomware attack shouldn't be contacted, and the affected computer users shouldn't attempt to pay the ransom amount. Apart from the fact that this allows cybercrooks to continue financing these attacks, it also is very unlikely that the cybercrooks will help victims recover after the payment is made; they are just as likely to ignore the payment or demand a higher ransom.

SpyHunter Detects & Remove Napoleon Ransomware