Napoleon Ransomware DescriptionType: Ransomware
The Napoleon Ransomware is an encryption ransomware Trojan that was first observed on December 4, 2017. The Napoleon Ransomware and similar threats are designed to encrypt the victims' data using a strong encryption algorithm, essentially taking the victim's files hostage. The Napoleon Ransomware will demand a ransom payment in exchange for the decryption key once the victim's files have been made inaccessible. The Napoleon Ransomware is delivered to victims through the use of spam email attachments that may take the form of Microsoft Word documents with corrupted macro scripts that download and install the Napoleon Ransomware onto the victim's computer.
How the Napoleon Ransomware Attack Works
The Napoleon Ransomware is not sophisticated particularly, and seems to have been coded quite poorly. However, the Napoleon Ransomware does carry out a functional encryption ransomware attack that is rooted on HiddenTear, an open source encryption ransomware platform that has been around since August 2015. Since its initial release, HiddenTear has spawned countless ransomware variants, which are relatively easy to create due to HiddenTear's simple availability on the Dark Web. The file types that may be encrypted by the Napoleon Ransomware infection are:
.1c, .3fr, .accdb, .ai, .arw, .bac, .bay, .bmp, .cdr, .cer, .cfg, .config, .cr2, .crt, .crw, .css, .csv, .db, .dbf, .dcr, .der, .dng, .doc, .docm, .docx, .dwg, .dxf, .dxg, .eps, .erf, .gif, .htm, .html, .indd, .iso, .jpe, .jpeg, .jpg, .kdc, .lnk, .mdb, .mdf, .mef, .mk, .mp3, .mp4, .mrw, .nef, .nrw, .odb, .ode, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdd, .pdf, .pef, .pem, .pfx, .php, .png, .ppt, .pptm, .pptx, .psd, .pst, .ptx, .r3d, .rar, .raw, .rtf, .rw2, .rwl, .sql, .sr2, .srf, .srw, .tif, .wb2, .wma, .wpd, .wps, .x3f, .xlk, .xls, .xlsb, .xlsm, .xlsx, .zip.
The Napoleon Ransomware renames the files it encrypts, via the addition of the following extension to the file's name:
The Napoleon Ransomware's Ransom Note
The Napoleon Ransomware will deliver its ransom note in the form of an HTA file that appears on the infected computer's desktop after the Napoleon Ransomware finishes encrypting the victim's files. The file, named 'How_Decrypt_Files.hta,' contains the following message:
'Your documents, photos, databases and other important files have been encrypted
cryptographically strong, without the original key recovery is impossible!
To decrypt your files you need to buy the special software - NAPOLEON DECRYPTER
Using another tools could corrupt your files, in case of using third party
software we don't give guarantees that full recovery is possible so use it on
your own risk.
If you want to restore files, write us to the e-mail: email@example.com
In subject line write encryption and attach your ID in body of your message
also attach to email 3 crypted files. (files have to be less than 2 MB)
It is in your interest to respond as soon as possible to ensure the restoration
of your files, because we wont keep your decryption keys at our server more than
one week in interest of our security.
Only in case you do not receive a response from the first email address
withit 48 hours, please use this alternative email adress: firstname.lastname@example.org'
Your personal identification number: [RANDOM CHARACTERS]'
Unfortunately, despite the fact that the Napoleon Ransomware is clearly the work of amateurs and is not sophisticated particularly, the files encrypted by the Napoleon Ransomware are not recoverable without the decryption key. Because of this, it is important to take preventive measures to ensure that you have file backups on removable devices. The people behind the Napoleon Ransomware attack shouldn't be contacted, and the affected computer users shouldn't attempt to pay the ransom amount. Apart from the fact that this allows cybercrooks to continue financing these attacks, it also is very unlikely that the cybercrooks will help victims recover after the payment is made; they are just as likely to ignore the payment or demand a higher ransom.
File System Details
|#||File Name||MD5||Detection Count|
This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your computer. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.