What is Napoleon ransomware? And how does it execute its attack?
Napoleon ransomware is a newly discovered ransomware threat, first spotted on December 4, 2017. After thorough observation, it appears that this new ransomware is not sophisticated: it was coded poorly by the cyber crooks behind it. Nonetheless, this ransomware is not to be taken lightly despite its weak code, as it is still capable of encrypting files. Its code is based on the open source project known as Hidden Tear. Based on research, Napoleon ransomware is triggered by a Trojan which is associated with another ransomware threat called “Blind”. That crypto malware was first identified in September this year, and it now seems that its code was modified and released in a new active attack in the form of Napoleon ransomware.
According to experts, Napoleon targets files with the following extensions:
.1c, .3fr, .accdb, .ai, .arw, .bac, .bay, .bmp, .cdr, .cer, .cfg, .config, .cr2, .crt, .crw, .css, .csv, .db, .dbf, .dcr, .der, .dng, .doc, .docm, .docx, .dwg, .dxf, .dxg, .eps, .erf, .gif, .htm, .html, .indd, .iso, .jpe, .jpeg, .jpg, .kdc, .lnk, .mdb, .mdf, .mef, .mk, .mp3, .mp4, .mrw, .nef, .nrw, .odb, .ode, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdd, .pdf, .pef, .pem, .pfx, .php, .png, .ppt, .pptm, .pptx, .psd, .pst, .ptx, .r3d, .rar, .raw, .rtf, .rw2, .rwl, .sql, .sr2, .srf, .srw, .tif, .wb2, .wma, .wpd, .wps, .x3f, .xlk, .xls, .xlsb, .xlsm, .xlsx, .zip.
Once it locates files with these extensions, it starts encrypting them and appends the [[email protected]].napoleon extension to the end of each file’s name. It then creates data recovery instructions in a file named How_Decrypt_Files.hta, which contains the message below:
“Your documents, photos, databases and other important files have been encrypted
cryptographically strong, without the original key recovery is impossible!
To decrypt your files you need to buy the special software – NAPOLEON DECRYPTER
Using another tools could corrupt your files, in case of using third party
software we don’t give guarantees that full recovery is possible so use it on
your own risk.
If you want to restore files, write us to the e-mail: [email protected]
In subject line write encryption and attach your ID in body of your message
also attach to email 3 crypted files. (files have to be less than 2 MB)
It is in your interest to respond as soon as possible to ensure the restoration
of your files, because we wont keep your decryption keys at our server more than
one week in interest of our security.
Only in case you do not receive a response from the first email address
withit 48 hours, please use this alternative email adress: [email protected]’
Your personal identification number: [RANDOM CHARACTERS]”
Based on its ransom note, it’s clear that the crooks behind Napoleon ransomware want to look trustworthy by offering their victims a free decryption of three files that must not exceed 2MB. Victims are urged to contact the crooks within a week, or else they will delete the Napoleon decryptor used to recover the encrypted files. No matter how tempting recovering at least three files is, you should know that these crooks can’t be trusted, and under no circumstances should you contact or negotiate with them, as you’ll only end up losing money for nothing. Besides, this would only motivate them to create more ransomware threats. Don’t add fuel to the fire; look instead for ways to remove Napoleon ransomware and recover the encrypted files using alternative methods.
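As an added example (not code from this page or from any vendor it mentions), the following Python script triages a directory tree for the two indicators described above: file names carrying the appended [<e-mail>].napoleon suffix and copies of How_Decrypt_Files.hta, and reports which of the targeted extensions were hit. The contact address, the sample directory and its file names are constructed, and the extension list is a subset of the one given above.

```python
import os
import re
import tempfile
from pathlib import Path

# Subset of the extensions the page lists as Napoleon's targets.
TARGETED_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg",
                       ".png", ".sql", ".zip", ".pst", ".pem", ".pfx"}

# Appended suffix is "[<contact e-mail>].napoleon"; the address itself is not
# reproduced on the page, so match any bracketed text rather than one address.
NAPOLEON_SUFFIX = re.compile(r"\.\[[^\]]*\]\.napoleon$", re.IGNORECASE)
RANSOM_NOTE_NAME = "How_Decrypt_Files.hta"


def original_name(filename):
    """Return the pre-encryption name if the Napoleon suffix is present, else None."""
    m = NAPOLEON_SUFFIX.search(filename)
    return filename[:m.start()] if m else None


def triage(root):
    """Walk `root` and report encrypted files, ransom notes and targeted extensions hit."""
    encrypted, notes = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name == RANSOM_NOTE_NAME:
                notes.append(path)
            elif original_name(name) is not None:
                encrypted.append(path)
    # Recover the original extension (e.g. ".xlsx" from "budget.xlsx.[...].napoleon").
    hit = {Path(original_name(p.name)).suffix.lower() for p in encrypted}
    return {
        "encrypted": sorted(str(p) for p in encrypted),
        "notes": sorted(str(p) for p in notes),
        "targeted_extensions_hit": sorted(hit & TARGETED_EXTENSIONS),
    }


def build_sample_tree():
    """Create a throwaway directory mimicking a hit share (constructed sample data)."""
    root = Path(tempfile.mkdtemp(prefix="napoleon_triage_"))
    (root / "docs").mkdir()
    for name in ["docs/budget.xlsx.[attacker@example.invalid].napoleon",
                 "docs/How_Decrypt_Files.hta",
                 "photo.jpg.[attacker@example.invalid].napoleon",
                 "notes.txt",  # .txt is not on the target list and stays untouched
                 "How_Decrypt_Files.hta"]:
        (root / name).write_text("constructed sample content")
    return root
```

Run `triage(build_sample_tree())` to see the report for the constructed tree, or point `triage` at a real share to inventory what was touched before attempting recovery.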
How does Napoleon ransomware spread its malicious payload?
Napoleon ransomware spreads its malicious payload using several distribution techniques, such as spam emails and fake software or fake software updates. Cyber criminals often disguise both the fake software and the email as something legitimate to entice users into opening them. Once they do, Napoleon ransomware is installed and launched on the affected computer.
You must not delay the removal of Napoleon ransomware. To terminate it, make use of the removal instructions provided below as well as the recovery option for your encrypted files.
Step1. You have to end Napoleon ransomware’s process first by opening the Task Manager simply by tapping Ctrl + Shift + Esc keys on your keyboard.
Step2. Under the Task Manager, go to the Processes tab and look for any suspicious-looking process which takes up most of your CPU’s resources and is most likely related to Napoleon ransomware.
Step3. After that, close the Task Manager.
Step4. Tap Win + R, type in appwiz.cpl and click OK or tap Enter to open Control Panel’s list of installed programs.
Step5. Under the list of installed programs, look for Napoleon ransomware or anything similar and then uninstall it.
Step6. Next, close Control Panel and tap Win + E keys to launch File Explorer.
Step7. Navigate to the locations listed below and look for Napoleon ransomware’s malicious components, such as How_Decrypt_Files.hta, as well as other suspicious files, and then delete all of them.
Step8. Close the File Explorer.
Before you proceed to the next steps below, make sure that you are tech-savvy enough to know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make there will have a major impact on your computer. To save yourself the trouble and time, you can just use PC Cleaner Pro; this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage the Windows Registry well, then by all means go on to the next steps.
Step9. Tap Win + R to open Run, then type regedit in the field and tap Enter to pull up the Windows Registry.
Step10. Navigate to the following path:
Step11. Delete the registry keys and sub-keys created by Napoleon ransomware.
Step12. Close the Registry Editor and empty your Recycle Bin.
Try to recover your encrypted files using the Shadow Volume copies
Restoring your encrypted files using Windows’ Previous Versions feature will only work if Napoleon ransomware hasn’t deleted the shadow volume copies of your files. Still, this is one of the best free methods there is, so it’s definitely worth a shot.
To restore an encrypted file, right-click on it and select Properties; a new window will pop up. Go to the Previous Versions tab, which lists the file’s versions from before it was modified. Once the list loads, select one of the previous versions displayed, like the one in the illustration below, and then click the Restore button.
To make sure that nothing is left behind and that Napoleon ransomware is completely removed, use the following antivirus program. To use it, refer to the instructions below.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it’s already on, reboot it.
- After that, the BIOS screen will be displayed; if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, press F8 repeatedly until the Advanced Options menu shows up.
- Use the arrow keys to navigate the Advanced Options menu, select Safe Mode with Networking and then hit
- Windows will now load the Safe Mode with Networking.
- Press and hold both R key and Windows key.
- If done correctly, the Windows Run Box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro (a single space must be between explorer and http) and click OK.
- A dialog box will be displayed by Internet Explorer. Click Run to begin downloading the program. Installation will start automatically once the download is done.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.