
Napoleon – New Version Of Blind Ransomware

A new variant of the Blind ransomware, known as Napoleon, has been observed using a manual attack vector to compromise systems. Unlike Blind, which targeted user-generated files, Napoleon will encrypt all local and remote files.

It is suspected that Napoleon is distributed via Internet Information Services (IIS), Microsoft's web server. This is not a particularly effective delivery mechanism and as such is less commonly used; however, its rarity may make Napoleon harder to detect.

Once installed, Napoleon checks its privileges and, if they are high enough, deletes Volume Shadow Copies. It then terminates all Oracle and SQL Server related processes so that it can encrypt database files, before scanning the system for remote drives. Files are encrypted using AES in cipher block chaining (CBC) mode and given a .napoleon extension. A ransom note in HTA format is then placed in each folder, stating that files can be decrypted by purchasing a special decrypter, although it is highly likely that this offer is false and the files are unrecoverable.

The ransomware enumerates all the logical drives in the system and adds them into a target list. It attacks both fixed and remote drives.
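The two paragraphs above describe the artefacts a responder would find on a compromised host: files renamed with a .napoleon extension and an HTA ransom note in every affected folder, across both fixed and remote drives. The script below is an added triage example written for this page; it is not code from the original article or from Malwarebytes, and it has nothing to do with the ransomware itself. It walks one drive or share, counts encrypted files and notes, lists the folders hit, flags hit folders that lack a note, and tallies the original extensions. Two assumptions are labelled in the code: that the ransomware appends .napoleon to the original filename (the write-up does not say whether it appends or replaces), and that any .hta file in a hit folder is the ransom note (a heuristic, since the note's filename is not given). The sample directory tree is constructed inline so the script runs offline.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators stated in the write-up: encrypted files carry a .napoleon
# extension and an HTA ransom note is dropped in each folder that was hit.
ENCRYPTED_SUFFIX = ".napoleon"
NOTE_SUFFIX = ".hta"


def triage_tree(root):
    """Walk one drive or share and summarise Napoleon-style artefacts.

    The write-up says fixed and remote drives are hit alike, so a responder
    runs this once per drive letter or UNC path and merges the results.
    """
    summary = {
        "encrypted": 0,                # files ending in .napoleon
        "notes": 0,                    # .hta files (candidate ransom notes)
        "folders_hit": [],             # folders with at least one encrypted file
        "folders_without_note": [],    # hit folders with no .hta present
        "original_exts": Counter(),    # extension that preceded .napoleon
    }
    for dirpath, _dirnames, filenames in os.walk(root):
        encrypted_here = [f for f in filenames if f.lower().endswith(ENCRYPTED_SUFFIX)]
        # Heuristic (assumption): treat any .hta in the folder as the ransom note.
        notes_here = [f for f in filenames if f.lower().endswith(NOTE_SUFFIX)]
        summary["encrypted"] += len(encrypted_here)
        summary["notes"] += len(notes_here)
        if not encrypted_here:
            continue
        rel = os.path.relpath(dirpath, root)
        summary["folders_hit"].append(rel)
        if not notes_here:
            summary["folders_without_note"].append(rel)
        for name in encrypted_here:
            # Assumption (not stated in the write-up): .napoleon is appended to
            # the original name, so stripping it reveals the original extension,
            # e.g. "q3.xlsx.napoleon" -> ".xlsx".
            original = Path(name[: -len(ENCRYPTED_SUFFIX)]).suffix.lower() or "(none)"
            summary["original_exts"][original] += 1
    summary["folders_hit"].sort()
    summary["folders_without_note"].sort()
    return summary


def build_sample_tree(base):
    """Create a constructed directory layout for demonstration purposes only."""
    layout = {
        "finance": ["q3.xlsx.napoleon", "budget.docx.napoleon", "README.hta"],
        "db":      ["sales.mdf.napoleon", "README.hta"],
        "staging": ["report.pdf.napoleon"],   # encrypted but no note: worth a closer look
        "clean":   ["notes.txt"],
    }
    for folder, names in layout.items():
        folder_path = Path(base, folder)
        folder_path.mkdir(parents=True, exist_ok=True)
        for name in names:
            (folder_path / name).write_bytes(b"constructed sample content")


def run_demo():
    """Build the constructed tree in a temp dir, triage it and return the summary."""
    root = tempfile.mkdtemp(prefix="napoleon_triage_")
    build_sample_tree(root)
    return triage_tree(root)


if __name__ == "__main__":
    result = run_demo()
    print(f"encrypted files: {result['encrypted']}, ransom notes: {result['notes']}")
    print("folders hit:", ", ".join(result["folders_hit"]))
    print("hit folders without a note:", ", ".join(result["folders_without_note"]) or "none")
    print("original extensions:", dict(result["original_exts"]))
```

On a real case you would replace `run_demo()` with a call to `triage_tree()` per drive letter and per mapped share, and the `folders_without_note` list is the part worth reading first: a folder that was encrypted but received no note may indicate the process was interrupted there, which helps bound the incident timeline.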

Affected Platforms

Microsoft Windows – All Versions

The ransom note is in HTA format and looks like this:

[Image: Napoleon HTA ransom note; image via malwarebytes.com]

Duncan

Duncan is a technology professional with over 20 years' experience working in various IT roles. He has an interest in cyber security and has a wide range of other skills in radio, electronics and telecommunications.
