Napoleon Bonaparte is well known for conquering large parts of Europe in the early 19th century. Napoleon ransomware looks like it is trying to do the same in the 21st.
CryptoDrop spent part of our winter vacation studying this piece of ransomware. Let’s take a look under the hood together.
Technical Details on Napoleon
Napoleon is believed to be a variant of the Blind family of ransomware. Files on infected machines are encrypted and have their type/extension changed to “.napoleon”. This strain uses AES to encrypt files on the infected machine, and previous weaknesses in the Blind family that allowed for victims to decrypt without paying seem to have been addressed.
Our tests of Napoleon also exhibited no outbound DNS resolutions, meaning that network-based defenses are unlikely to help.
Bottom line: Prevention is the only defense against Napoleon.
Communications and Network Behavior
Unlike many other recent samples of ransomware, Napoleon does not rely on the use of Tor hidden services (a.k.a. “The Dark Web”) to hide the activities of its administrators. Instead, this ransomware makes use of two different anonymous email services: airmail.cc and cock.li.
Airmail.cc is a free, read-only email service that bills itself as a free and easy means of performing account sign-up without giving up your real email address. As such, it is not possible to send emails using this service. Airmail.cc randomly generates addresses and has no passwords. Instead, users simply go to the page and bookmark their account, which attempts to refresh every few seconds. If a user navigates away from the site for more than 24 hours, the service deletes all.
That’s a fairly precarious way to set up a payment network – failure to refresh or a lack of login means that payment requests may be lost. Still, the authors of this ransomware appear to be having no problem finding vulnerable machines.
The administrators of Napoleon also offer a back-up email address at the domain cock.li, “[o]nly in case you do not receive a response from the first email address witit [sic] 48 hours”. Cock.li has been used for anonymous communications in the past, including fake bomb threats against Los Angeles County and New York Public schools. That doesn’t mean that this website doesn’t have legitimate uses; rather, that it has regularly been the subject of subpoena and is still being used by adversaries for bad behavior.
Either way, you’re unlikely to be able to track down who is responsible for Napoleon any time soon.
CryptoDrop to the Rescue
As always, we ran this piece of ransomware against CrytoDrop. And again, as always, CryptoDrop detected Napoleon and stopped it before it could do much damage. Specifically, our Free version detected Napoleon after it encrypted 15 files. Our Fast Recovery Edition restored all of those files in about one second.
Napoleon Bonaparte was ultimately stopped by a coordinated defense (with the help of a cold, Russian winter). Protect yourself against ransomware with the same thing (but please, skip the frostbite). Grab a copy of CryptoDrop today! We Stop Ransomware!