A new variant of Blind ransomware carrying a .napoleon extension and that is being delivered via hacked internet information services (ISS) servers is now operating in the wild.
Malwarebytes Labs reported that while it is not 100 percent certain how the ransomware, which is beig called Napoleon, is being distributed the initial clues point toward it being spread manually by dropping and deploying on hacked computers most likely through ISS. An ISS is is an extensible web server created by Microsoft for use with the Windows NT family.
Malwarebytes said this form of distribution is neither popular nor efficient, but it has been used in the past with DMALocker and LeChiffre ransomware. More recently hacked ISS servers were used to mine the Monero cryptocurrency.
The upgrades included with Napoleon include eliminating the cache file that in previous instances could be used to decrypt the files and the attackers created a new graphic user interface. Napoleon also has the victim contact the attacker through an email instead of using a Tor-based website. Malwarebytes believes this means the attacker only intended to run a small campaign.
An attack follows a pretty straight path.
“First, the ransomware checks the privileges with which it runs. If it has sufficient privileges, it deletes shadow copies. Then, it closes processes related to databases—Oracle and SQL Server—so that they will not block access to the database files it wants to encrypt. Next, it goes through the disks and encrypts found files. At the end, it pops up the dropped ransom note in HTA format,” Malwarebytes said.
The malware attacks and encrypts every file it can reach skipping only those with a .napoleon extension and all the files are encrypted with the same key, but the initialization vector is different for each one.
The good news is Napoleon is unlikely to become widely used, however, due to the encryption being used there is no way to release the locked files without the key.