Netskope Threat Coverage: Evil Ant Ransomware

Netskope Threat Labs analyzed a Python-based ransomware family called Evil Ant that uses PyInstaller and the Fernet library to encrypt files in user folders and the root of external drives while keeping the Fernet key only in memory (though a hardcoded decryption key is present in current samples). The malware attempts to disable Windows Defender and Task Manager, requests elevation via UAC, collects the victim’s public IP and reports it via Telegram, and displays a tkinter ransom GUI. #EvilAnt #Netskope

Key points

  • Evil Ant is a Python-based ransomware compiled with PyInstaller that targets user directories and external drive roots, encrypting all files in target folders including .bak files.
  • It uses the Fernet symmetric cryptography library to generate an encryption key, encrypt file contents in-place, and—by default—does not persist the key externally, making files unrecoverable if the process is terminated.
  • The malware attempts to gain administrative privileges (via ShellExecute/UAC), disables Windows Defender real-time protection (via PowerShell or registry modification), and disables Task Manager by editing registry keys.
  • Evil Ant collects the victim’s public IP using httpbin.org and transmits it to the attacker via Telegram API; variants also send a “new attack is done…” message to the actor.
  • After encryption it presents a tkinter-based GUI ransom note with an input for a decryption key and contains a decryption routine that uses the same Fernet key if provided.
  • Some variants change the wallpaper, play a beeping sound at execution, and will forcibly shut down the system if a victim refuses to pay—causing loss of the in-memory key and permanent data loss.
  • Current samples contain a hardcoded decryption key in cleartext and include several identifiable IOCs (hashes, bitcoin address, email, Telegram bot token and channel), indicating the family is still in development.

MITRE Techniques

  • [T1564] Hide Artifacts – Hides the Python console window using Windows API ShowWindow to reduce visibility (‘start by hiding the process console’ / ‘hiding the Python console window using Windows API ShowWindow’).
  • [T1548] Abuse Elevation Control Mechanism – Attempts to obtain administrative privileges and restarts the executable with elevated rights using ShellExecute, prompting a UAC dialog (‘Evil Ant verifies if it runs with admin privileges… it restarts its process and prompts the user for elevated permissions.’).
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Disables Windows Defender real-time monitoring via PowerShell or sets DisableAntiSpyware in the registry on Windows 7 before encryption (‘attempts to disable Windows Defender… spawn Powershell and disable real-time monitoring’).
  • [T1112] Modify Registry – Disables Task Manager by editing system registry keys through Python’s winreg module to prevent process termination (‘will disable the victim’s Task Manager… by modifying the system registry key using Python’s winreg module.’).
  • [T1071.001] Application Layer Protocol: Web Protocols – Collects the victim’s public IP via an HTTP GET to httpbin.org and sends it to the attacker over Telegram API (‘send it to the attacker using Telegram… sends an HTTP GET request using the requests module to httpbin.org to collect the victim’s public IP address’).
  • [T1486] Data Encrypted for Impact – Encrypts files (including backup .bak files) in targeted user folders and external drive roots using the Fernet symmetric encryption library, overwriting original files (‘reads the content of the file, encrypts them, then overwrites the original file with the encrypted data.’).
  • [T1490] Inhibit System Recovery – Does not delete shadow copies but encrypts backup files and keeps the Fernet key only in memory (not persisted), making files unrecoverable if the ransomware process stops (‘did not store the Fernet key outside from the executable… make files unrecoverable in case the ransomware process stops unexpectedly’).
  • [T1497] Virtualization/Sandbox Evasion – Attempts to detect sandboxed/virtualized analysis by searching for virtualization strings in the PROCESSOR_IDENTIFIER environment variable (faulty check) (‘searching for virtualization solution strings in the victim’s “PROCESSOR_IDENTIFIER” environment variable’).

Indicators of Compromise

  • [MD5] Sample hashes – 06115323d1ce04a47c443ef4e7dd6eed, DFDE9E46392DD3C0FFBA3A238D2F3244, and 2 more hashes
  • [SHA256] Sample hashes – 8dd86c621f642de4f221a01bae2c4df88994717fcedd12728f51776d99bfddf9, 0A5C6F29889BF486091AB4CEE5918B83…, and 2 more hashes
  • [Bitcoin address] Ransom payment address – 3CLUhZqfXmM8VUHhR3zTgQ8wKY72cSn989
  • [Contact email] Attacker contact – evilant[.]ransomware@gmail[.]com
  • [Telegram] C2/notification details – bot token 6893451039:AAGMOfYl9-RF8rfOKQUSizMAqvr28TKmgpY, channel id -1002134979192, and API URL https://api[.]telegram[.]org/bot6893451039:AAGMOfYl9-RF8rfOKQUSizMAqvr28TKmgpY/sendMessage

Evil Ant is delivered as a PyInstaller-packed Python executable that begins execution by hiding its console and, in some variants, playing a short 2,500 Hz beep. It checks for administrative privileges using IsUserAnAdmin and, if not elevated, relaunches itself via ShellExecute to trigger a UAC prompt; successful elevation enables subsequent actions such as running PowerShell commands or modifying registry keys to disable Windows Defender (or set DisableAntiSpyware on Windows 7) and to disable Task Manager via Python’s winreg. The malware collects the victim’s public IP by issuing an HTTP GET to httpbin.org and forwards that information to the attacker through the Telegram API using an embedded bot token and channel ID.
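The Task Manager and Defender changes described above leave persistent registry artifacts that an incident responder can audit on a suspect host. The following script is an added example written for this summary, not code from Netskope or from the Evil Ant samples. It assumes the standard Windows policy locations for these settings (HKCU\...\Policies\System\DisableTaskMgr, HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware, and the related Real-Time Protection\DisableRealtimeMonitoring policy value, which the page does not mention but which is the policy-level counterpart of disabling real-time monitoring); the sample "infected state" dictionary is constructed for illustration. The registry read requires Windows; the evaluation logic is platform-independent so the same findings format can be produced from a collected registry export.

```python
"""
Audit policy registry values that Evil Ant-style ransomware flips to hamper
response. Added example for this threat summary; not Netskope's or the
malware's code. Reading the registry needs Windows (winreg); evaluate()
works anywhere on a dictionary of collected values.
"""
from typing import Dict, List, Optional, Tuple

try:
    import winreg  # Windows only
except ImportError:  # e.g. running the evaluation part on Linux
    winreg = None

# (hive, key path, value name, description). Paths are the standard
# policy locations (assumption: no custom GPO redirection on the host).
CHECKS = [
    ("HKEY_CURRENT_USER",
     r"Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "DisableTaskMgr",
     "Task Manager disabled by policy"),
    ("HKEY_LOCAL_MACHINE",
     r"SOFTWARE\Policies\Microsoft\Windows Defender",
     "DisableAntiSpyware",
     "Windows Defender disabled by policy"),
    ("HKEY_LOCAL_MACHINE",
     r"SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",
     "DisableRealtimeMonitoring",
     "Defender real-time protection disabled by policy"),
]

ValueKey = Tuple[str, str, str]


def read_policy_values() -> Dict[ValueKey, Optional[int]]:
    """Collect the DWORD values for every check; None when key/value is absent."""
    if winreg is None:
        raise RuntimeError("winreg is only available on Windows")
    values: Dict[ValueKey, Optional[int]] = {}
    for hive_name, path, value_name, _ in CHECKS:
        hive = getattr(winreg, hive_name)
        try:
            with winreg.OpenKey(hive, path) as key:
                data, kind = winreg.QueryValueEx(key, value_name)
                values[(hive_name, path, value_name)] = (
                    int(data) if kind == winreg.REG_DWORD else None
                )
        except OSError:  # key or value missing, or access denied
            values[(hive_name, path, value_name)] = None
    return values


def evaluate(values: Dict[ValueKey, Optional[int]]) -> List[str]:
    """Return one human-readable finding per value that is set to 1."""
    findings = []
    for hive_name, path, value_name, description in CHECKS:
        if values.get((hive_name, path, value_name)) == 1:
            findings.append(f"{description}: {hive_name}\\{path}\\{value_name} = 1")
    return findings


# Constructed sample state mimicking a host where Task Manager and Defender
# were disabled; used for offline demonstration and testing.
CONSTRUCTED_INFECTED_STATE: Dict[ValueKey, Optional[int]] = {
    (CHECKS[0][0], CHECKS[0][1], CHECKS[0][2]): 1,
    (CHECKS[1][0], CHECKS[1][1], CHECKS[1][2]): 1,
    (CHECKS[2][0], CHECKS[2][1], CHECKS[2][2]): None,
}
CONSTRUCTED_CLEAN_STATE: Dict[ValueKey, Optional[int]] = {
    (CHECKS[0][0], CHECKS[0][1], CHECKS[0][2]): 0,
}

if __name__ == "__main__":
    state = read_policy_values() if winreg is not None else CONSTRUCTED_INFECTED_STATE
    for line in evaluate(state) or ["no suspicious policy values found"]:
        print(line)
```

Running it on a live host prints one line per suspicious value; a clean host prints nothing suspicious. Restoring these values is only part of recovery: the page notes variants re-enable the features themselves after decryption, so a defender should not treat their absence as proof of no infection.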

For file impact, Evil Ant recursively targets directories under the Users profile and the root of attached external drives, encrypting all files it encounters (including .bak files) with Fernet symmetric encryption: it generates a key via Fernet.generate_key(), stores it in a global runtime variable, reads file contents, writes the encrypted data back in-place, and does not persist the key to disk—so terminating the process or rebooting will typically render data unrecoverable. After encryption the binary displays a tkinter-based ransom GUI that accepts a decryption key; the same Fernet mechanism is implemented for decryption, and variants will re-enable previously disabled features and notify the attacker via Telegram once decryption is performed.

Notable implementation flaws in current samples indicate an early-stage family: researchers found a hardcoded decryption key in cleartext within the executable (allowing recovery without payment) and a faulty sandbox-evasion check that searches the PROCESSOR_IDENTIFIER environment variable for virtualization strings. IOCs available from analyzed samples include multiple MD5/SHA256 hashes, a bitcoin address, contact email, and Telegram credentials that can be used to detect and block this threat.
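Because Evil Ant overwrites files with raw Fernet output (L36) and current samples ship a recoverable key (L38), two practical triage questions are "which files were overwritten with Fernet tokens?" and "does the key I recovered from the sample actually belong to these files?". The script below is an added example written for this summary, not Netskope's code and not derived from the samples; the hardcoded key found by the researchers is not reproduced here, so the key and token it uses are constructed placeholders. It relies only on the public Fernet token layout (a 0x80 version byte, 8-byte timestamp, 16-byte IV, AES-CBC ciphertext, and a trailing HMAC-SHA256 computed with the first 16 bytes of the decoded 32-byte key), so it identifies tokens and validates a candidate key with the standard library alone and without decrypting anything.

```python
"""
Fernet-token triage for ransomware response. Added example for this summary;
not Netskope's code. Recognises files overwritten with Fernet tokens and
checks whether a candidate key signed them, using only the standard library.
"""
import base64
import hashlib
import hmac
import os
import struct
import tempfile
from typing import Dict, List, Optional

FERNET_VERSION = 0x80
HEADER_LEN = 1 + 8 + 16   # version | timestamp | IV
HMAC_LEN = 32             # trailing HMAC-SHA256


def decode_token(data: bytes) -> Optional[bytes]:
    """Return the raw token bytes if data is structurally a Fernet token, else None."""
    try:
        # validate=True rejects any non-base64url character instead of discarding it
        raw = base64.b64decode(data.strip(), altchars=b"-_", validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < HEADER_LEN + HMAC_LEN + 16 or raw[0] != FERNET_VERSION:
        return None
    body_len = len(raw) - HEADER_LEN - HMAC_LEN
    if body_len % 16 != 0:  # AES-CBC with PKCS7 padding is always block-aligned
        return None
    return raw


def describe_token(raw: bytes) -> Dict[str, object]:
    """Extract the plaintext fields a responder can read without the key."""
    return {
        "timestamp": struct.unpack(">Q", raw[1:9])[0],
        "iv": raw[9:25].hex(),
        "ciphertext_len": len(raw) - HEADER_LEN - HMAC_LEN,
    }


def key_matches(raw: bytes, candidate_key: bytes) -> bool:
    """True if candidate_key (base64url, 32 bytes decoded) produced this token's HMAC."""
    try:
        key = base64.urlsafe_b64decode(candidate_key)
    except ValueError:
        return False
    if len(key) != 32:
        return False
    expected = hmac.new(key[:16], raw[:-HMAC_LEN], hashlib.sha256).digest()
    return hmac.compare_digest(expected, raw[-HMAC_LEN:])


def scan_directory(root: str, candidate_key: Optional[bytes] = None) -> List[Dict[str, object]]:
    """Walk root and report every file that parses as a Fernet token."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    raw = decode_token(fh.read())
            except OSError:
                continue
            if raw is None:
                continue
            info = describe_token(raw)
            info["path"] = path
            if candidate_key is not None:
                info["key_matches"] = key_matches(raw, candidate_key)
            findings.append(info)
    return findings


def build_sample_token(key_b64: bytes, fake_ciphertext: bytes, timestamp: int) -> bytes:
    """Constructed test fixture: a structurally valid token with placeholder
    ciphertext bytes (no AES is performed), signed with the given key."""
    key = base64.urlsafe_b64decode(key_b64)
    raw = bytes([FERNET_VERSION]) + struct.pack(">Q", timestamp) + b"\x00" * 16 + fake_ciphertext
    return base64.urlsafe_b64encode(raw + hmac.new(key[:16], raw, hashlib.sha256).digest())


# Constructed placeholder key and token; not the key found in the real samples.
SAMPLE_KEY = base64.urlsafe_b64encode(bytes(range(32)))
WRONG_KEY = base64.urlsafe_b64encode(bytes(32))
SAMPLE_TOKEN = build_sample_token(SAMPLE_KEY, b"\xaa" * 32, timestamp=1700000000)


def demo_scan() -> List[Dict[str, object]]:
    """Write one constructed token and one plain file to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "report.docx"), "wb") as fh:
            fh.write(SAMPLE_TOKEN)
        with open(os.path.join(tmp, "notes.txt"), "wb") as fh:
            fh.write(b"quarterly notes, still plain text\n")
        return scan_directory(tmp, SAMPLE_KEY)


if __name__ == "__main__":
    for finding in demo_scan():
        print(finding)
```

Point scan_directory at a copy of the affected profile and pass the key extracted from the sample; files that parse as tokens but fail the HMAC check were produced with a different key (a different run or variant) and should not be fed to a decryptor. The timestamp field, which Fernet stores in the clear, gives the encryption time for each file and helps bound the incident window.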

Read more: https://www.netskope.com/blog/netskope-threat-coverage-evil-ant-ransomware