Summary
Netskope Threat Labs recently analyzed a new ransomware strain named Evil Ant. Evil Ant ransomware is Python-based malware compiled with PyInstaller that attempts to encrypt all files stored in the victim’s personal folders and on external drives. This ransomware strain requires process continuity from encryption until file recovery: rebooting, shutting down, or terminating the ransomware process makes the affected files unrecoverable. Based on our analysis, Evil Ant is still in its early stages and is primarily targeting consumers at present. As of this publication, victims of the Evil Ant ransomware variant can also recover their files without paying, because the decryption key is hardcoded into the malware in cleartext.
The following is a summary of the Evil Ant ransomware execution flow:
- The Evil Ant ransomware starts by hiding the process console, and in certain variants it triggers a beeping sound upon execution.
- Evil Ant checks whether it is running with administrator privileges. If not, it restarts its own process and prompts the user for elevated permissions.
- Evil Ant disables the victim’s Windows Defender Antivirus and Task Manager to ensure successful encryption.
- Evil Ant collects the victim’s public IP address.
- Evil Ant then encrypts all files inside specific target folders as well as files with the .bak extension.
- After encryption, it displays a ransom note containing payment options and an input field where the victim types the decryption key provided by the attacker.
- Once the victim obtains and enters the decryption key, the ransomware decrypts all affected files.
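The execution flow above is a behaviour chain a defender can correlate on endpoint telemetry. The following is an added example, not code from the post or from Netskope: it scores constructed Sysmon-style events per process and flags any process that exhibits several stages of the chain. The registry values, the public-IP host and the "High" integrity field are assumptions, since the post does not say how Evil Ant disables Defender and Task Manager or which service it queries for the public IP.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events (not real telemetry); "pid" ties the chain together.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4212, "image": r"C:\Users\u\Downloads\inv.exe",
     "parent_image": r"C:\Users\u\Downloads\inv.exe", "integrity": "High"},
    {"id": 13, "pid": 4212, "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"},
    {"id": 13, "pid": 4212, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"},
    {"id": 3, "pid": 4212, "dest_host": "public-ip-lookup.example"},  # placeholder host
    {"id": 11, "pid": 4212, "file": r"C:\Users\u\Documents\report.docx"},
    {"id": 11, "pid": 4212, "file": r"D:\backup\db.bak"},
    {"id": 1, "pid": 900, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "integrity": "Medium"},
]

# Assumption: known public-IP lookup services; populate from your own intel list.
PUBLIC_IP_HOSTS = {"public-ip-lookup.example"}
# Assumption: common registry-based Defender tampering; the post does not name the method.
DEFENDER_KEYS = re.compile(
    r"\\Windows Defender\\(DisableAntiSpyware|Real-Time Protection\\DisableRealtimeMonitoring)$", re.I)

def stage_of(ev):
    """Map one event to a stage of the Evil Ant chain, or None if it matches nothing."""
    if ev["id"] == 1 and ev["image"].lower() == ev["parent_image"].lower() and ev["integrity"] == "High":
        return "self_relaunch_elevated"   # process restarts itself to obtain admin rights
    if ev["id"] == 13 and DEFENDER_KEYS.search(ev["target"]):
        return "defender_disabled"
    if ev["id"] == 13 and ev["target"].lower().endswith("\\disabletaskmgr"):
        return "taskmgr_disabled"
    if ev["id"] == 3 and ev["dest_host"] in PUBLIC_IP_HOSTS:
        return "public_ip_lookup"
    if ev["id"] == 11 and (re.search(r"\\Users\\", ev["file"], re.I) or ev["file"].lower().endswith(".bak")):
        return "user_or_bak_file_write"   # writes into personal folders or to .bak files
    return None

def stages_by_pid(events):
    """Collect the distinct chain stages observed for each process id."""
    hits = defaultdict(set)
    for ev in events:
        stage = stage_of(ev)
        if stage:
            hits[ev["pid"]].add(stage)
    return hits

def flag(events, min_stages=3):
    """Return the pids that exhibit at least min_stages distinct stages of the chain."""
    return sorted(pid for pid, s in stages_by_pid(events).items() if len(s) >= min_stages)
```

Any single stage (an elevated relaunch, a write to a .bak file) is common on its own; the signal is the combination within one process, which is why the threshold counts distinct stages rather than raw events.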
Analysis
Netskope Threat Labs analyzed several Evil Ant ransomware samples in the wild and observed that they are almost identical, with only a few variations. Some of the samples start by hiding the Python console window using the Windows API ShowWindow from User32.dll.
Other Evil Ant variants start their infection with a beeping sound produced by Python’s winsound module. It beeps briefly at 2,500 Hz. Since the sound serves no other purpose in the code, we assume this specific function is intended to be heard by the victim.