Summary
Netskope Threat Labs recently analyzed a new ransomware strain named Evil Ant. Evil Ant ransomware is Python-based malware compiled with PyInstaller that attempts to encrypt all files stored in the victim’s personal folders and on external drives. This ransomware strain requires process continuity from encryption until file recovery: rebooting, shutting down, or ending the ransomware process will make affected files unrecoverable. Based on our analysis, Evil Ant is still in its early stages and is primarily targeting consumers at present. As of this blog’s publication, victims of the Evil Ant ransomware variant can also recover their files without payment, because the decryption key is hardcoded into the malware in cleartext.
The following is a summary of the Evil Ant ransomware execution flow:
- The Evil Ant ransomware starts by hiding the process console, and in certain variants it triggers a beeping sound upon execution.
- Evil Ant verifies if it runs with admin privileges. If not, it restarts its process and prompts the user for elevated permissions.
- Evil Ant disables the victim’s Windows Defender Antivirus and Task Manager to ensure successful encryption.
- Evil Ant collects the victim’s public IP address.
- Evil Ant then encrypts all files inside specific target folde