{
	"id": "e86196d7-7496-48cc-a92a-122fcf22a683",
	"created_at": "2026-04-06T00:09:52.107076Z",
	"updated_at": "2026-04-10T13:12:13.190475Z",
	"deleted_at": null,
	"sha1_hash": "1aa518d33109bd3a0f86b9f246f36a88a8e205a4",
	"title": "Python Ciphering : Delving into Evil Ant’s Ransomware’s Tactics",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 789676,
	"plain_text": "Python Ciphering : Delving into Evil Ant’s Ransomware’s Tactics\r\nPublished: 2024-03-20 · Archived: 2026-04-05 18:37:05 UTC\r\nRecently we at K7Labs came across a tweet and analysed the Evil Ant ransomware sample mentioned in it.\r\nEvil Ant is another entry on the growing list of ransomware written in Python, a versatile and widely used programming language. This blog describes how this ransomware works and what its features are.\r\nBinary Analysis\r\nEvil Ant ransomware is packaged with PyInstaller, as shown in Figure 1.\r\nFigure 1: File info (Evil Ant ransomware)\r\nAfter extracting the .pyc files from the sample with pyinstxtractor, we located the probable entry point, indicated in Figure 2. An online decompiler was used to decompile the s13.pyc script.\r\nhttps://labs.k7computing.com/index.php/python-ciphering-delving-into-evil-ants-ransomwares-tactics/\r\nPage 1 of 8\r\nFigure 2 : Extracted pyc files\r\nLet’s go through the decompiled s13.pyc script.\r\nThe ransomware hides its console window and runs entirely in the background by calling the Windows API from Python, as shown in Figure 3.\r\nFigure 3 : Hiding the window\r\nFigure 4 shows how it checks its privilege level and prompts the user to run it with administrator privileges. Using the ‘runas’ verb with the ShellExecuteW API, as seen in Figure 5, the program relaunches itself elevated. ShellExecuteW with ‘runas’ goes through UAC, so on a default-configured system the victim sees a consent prompt; once elevated, the ransomware can carry out privileged tasks such as changing system settings and accessing protected files.\r\nFigure 4 : Checking privilege\r\nFigure 5 : Pursuing admin privilege\r\nAs shown in Figure 6, to stay undetected it disables Windows Defender by executing a PowerShell command. This step relies on the elevation obtained above, and it is blocked on systems where Defender’s Tamper Protection is enabled.\r\nFigure 6 : Disabling windows defender\r\nThe malware also checks that it is not running in an analysis environment by examining the PROCESSOR_IDENTIFIER environment variable, as depicted in Figure 7. If the value indicates a virtual machine, it exits without doing anything further. Because this is an ordinary environment variable, an analyst can set it to any value before launching the sample to steer this check.\r\nFigure 7 : VM identifying function\r\nThe victim’s IP address and system information are sent to a Telegram bot through the Telegram Bot API, using the bot token and channel ID hard-coded in the sample, as shown in Figure 8. The token is part of the request URL, so the IOC section below gives an exact string to match in outbound traffic to api.telegram.org.\r\nFigure 8 : Sending details through Telegram API\r\nEncryption\r\nThe ransomware encrypts file contents on the victim’s machine with a Fernet key generated at runtime. The MAGIC() method in s13.pyc generates the key and stores it in a global variable so that other functions can use it, as Figure 9 illustrates. Note that the key lives only in that variable of the running process: the Telegram beacon described above carries IP and system information, not the key.\r\nFigure 9 : Key generation\r\nThe function ALL() enumerates the drives present on the victim’s machine and encrypts all files under the target directories listed in Figure 10. To reach the files under the \u003cUsers\u003e folder, the malware obtains the current username with os.getlogin() from Python’s built-in os module.\r\nFigure 10 : Function ALL() with target directories\r\nThe function bak() encrypts all backup files with the .bak extension, as shown in Figure 11.\r\nFigure 11 : Encrypting .bak files\r\nThe encryption itself is done with Fernet from the cryptography Python library, as shown in Figure 12. Fernet is authenticated symmetric encryption (AES-128-CBC with an HMAC-SHA256 tag), so the encrypted files cannot be recovered without the exact key.\r\nFigure 12 : Encryption using Fernet key\r\nThere is also a function that changes the victim machine’s desktop wallpaper to grab the user’s attention and create panic about the ransomware’s execution, as shown in Figure 13.\r\nFigure 13 : New wallpaper changed by EvilAnt Ransomware\r\nOnce encryption is complete, a blue screen is displayed with a message demanding payment in bitcoin, as shown in Figure 14.\r\nFigure 14 : Threatening message display\r\nThe blue screen shows:\r\n- A countdown in the upper right corner.\r\n- A ‘how to buy bitcoin’ button; once clicked it opens ‘https://en.wikipedia.org/wiki/Bitcoin’ and ‘https://www.binance.com/en/how-to-buy/bitcoin’ (it uses Python’s webbrowser library to open these links in the default browser).\r\n- An ‘I don’t wanna pay’ button; clicking it shows a message box with a yes/no question. If the user clicks yes, the machine shuts down; if the user clicks no, another message box appears with the message ‘pay fast!’ and an OK button.\r\n- An input field with an ‘unlock me now!’ button; if the user enters the correct key and clicks the button, decryption starts.\r\nDecryption\r\nThis ransomware also has a function to decrypt the files.\r\n
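The following is an added example, not code from the K7Labs post or from the Evil Ant sample. Fernet, which the sample uses for both encryption and decryption, has a fixed token layout: a version byte 0x80, a 64-bit big-endian creation timestamp, a 16-byte IV, AES-CBC ciphertext and a 32-byte HMAC-SHA256 tag over everything before it, all base64url-encoded, so every file this sample encrypts starts with the text gAAAAA. The code below relies on that layout and only on the Python standard library to (1) triage file contents and recover the time at which each file was encrypted, and (2) check whether a candidate 32-byte Fernet key is the one that produced a given token, which is the check a responder would run on a key recovered from the still-running process before attempting any decryption. The key, timestamp, IV and token below are constructed for illustration; build_token signs a stand-in ciphertext without performing AES, because only the structure and the MAC are exercised here. Actual decryption still requires the cryptography package and the real key.

```python
import base64
import hashlib
import hmac
import struct
from datetime import datetime, timezone

# Fernet token layout: version(1) | timestamp(8, big-endian) | iv(16) | ciphertext(16n) | hmac(32)
FERNET_VERSION = 0x80
TOKEN_PREFIX = b'gAAAAA'            # base64url of 0x80 followed by the zero high bytes of the timestamp
MIN_RAW_LEN = 1 + 8 + 16 + 16 + 32  # smallest possible token: a single AES block of ciphertext


def decode_b64url(data):
    '''Strict base64url decode; returns None instead of raising on non-alphabet input or bad padding.'''
    try:
        return base64.b64decode(data, altchars=b'-_', validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None


def parse_fernet_token(token):
    '''Split a token into (timestamp, iv, ciphertext, mac), or return None if the layout does not fit.'''
    raw = decode_b64url(token)
    if raw is None or len(raw) < MIN_RAW_LEN or raw[0] != FERNET_VERSION:
        return None
    timestamp = struct.unpack('>Q', raw[1:9])[0]
    iv = raw[9:25]
    ciphertext = raw[25:-32]
    mac = raw[-32:]
    if len(ciphertext) % 16 != 0:  # AES-CBC output is always whole 16-byte blocks
        return None
    return timestamp, iv, ciphertext, mac


def triage_blob(blob):
    '''Classify raw file contents (bytes). Returns the Fernet verdict and, if positive, the encryption time.'''
    verdict = {'fernet': False, 'timestamp': None, 'encrypted_at': None}
    if not blob.startswith(TOKEN_PREFIX):  # cheap pre-filter before any decoding
        return verdict
    parsed = parse_fernet_token(blob.strip())
    if parsed is None:
        return verdict
    timestamp = parsed[0]
    verdict['fernet'] = True
    verdict['timestamp'] = timestamp
    try:
        verdict['encrypted_at'] = datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat()
    except (OverflowError, OSError, ValueError):  # structurally valid token with an absurd timestamp
        pass
    return verdict


def verify_key(token, key_b64):
    '''True if key_b64 (urlsafe-base64 of 32 key bytes) produced token. Fernet signs with the first
    16 key bytes over everything except the trailing tag, so recompute and compare that HMAC.'''
    key = decode_b64url(key_b64)
    raw = decode_b64url(token)
    if key is None or len(key) != 32 or raw is None or len(raw) < MIN_RAW_LEN:
        return False
    expected = hmac.new(key[:16], raw[:-32], hashlib.sha256).digest()
    return hmac.compare_digest(expected, raw[-32:])


def build_token(key_b64, timestamp, iv, ciphertext):
    '''Assemble and sign a token with the Fernet layout. Used here only to construct a test vector:
    the ciphertext is taken as given and no AES is performed.'''
    key = decode_b64url(key_b64)
    payload = bytes([FERNET_VERSION]) + struct.pack('>Q', timestamp) + iv + ciphertext
    mac = hmac.new(key[:16], payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac)


# Constructed sample material (not from the analysed sample): fixed key, fixed time, dummy ciphertext.
SAMPLE_KEY = base64.urlsafe_b64encode(bytes(range(32)))
SAMPLE_TIMESTAMP = 1710900000          # 2024-03-20T02:00:00Z
SAMPLE_IV = bytes(range(16))
SAMPLE_CIPHERTEXT = b'A' * 32          # stands in for two AES-CBC blocks


def make_sample_token():
    return build_token(SAMPLE_KEY, SAMPLE_TIMESTAMP, SAMPLE_IV, SAMPLE_CIPHERTEXT)


if __name__ == '__main__':
    token = make_sample_token()
    print(triage_blob(token))                          # fernet True, encrypted_at 2024-03-20T02:00:00+00:00
    print(triage_blob(b'plain text, not encrypted'))  # fernet False
    print(verify_key(token, SAMPLE_KEY))               # True
    print(verify_key(token, b'A' * 43 + b'='))         # False: all-zero key, MAC mismatch
```

To use this on a compromised host, feed the first bytes of each file to triage_blob; files reporting fernet True were rewritten by the sample, and their timestamps, which Fernet sets at encryption time, give the order and duration of the encryption run. verify_key is the gate before any recovery attempt: a candidate key that fails the MAC check on a known encrypted file is simply not the key, and trying to decrypt with it would only produce an InvalidToken error.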
But if the machine is shut down during decryption, the decryption process fails forever: the Fernet key exists only in the memory of the running ransomware process, so once that process is gone there is nothing left to decrypt with.\r\nAfter paying the ransom, the victim is supposed to receive an unlock key. This unlock key is hard-coded by the attacker in the ransomware sample and is highlighted in Figure 15; the key entered by the user must match it before decryption begins. The hard-coded value only gates the unlock() function: recovering it from the binary does not by itself recover the files, because decryption still needs the Fernet key generated at runtime.\r\nFigure 15 : Evaluation of user input\r\nThe unlock() function uses the previously generated Fernet key to decrypt the files. It reads each encrypted file in binary mode, decrypts the data and writes the original data back into the file, as shown in Figure 16.\r\nFigure 16 : Decryption operation\r\nUsers are advised to use reputable security products like K7 Total Security, to regularly update and scan their devices, and to keep their devices patched against the latest security vulnerabilities to stay safe from such threats.\r\nIndicators of Compromise (IOC)\r\nHash (MD5): ac612b8f09ec1f9d87a16873f27e15f0\r\nDetection Name: Trojan ( 0001140e1 )\r\nC2 Address\r\nTelegram_bot_token : 6893451039:AAGMOfYl9-RF8rfOKQUSizMAqvr28TKmgpY\r\nTelegram_channel_id : -1002134979192\r\nTelegram_api_url : https://api[.]telegram[.]org/bot6893451039:AAGMOfYl9-RF8rfOKQUSizMAqvr28TKmgpY/sendMessage\r\nContact email : evilant.ransomware@gmail.com\r\nBitcoin address : 3CLUhZqfXmM8VUHhR3zTgQ8wKY72cSn989\r\nSource: https://labs.k7computing.com/index.php/python-ciphering-delving-into-evil-ants-ransomwares-tactics/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://labs.k7computing.com/index.php/python-ciphering-delving-into-evil-ants-ransomwares-tactics/"
	],
	"report_names": [
		"python-ciphering-delving-into-evil-ants-ransomwares-tactics"
	],
	"threat_actors": [],
	"ts_created_at": 1775434192,
	"ts_updated_at": 1775826733,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1aa518d33109bd3a0f86b9f246f36a88a8e205a4.pdf",
		"text": "https://archive.orkl.eu/1aa518d33109bd3a0f86b9f246f36a88a8e205a4.txt",
		"img": "https://archive.orkl.eu/1aa518d33109bd3a0f86b9f246f36a88a8e205a4.jpg"
	}
}