Python Ciphering : Delving into Evil Ant’s Ransomware’s Tactics Published: 2024-03-20 · Archived: 2026-04-05 18:37:05 UTC Recently we at K7Labs came across a tweet and analysed the Evil Ant ransomware sample mentioned in the tweet.  Evil Ant,also a member of ransomware list that employs Python, a versatile and widely used programming language. This blog describes how this ransomware works and what its features are. Binary Analysis Evil Ant ransomware is packed by pyinstaller as shown in Figure 1. Figure 1: File info (Evil Ant ransomware) After extracting the pyc files from this sample using pyinstxtractor, we were able to locate the potential entry point indicated in Figure 2. An online decompiler was used to decompile the s13.pyc script. https://labs.k7computing.com/index.php/python-ciphering-delving-into-evil-ants-ransomwares-tactics/ Page 1 of 8 Figure 2 : Extracted pyc files Let’s go through the decompiled s13.pyc script. This ransomware hides the console window and runs everything in the background using Windows DLL API, which is shown in Figure 3. Figure 3 : Hiding the window Figure 4 shows how it prompts the user to run with administrator privileges. With the use of the ‘runas’ verb along with ShellExecuteW API as seen in Figure 5, the program can be relaunched with administrative privilege which enables the ransomware to carry out  admin privileged tasks like  changing system settings, accessing protected files. Figure 4 : Checking privilege https://labs.k7computing.com/index.php/python-ciphering-delving-into-evil-ants-ransomwares-tactics/ Page 2 of 8 Figure 5 : Pursuing admin privilege As shown in Figure 6, to stay undetected, it disables Windows Defender by executing a PowerShell command. Figure 6 : Disabling windows defender Also, this malware verifies that it is not run in a controlled environment by examining the environment variable PROCESSOR_IDENTIFIER and exits without being , as depicted in Figure 7. If it is executed on the virtual machine, it exits without being executed. Figure 7 : VM identifying function The IP and system information are being sent to a Telegram bot through the Telegram API using a bot token and channel ID as shown in Figure 8. Figure 8 : Sending details through Telegram API Encryption https://labs.k7computing.com/index.php/python-ciphering-delving-into-evil-ants-ransomwares-tactics/ Page 3 of 8 This ransomware uses an auto generated key using Fernet to encrypt the file contents in the victim’s machine.The MAGIC() method in s13.pyc generates and stores the key in a global variable so that it can be utilised by other functions. Figure 9 illustrates this process. Figure 9 : Key generation The function ALL() helps to enumerate and identify the drives present in the victim’s machine and encrypt all the files under  the mentioned directories as displayed in Figure 10. To encrypt the files under the folder  this malware gets the current username by using the getlogin() function from the built-in os module in python. Figure 10 : Function ALL() with target directories The function named bak() encrypts all of the backup files ending with .bak extension as shown in Figure 11. https://labs.k7computing.com/index.php/python-ciphering-delving-into-evil-ants-ransomwares-tactics/ Page 4 of 8 Figure 11 : Encrypting .bak files Encryption is being done by Fernet which is a cryptography python library as shown in Figure 12. Figure 12 : Encryption using Fernet key There’s also a function to change the victim machine’s desktop wallpaper which is for seeking the user’s attention and creating panic about this ransomware execution as shown in Figure 13. Figure 13 : New wallpaper changed by EvilAnt Ransomware Once all this encryption is done, the blue screen will be displayed with a message to pay in bitcoin as shown in https://labs.k7computing.com/index.php/python-ciphering-delving-into-evil-ants-ransomwares-tactics/ Page 5 of 8 Figure 14. Figure 14 : Threatening message display The blue screen display shows A countdown in the upper right corner. ‘how to buy bitcoin’ button, once clicked  it opens the following wikipedia links ‘https://en.wikipedia.org/wiki/Bitcoin’,’https://www.binance.com/en/how-to-buy/bitcoin‘ (It uses the webbrowser library from Python to open these links by default) ‘I don’t wanna pay’ button, upon clicking it shows a message box with yes or no question, if the user clicks yes it shuts down the machine, if the user clicks no it just shows another message box with a message ‘pay fast!’ with the ok button. There’s also an input field with ‘unlock me now!’ Button, if the user enters the correct key and clicks the button the decryption will be started Decryption This ransomware also has a function to decrypt the files. But, if the machine is shut down in between during decryption, the decryption process fails forever. After paying the ransom, the victim receives an unlock key. An unlock key is hard-coded already by the attacker in the ransomware sample. The user entered unlock key must match with the hard-coded key to decrypt. The hard-coded key is highlighted in Figure 15. Figure 15 : Evaluation of user input https://labs.k7computing.com/index.php/python-ciphering-delving-into-evil-ants-ransomwares-tactics/ Page 6 of 8 The unlock() function will use that formerly auto generated Fernet key to decrypt the files. It reads the encrypted files in binary mode and decrypts the data then rewrites the original data into the file as shown in Figure 16. Figure 16 : Decryption operation Users are advised to use reputable security products like K7 Total Security and also regularly update and scan your devices to stay safe from such threats. Also keep your devices updated and patched against the latest security vulnerabilities. Indicators of Compromise (IOC) Hash Detection Name ac612b8f09ec1f9d87a16873f27e15f0 Trojan ( 0001140e1 ) C2 Address Telegram_bot_token : 6893451039:AAGMOfYl9-RF8rfOKQUSizMAqvr28TKmgpY Telegram_channel_id : -1002134979192 Telegram_api_url : https://api[.]telegram[.]org/bot6893451039:AAGMOfYl9- RF8rfOKQUSizMAqvr28TKmgpY/sendMessage Contact email : evilant.ransomware@gmail.com https://labs.k7computing.com/index.php/python-ciphering-delving-into-evil-ants-ransomwares-tactics/ Page 7 of 8 Bitcoin address : 3CLUhZqfXmM8VUHhR3zTgQ8wKY72cSn989 Source: https://labs.k7computing.com/index.php/python-ciphering-delving-into-evil-ants-ransomwares-tactics/ https://labs.k7computing.com/index.php/python-ciphering-delving-into-evil-ants-ransomwares-tactics/ Page 8 of 8