Pants ransomware is file-encrypting malware from the GlobeImposter ransomware family. It adds the .pants file extension to encrypted files (e.g. image.jpg -> image.jpg.pants), and drops the fuc**hit.html ransom note.
Pants ransomware is a dangerous piece of malware that encrypts files and demands that users pay for their decryption. It's a fairly standard ransomware and one of the members of the infamous GlobeImposter family. Encrypted files will have the .pants file extension added to them, which is why this malware is named Pants ransomware. Once it has encrypted all files, it drops an HTML ransom note, which opens in the browser when clicked. The note explains that files have been encrypted and that, to recover them, victims need to email BlackMajor@protonmail.com. The price for the decryptor is not specified in the ransom note; it would be revealed once victims email the cyber crooks behind this ransomware. Ransomware usually demands somewhere between $100 and $1000.
But when it comes to ransomware, paying the ransom is not a good idea. There is always a chance that the cyber crooks behind this ransomware will not send a decryptor, or will send a non-working one. It has happened many times in the past, and users ended up losing both their money and their files.
Restoring from backup is the only sure way to recover files. This is why it's so crucial that users regularly back up their files. If users do have a backup, it's very important that they first remove Pants ransomware and only then connect to the backup. Otherwise, the files in the backup may become encrypted as well.
For users who do not have a backup, waiting for malware researchers to release a free decryption tool is an option. Emsisoft has released a decryptor for GlobeImposter, and one for Pants ransomware could be released as well.
Ransomware distribution methods
Most ransomware uses the same distribution methods, which include email attachments, torrents, software cracks, and system vulnerabilities.
Users who download pirated content via torrents are not only essentially stealing content but also putting their computers in danger. Torrent sites are often unregulated, meaning cyber crooks can easily disguise their ransomware as a torrent for something popular, like a movie, game or program. The same goes for software cracks. If users want to avoid infecting their computers with ransomware, they should avoid using torrents to download copyrighted content.
Installing updates may seem like a minor thing, but it's actually very important, as updates patch known vulnerabilities that malware can use to infiltrate a system. The WannaCry ransomware attack was so widespread because many systems did not have an important update installed. Whenever possible, users should enable automatic updates.
Finally, perhaps the most common way ransomware is distributed is via email attachments. Cyber criminals purchase hundreds of email addresses from hacker forums and use them to launch a spam campaign that distributes ransomware. The emails are usually recognizable because they are sent from nonsense email addresses, contain loads of grammar and spelling mistakes, and just generally seem off. It's generally recommended to always scan email attachments with anti-malware software or VirusTotal before opening them, to ensure they are safe.
Overall, users who have good browsing habits are less likely to pick up some kind of malware, as they are more careful.
What does Pants ransomware do?
When the ransomware launches, it will start encrypting files. The files that are usually targeted include photos, videos, documents, etc., as they are the files users are most willing to pay for. Encrypted files will have the .pants file extension added. For example, a file named image.jpg would become image.jpg.pants. Once file encryption is complete, it drops an HTML ransom note. The note explains that the only way to recover files is to buy their decryptor. As mentioned above, the requested sum is not stated and would likely be specified if victims were to email BlackMajor@protonmail.com.
Here's the full Pants ransomware ransom note:
YOUR PERSONAL ID
YOUR FILES ARE ENCRYPTED!
ALL YOUR IMPORTANT DATA HAS BEEN ENCRYPTED.
To recover data you need decryptor.
To get the decryptor you should:
Send 1 test image or text file BlackMajor@protonmail.com.
In the letter include your personal ID (look at the beginning of this document).
We will give you the decrypted file and assign the price for decryption all files
After we send you instruction how to pay for decrypt and after payment you will receive a decryptor and instructions We can decrypt one file in quality the evidence that we have the decoder.
Only BlackMajor@protonmail.com can decrypt your files
Do not trust anyone BlackMajor@protonmail.com
Do not attempt to remove the program or run the anti-virus tools
Attempts to self-decrypting files will result in the loss of your data
Decoders other users are not compatible with your data, because each user’s unique encryption key
Victims are usually discouraged from paying the ransom, whatever the sum may be. There are two reasons for this. First, there are no guarantees that files will be decrypted, because the people behind this ransomware are cyber criminals who will not necessarily feel any kind of obligation to help victims. Second, by paying, victims are essentially encouraging cyber crooks to continue their malicious activities, as ransomware becomes a profitable business for them.
For users who have no backup and no other way to recover files, the only option is to wait for a free decryptor to become available. NoMoreRansom is a good source for decryptors. It should be mentioned that cyber crooks have started disguising malware as ransomware decryptors, so it is very important to only download these tools from safe sources. Until a decryptor becomes available, victims should remove the ransomware, back up the encrypted files and wait.
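The two things the article describes about the infection's footprint, the .pants suffix appended to each file (image.jpg becomes image.jpg.pants) and the HTML ransom note naming BlackMajor@protonmail.com, are enough to build a small inventory tool that supports the advice above: back up the encrypted files and keep a record of their original names for when a decryptor appears. The script below is an added example written for this page, not a tool from the article or from any vendor it mentions. It assumes the ransom note's filename is unknown (the page only gives it in censored form), so it identifies the note by its .html extension and the contact address it contains; the sample directory tree it builds is constructed for the demo and contains no real victim data.

```python
"""Inventory files encrypted by Pants ransomware (.pants suffix), locate its HTML
ransom note, and write a manifest of original filenames so the encrypted copies
can be backed up while waiting for a decryptor. Added example, not the article's code."""
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Optional

# Extension the article says Pants ransomware appends (image.jpg -> image.jpg.pants).
PANTS_SUFFIX = ".pants"
# The note's filename is censored on the page, so instead of matching the name we
# look for HTML files that contain the contact address the note cites (lower-cased).
CONTACT_ADDRESS = "blackmajor@protonmail.com"


def original_name(encrypted_name: str) -> Optional[str]:
    """Recover 'image.jpg' from 'image.jpg.pants'; None if the name is not Pants-encrypted."""
    if encrypted_name.lower().endswith(PANTS_SUFFIX):
        stem = encrypted_name[: -len(PANTS_SUFFIX)]
        if stem:  # a bare ".pants" carries no original name
            return stem
    return None


def is_ransom_note(path: Path) -> bool:
    """True for an HTML file that mentions the attacker's contact address."""
    if path.suffix.lower() not in (".html", ".htm"):
        return False
    try:
        text = path.read_text(encoding="utf-8", errors="ignore")
    except OSError:
        return False
    return CONTACT_ADDRESS in text.lower()


def inventory(root: str) -> dict:
    """Walk root; return encrypted files with recovered names, note paths, and per-type counts."""
    encrypted = []
    notes = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            orig = original_name(name)
            if orig is not None:
                encrypted.append((str(path), orig))
            elif is_ransom_note(path):
                notes.append(str(path))
    by_type = Counter(Path(orig).suffix.lower() or "(no extension)" for _, orig in encrypted)
    return {"encrypted": sorted(encrypted), "notes": sorted(notes), "by_type": dict(by_type)}


def write_manifest(inv: dict, out_path: str) -> int:
    """Write one 'encrypted path<TAB>original name' line per file; return the line count."""
    with open(out_path, "w", encoding="utf-8") as fh:
        for enc, orig in inv["encrypted"]:
            fh.write(f"{enc}\t{orig}\n")
    return len(inv["encrypted"])


def run_demo() -> dict:
    """Build a constructed sample tree (not real victim data) and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "photos").mkdir()
        (root / "photos" / "image.jpg.pants").write_bytes(b"\x00ciphertext\x00")
        (root / "report.docx.pants").write_bytes(b"\x00ciphertext\x00")
        (root / "untouched.txt").write_text("still plaintext")
        # Placeholder filename: the real note name is censored on the page.
        (root / "RANSOM_NOTE_PLACEHOLDER.html").write_text(
            "<html>YOUR FILES ARE ENCRYPTED! Send 1 test file to BlackMajor@protonmail.com</html>"
        )
        inv = inventory(tmp)
        count = write_manifest(inv, str(root / "manifest.tsv"))
        return {
            "encrypted_count": count,
            "note_count": len(inv["notes"]),
            "by_type": inv["by_type"],
            "originals": sorted(orig for _, orig in inv["encrypted"]),
        }


if __name__ == "__main__":
    print(run_demo())
```

Run `inventory()` against a user's profile directory after the ransomware itself has been removed, then copy the listed files and the manifest to offline media; the manifest is what lets a future decryptor's output be renamed back to the original names even if the decryptor does not strip the suffix itself.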
Pants ransomware removal
Victims should only remove Pants ransomware using anti-malware software. Since ransomware is a complex infection, dealing with it manually is not a good idea, as inexperienced users may end up doing more damage. Instead, users should use anti-malware software for Pants ransomware removal. Unfortunately, removing the ransomware does not mean files will be decrypted; that can only be done with a special decryptor. Once the ransomware is no longer present, users can start recovering files from backup.
Pants ransomware is detected as:
- A Variant Of Win32/Filecoder.FV by ESET
- HEUR:Trojan.Win32.Generic by Kaspersky
- Ransom:Win32/Filecoder.RB!MSR by Microsoft
- Ransom.GlobeImposter by Malwarebytes
- Win32:Malware-gen by Avast/AVG
- Globelmposter!656EAB6D9B13 by McAfee