The Pants ransomware is a malicious program belonging to the GlobeImposter family of ransomware. These viruses make data inaccessible through encryption. After encrypting files, Pants generates a ransom note in the form of an HTML file in folders with affected files. The infection is noticeable due to the virus renaming files with the .Pants file extension.
The ransom note is titled "HOW TO DECRYPT YOUR FILES," and it details how files have been encrypted and what victims can do about it. Victims are told that they can send one affected file to an email address to have it decrypted for free. This acts as a test to prove to victims the promised solution works. The cybercriminals will return the decrypted file along with more information on how they can purchase the decryption tool to restore all of their data. The note also warns against the use of antivirus tools and attempting to remove the malware by yourself. Such actions can, allegedly, make it impossible to recover data.
However, it's common for cybercriminals to not offer the decryption tool even after getting the payment from victims. This is why it is recommended that victims never pay the ransom to avoid financial losses.
Instead, you should take steps to remove the virus from your computer first to prevent further infection. It would be best if you used a robust antivirus and anti-malware protection solution to keep your computer safe from Pants and other threats.
How Does Pants Ransomware Get On Computers?
Pants ransomware primarily infects computers through spam emails. These emails have infected attachments and links. The ransomware can also get into systems using vulnerabilities in software and the operating system.
Cybercriminals send out emails with forged header information. The emails are designed and written to trick users into believing they come from a legitimate shipping company such as FedEx. The email alerts users to a failed delivery or claims to be a notification about a shipment the reader has made. Either way, victims are encouraged to download a file or follow a link to learn more. Opening the attachment infects the computer with Pants ransomware.
Pants ransomware has also been seen getting in through open Remote Desktop Services (RDP) ports. Attackers look for systems running RDP (TCP port 3389) and try to brute-force their way onto those systems.
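The brute-force pattern described above shows up in the Windows Security log as bursts of failed logons (event ID 4625) with a remote logon type from a single address. The following detection logic is an added example, not part of the original article; the record layout, threshold, window and sample events are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED, SUCCESS = 4625, 4624   # Windows Security log event IDs
REMOTE_TYPES = {3, 10}         # 3 = Network (RDP with NLA), 10 = RemoteInteractive

def ev(ts, event_id, logon_type, ip, user):
    return {"time": datetime.fromisoformat(ts), "id": event_id,
            "logon_type": logon_type, "ip": ip, "user": user}

# Constructed sample records, not real logs (documentation-range addresses).
SAMPLE_EVENTS = (
    [ev(f"2020-01-10T03:14:{s:02d}", FAILED, 3, "203.0.113.50", "administrator")
     for s in range(0, 40, 5)]                      # 8 failures in 40 seconds
    + [ev("2020-01-10T03:15:02", SUCCESS, 10, "203.0.113.50", "administrator"),
       ev("2020-01-10T09:00:00", FAILED, 10, "198.51.100.7", "alice"),
       ev("2020-01-10T09:00:30", SUCCESS, 10, "198.51.100.7", "alice"),
       ev("2020-01-10T09:05:00", FAILED, 2, "-", "bob")]   # local console, ignored
)

def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed remote logons inside one window."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["logon_type"] not in REMOTE_TYPES:
            continue
        if e["id"] == FAILED:
            failures[e["ip"]].append(e["time"])
        elif e["id"] == SUCCESS:
            successes[e["ip"]].append(e["time"])
    findings = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge
                start += 1
            if end - start + 1 >= threshold:
                burst_start = times[start]
                # A success after the burst began suggests a guess worked.
                hit = any(s >= burst_start for s in successes[ip])
                findings[ip] = {"failures": len(times), "success_after_burst": hit}
                break
    return findings

if __name__ == "__main__":
    for ip, info in find_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, info)
```

An address flagged with success_after_burst set should be treated as a likely entry point and the account it used as compromised.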
What Does Pants Ransomware Do?
This variation of Pants ransomware restricts computer access by encrypting files and appending a new .pants file extension to them. The virus then attempts to coerce victims out of money in exchange for a decryption key to restore the data.
The ransomware can attack all versions of Windows from Windows 7 to Windows 10. Pants ransomware checks for specific file extensions to find files to encrypt. It mostly targets productivity documents such as .doc, .docx, and .pdf files. The ransomware changes the file extension of these files to make them inaccessible.
Last but not least, the virus creates a ransom note called "Fuc**hit.html" in folders with encrypted files. Here is what the ransom note says:
YOUR PERSONAL ID
☠ YOUR FILES ARE ENCRYPTED! ☠
ALL YOUR IMPORTANT DATA HAS BEEN ENCRYPTED.
To recover data you need decryptor.
To get the decryptor you should:
Send 1 test image or text file BlackMajor@protonmail.com.
In the letter include your personal ID (look at the beginning of this document).
We will give you the decrypted file and assign the price for decryption all files
After we send you instruction how to pay for decrypt and after payment you will receive a decryptor and instructions We can decrypt one file in quality the evidence that we have the decoder.
Only BlackMajor@protonmail.com can decrypt your files
Do not trust anyone BlackMajor@protonmail.com
Do not attempt to remove the program or run the anti-virus tools
Attempts to self-decrypting files will result in the loss of your data
Decoders other users are not compatible with your data, because each user's unique encryption key
Once the encryption is complete, and the ransom note is dropped, Pants ransomware has one last cruel trick to play; it will delete the Shadow Volume Copies of data from your computer. This step makes it almost impossible for you to recover data without a backup or the decryption key.
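To scope an infection before restoring from backup, the two indicators named above (the .pants extension and an HTML note in each affected folder) can be searched for directly. This is an added example, not code from the original article; the marker phrase is taken from the quoted note, and the sample tree and its file names are constructed.

```python
import os
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".pants"                  # extension named in the article
NOTE_MARKER = "YOUR FILES ARE ENCRYPTED"  # phrase from the quoted ransom note

def triage(root):
    """Count encrypted files per folder and original type; list ransom notes."""
    by_folder, by_type, notes = Counter(), Counter(), []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()          # the extension appears as .Pants and .pants
            if lower.endswith(ENCRYPTED_EXT):
                by_folder[os.path.relpath(folder, root)] += 1
                # "report.docx.pants" -> ".docx": what to look for in backups
                original = os.path.splitext(lower[:-len(ENCRYPTED_EXT)])[1]
                by_type[original or "(none)"] += 1
            elif lower.endswith((".html", ".htm")):
                path = os.path.join(folder, name)
                try:
                    with open(path, encoding="utf-8", errors="ignore") as fh:
                        text = fh.read(65536)     # notes are small; cap the read
                except OSError:
                    continue                      # unreadable file: skip it
                if NOTE_MARKER in text.upper():
                    notes.append(os.path.relpath(path, root))
    return {"by_folder": dict(by_folder), "by_type": dict(by_type),
            "notes": sorted(notes)}

def make_sample_tree(root):
    """Build a constructed sample tree (placeholder files only, no malware)."""
    layout = {"docs": ["report.docx.Pants", "scan.pdf.pants", "note.html"],
              "pics": ["cat.jpg"], "web": ["index.html"]}
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            body = "<h1>index</h1>"
            if name == "note.html":
                body = "<p>YOUR FILES ARE ENCRYPTED!</p>"
            with open(os.path.join(root, folder, name), "w") as fh:
                fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        print(triage(tmp))
```

Run it read-only against a mounted copy or image of the affected disk so the scan itself changes nothing on the original.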
Can I Decrypt Files Infected with Pants Ransomware?
Sometimes security companies and government agencies can release public decryption keys for ransomware. It may be possible to find such a public decryptor for your ransomware infection.
However, there is a chance that there is no public decryptor if the ransomware isn't widespread, or there are no vulnerabilities for security researchers to exploit. If you can't find a public decryption key, then it is not possible to restore encrypted data without help from the attackers. Your only chance to get your data back is to use an external backup.
How to Protect Against Ransomware Infections
The best way to protect your computer is to install malware protection. Make regular backups of important data, too, so that you always have a copy if you need it. Practice good digital hygiene by avoiding spam, third-party download sites, and illegal cracking activation tools.