Pants ransomware – file locking computer infection with a bizarre name

Pants ransomware is a dangerous computer virus that encrypts all files on the compromised machine and then demands a ransom for their retrieval. Discovered in late August 2020, the malware stems from a well-established malware family known as GlobeImposter, which is also known as the Fake Globe. Variants of this ransomware are typically distributed via spam email campaigns that include malicious attachments, although other delivery methods, such as exploits and fake updates, can also be used.
Once installed, the Pants virus would scan the system for susceptible files (usually, non-system and non-executable files) to lock with the help of a combination of encryption algorithms, such as AES + RSA.[1] Suchlike modified data can no longer be accessed and receives .pants extension. Additionally, the malware drops a ransom note fu*ksh*t.html on the desktop, which informs victims that they need to email to BlackMajor@protonmail.com and pay a ransom in Bitcoin if they want to recover their files.
| Name | Pants ransomware |
| Type | File locking virus, crypto-malware |
| Distribution | Spam emails, fake updates, exploits, software cracks, illegal software bundles |
| Family | GlobeImposter ransomware, otherwise known as Fake Globe |
| Extension | Each of the files is appended with .pants market. For example, a file “picture.jpg” is transformed into “picture.jpg.pants,” and can no longer be accessed/viewed by victims |
| Ransom note | fu*ksh*t.html is dropped on the desktop, as well as everywhere where locked files are located |
| Contact | Users are asked to send an email to BlackMajor@protonmail.com and provide the personal ID |
| Data recovery | Unfortunately, new variants of GlobeImposter can not be decrypted if no backups were retained. Security experts advise not to pay ransom, as cybercrimnals are known to keep their promises and send the required decryption software. For alternative file recovery solutions that might work in rare cases, check the recovery section below |
| Malware removal | To eliminate the infection from your computer, perform a full system scan with powerful anti-malware software, such as SpyHunterCombo Cleaner or MalwarebytesMalwarebytes |
| System fix | In case your computer suffers from system crashes, errors, and similar stability issues after the eliminated of ransomware, you should attempt to fix virus damage with tools such as FortectIntego and avoid Windows reinstallation |
There are several ways how Pants ransomware might have accessed your computer and encrypted files, although the payload is typically carried via the contaminated spam email attachment. The campaign authors typically send out thousands of emails by using botnets, although they do not include any text body within. Initially, there is no reason to open the attachment, although many people are curious.
One of the examples carrying the payload of malware was found in the wild under the name of netshield.exe. According to Virus Total, the file is detected under the following names:[2]
- Trojan.Ransom.GlobeImposter
- Win32:Malware-gen
- Globelmposter!656EAB6D9B13
- Ransom:Win32/Filecoder.RB!MSR
- Ransom_FAKEGLOBE.SMB
- A Variant Of Win32/Filecoder.FV. etc.
Once the executable is launched, Pants files virus would run in the background to prepare the machine for the file encryption process. In the background, malware alters the Windows registry, deletes Shadow Volume Copies, and performs other tasks that are invisible for the victim. It was also reported that it could disable some anti-malware tools during this process – this could significantly complicate Pants ransomware removal.
As soon as the system is ready, the cryptovirus begins the encryption process of files. This does not usually last too long on a regular computer, as only a few kilobytes of each file get encrypted. Pants ransomware targets the most commonly-used files, such as MS Office documents, PDF, ZIP, and many others. As a result, the data can no longer be accessed, and .pants extension becomes visible.
If you had no backups, data recovery options are relatively limited, as malware uses sophisticated encryption algorithms in order to encrypt files. Nonetheless, you should remove Pants ransomware before you attempt file recovery – security experts[3] advise avoiding manual elimination and relying on sophisticated anti-malware tools instead. In case ransomware damaged some Windows files and, as a result, you are experiencing computer stability issues, you could attempt fixing them with a repair tool FortectIntego.

.pants virus authors might not send you the required decryptor: here are alternative methods for file recovery
As soon as malware completes the process of file encryption, it will drop a ransom note, which reads:
YOUR PERSONAL ID
YOUR FILES ARE ENCRYPTED!
ALL YOUR IMPORTANT DATA HAS BEEN ENCRYPTED.To recover data you need decryptor.
To get the decryptor you should:
Send 1 test image or text file BlackMajor@protonmail.com.
In the letter include your personal ID (look at the beginning of this document).We will give you the decrypted file and assign the price for decryption all files
After we send you instruction how to pay for decrypt and after payment you will receive a decryptor and instructions We can decrypt one file in quality the evidence that we have the decoder.
Attention!Only BlackMajor@protonmail.com can decrypt your files
Do not trust anyone BlackMajor@protonmail.com
Do not attempt to remove the program or run the anti-virus tools
Attempts to self-decrypting files will result in the loss of your data
Decoders other users are not compatible with your data, because each user's unique encryption key
The main purpose of Pants ransomware virus authors is not to compromise your computer, but rather hold your files hostage. This means that .pants files are not corrupted or damaged but rather locked with a password that is unique to each of the victims. Without that password, otherwise known as a key, there is no guaranteed way of recovering data.
The general misconception that the infected users have about ransomware is that they can get rid of .pants extension either by manually removing it or by scanning their computers with anti-malware software. This could not be further from the truth, however, as security software is designed to eliminate the infection from the computer, but it can not revert the files to their previous state. For this reason, ransomware can be extremely devastating, as it might result in a complete personal data loss.
Nonetheless, if you want your .pants files back, there are several ways that might help you, although the chance of success depends on many factors, and typically is very low. Here are a few options:
- Use third-party recovery software. While these tools are not designed to restore ransomware-encrypted files, they might be able to retrieve working copies from deep within your hard drive. The less you use your computer after the infection, the bigger the chance of success.
- Built-in Windows recovery resources can be an option as well, as long as the virus failed to eliminate Shadow Volume Copies from the system.
- Paying cybercriminals is highly discouraged by most experts, as GlobeImposter developers are known to fail to deliver the required decryption tool even after the payment. Thus, if you pay, you might not only lose your data, but also the money.
Of course, the most secure way of recovering from a ransomware infection is by storing data backups on a separate medium (such as an external hard drive or cloud storage). This way, you will not have to worry about risking thousands of dollars and communicating with the attackers.

Remove Pants ransomware in a correct way
While it is typically advised not to listen to cybercriminals, some of the claims they made in the ransom note are true. For example, an attempt to remove Pants ransomware might compromise the encrypted data (although this is not true in all cases). Nevertheless, it is best to be safe than sorry; so, if you did not have backups ready, you should first make a backup of all the encrypted files. You should also not worry about whether they can spread the infection, since encrypted files do not hold any malicious code inside, so they are safe to transfer.
Once backups are complete, you can perform Pants ransomware removal. Since malware is known to disable anti-malware solutions, you can access Safe Mode with Networking as per instructions below and then performing a scan with SpyHunterCombo Cleaner, MalwarebytesMalwarebytes, or another security program. Only after the infection is removed and the Pants virus eliminated you can proceed with alternative methods of data recovery – you can find guidelines and download links of recovery programs below.
Was this guide helpful?
Be the first to comment