Remove Ishtar Ransomware and Restore ISHTAR- Files


A ransomware cryptovirus called Ishtar has been encrypting victims’ files over the past few days. The name is that of a Mesopotamian goddess of war and love, but the cybercriminals might have named their malware after the famous Israeli singer. Encrypted files will have the prefix “ISHTAR-” at the beginning of their names. The ransomware claims to use RSA-2048 and AES-256 for the encryption process. To see how to remove this cryptovirus and how you can try to restore your files, read the whole article.

Threat Summary

Name: Ishtar Ransomware
Type: Ransomware, Cryptovirus
Short Description: The ransomware will encrypt your files and then display a ransom note with payment instructions for decryption.
Symptoms: Your encrypted files will have the “ISHTAR-” prefix attached to their filenames.
Distribution Method: Spam Emails, Email Attachments, Executables
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

Ishtar Ransomware – Spread

The Ishtar ransomware virus can intrude into your computer system in various ways. One of them is spam email campaigns that spread the malicious payload file. Such a spam letter is designed to sound critical or to hold some unexpected news. If you focus on the attached file without checking whether what you read is true, you might open it. If opened, the attached file executes the malicious payload, which in turn infects your computer. You can see an example of such a file on the VirusTotal site below:


Ishtar might infect your PC in more ways. The malware creators could spread their files with ease by using social networks and file-sharing platforms. The malicious script might be hosted on one of these services with the goal of infecting more users. Before you open files from unverified sources, scan them with a security tool. Furthermore, check the signature and size of each file and see if there are any peculiarities. You should read the ransomware preventive tips from our forum thread.

Ishtar Ransomware – Analysis

This ransomware cryptovirus is named Ishtar. It might be named after the famous Israeli singer of the same name or the Mesopotamian goddess of war, power, sex, love and fertility. The ransomware will encrypt your files and then put the prefix ISHTAR- before the names of your locked files. Payment instructions with the demands are written in a text file after the encryption process is finished.

The Ishtar ransomware might create entries in the Windows Registry after its payload is executed, to be persistent. These registry entries are intended to launch the virus automatically with every boot of the Windows operating system. After that, your data becomes encrypted, and the ransom message appears on your desktop. That ransom note is placed inside a file called README-ISHTAR.txt.

You can preview the contents of that file in the picture below:


The ransom message reads the following:

# —————————————————————————————————————————-
# —————————————————————————————————————————-
# > Стандартный порядок шифрования: AES 256 + RSA 2048.
# > Для каждого файла создается уникальный AES ключ.
# > Расшифровка невозможна без файла ISHTAR.DATA (см. директорию %APPDATA%).
# —————————————————————————————————————————-

# —————————————————————————————————————————-
# —————————————————————————————————————————-
# > Standart encryption routine: AES 256 + RSA 2048.
# > Every AES key is unique per file.
# > Decryption is impossible without ISHTAR.DATA file (see %APPDATA% path).
# —————————————————————————————————————————-

As you can see, the ransom message is written in Russian and English. You should NOT, under any circumstances, contact the criminals or think about paying them. Nobody can guarantee that paying will let you recover your data. Also, the cybercriminals would probably use that money to develop more ransomware viruses.

A list of the different extensions of file types which the Ishtar ransomware encrypts is still not known. The file types which it seeks to encrypt are certainly along the lines of documents, databases, photos and videos.

The ISHTAR- prefix will get attached to the encrypted files. The encryption algorithms which are used are RSA-2048 and AES with 256 bits. At least, that is what the ransomware claims in its ransom message.
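The on-disk indicators named in this article (the ISHTAR- filename prefix, the README-ISHTAR.txt note and the ISHTAR.DATA file under %APPDATA%) can be inventoried before any cleanup. The following Python sketch is an added example, not part of the original article; the directory layout and file names in `demo()` are constructed, and searching %APPDATA% recursively is an assumption, since the note only says "see %APPDATA% path".

```python
import os
import tempfile
from pathlib import Path

PREFIX = "ISHTAR-"               # prefix the article says is put on locked files
NOTE_NAME = "README-ISHTAR.txt"  # ransom note file named in the article
KEY_FILE = "ISHTAR.DATA"         # file the note says decryption depends on


def triage(root, appdata):
    """Walk root for renamed files and notes; look under appdata for ISHTAR.DATA."""
    report = {"encrypted": [], "notes": [], "key_files": []}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            upper = name.upper()
            if upper == NOTE_NAME.upper():
                report["notes"].append(Path(folder) / name)
            elif upper.startswith(PREFIX):
                report["encrypted"].append(Path(folder) / name)
    # Assumption: the file may sit anywhere below %APPDATA%, so search recursively.
    for folder, _dirs, files in os.walk(appdata):
        for name in files:
            if name.upper() == KEY_FILE:
                report["key_files"].append(Path(folder) / name)
    return report


def demo():
    """Build a constructed directory tree and run the triage over it."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp) / "Users" / "alice" / "Documents"
        appdata = Path(tmp) / "Users" / "alice" / "AppData" / "Roaming"
        docs.mkdir(parents=True)
        appdata.mkdir(parents=True)
        for name in ("ISHTAR-report.docx", "ISHTAR-photo.jpg", "notes.txt", NOTE_NAME):
            (docs / name).write_bytes(b"constructed sample")
        (appdata / KEY_FILE).write_bytes(b"constructed sample")
        report = triage(Path(tmp), appdata)
        return {kind: sorted(p.name for p in paths) for kind, paths in report.items()}


if __name__ == "__main__":
    print(demo())
```

On a real host, call `triage()` with the user profile or drive root and `os.environ["APPDATA"]`, and keep a copy of any ISHTAR.DATA it reports before removing anything, since the ransom note states that decryption depends on that file.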

The Ishtar ransomware is more than likely to delete the Shadow Volume Copies from the Windows operating system with the following command:

vssadmin.exe delete shadows /all /Quiet
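Because that command line is fixed and rarely typed by ordinary users, it makes a useful detection point in process-creation logs. The following Python sketch is an added example, not part of the original article; the sample events and host names are constructed, and the high/medium severity split is an assumption of this example.

```python
import re

# Constructed process-creation records (the command-line field that
# Windows event 4688 or Sysmon event 1 can carry); host names are made up.
SAMPLE_EVENTS = [
    {"host": "WS-01", "cmd": r"C:\Windows\System32\vssadmin.exe list shadows"},
    {"host": "WS-02", "cmd": "vssadmin.exe delete shadows /all /Quiet"},
    {"host": "WS-03", "cmd": r'"C:\Windows\system32\VSSADMIN.EXE" Delete Shadows /QUIET /All'},
    {"host": "SRV-01", "cmd": "vssadmin delete shadows /for=D: /oldest"},
]


def classify(cmd):
    """Return 'high', 'medium' or None for one command line."""
    # Split on whitespace but keep a quoted executable path as one token.
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]
    if not tokens:
        return None
    image = re.split(r"[\\/]", tokens[0])[-1].lower()
    if image not in ("vssadmin", "vssadmin.exe"):
        return None
    args = [t.lower() for t in tokens[1:]]
    if args[:2] != ["delete", "shadows"]:
        return None
    switches = {a.split("=", 1)[0] for a in args[2:] if a.startswith("/")}
    # Wiping every copy with prompts suppressed is the form quoted in the article.
    if {"/all", "/quiet"} <= switches:
        return "high"
    return "medium"  # targeted deletion: may be routine administration, review it


def detect(events):
    """Return (host, severity) for every event that deletes shadow copies."""
    hits = []
    for event in events:
        severity = classify(event["cmd"])
        if severity:
            hits.append((event["host"], severity))
    return hits


if __name__ == "__main__":
    for host, severity in detect(SAMPLE_EVENTS):
        print(f"{severity:6} {host}")
```

The match is case-insensitive and independent of switch order, so it covers the variants of the same command that a simple string comparison would miss.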

Read further to see what kind of ways you can try to restore some of your files.

Remove Ishtar Ransomware and Restore ISHTAR- Files

If your computer is infected with the Ishtar ransomware, you should have some experience in removing malware. Get rid of this ransomware as fast as possible, before it has the chance to spread further and infect more computers. To remove it, follow the step-by-step instructions given below. To see ways that you can try to recover your data, see the step titled 2. Restore files encrypted by Ishtar Ransomware.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.
