Remove Ishtar Ransomware and Restore ISHTAR- Files - How to, Technology and PC Security Forum | SensorsTechForum.com

Remove Ishtar Ransomware and Restore ISHTAR- Files


A ransomware cryptovirus called Ishtar has been encrypting victims’ files over the past few days. The name is that of a Mesopotamian goddess of war and love, but the cybercriminals might have named their malware after the famous Israeli singer. Encrypted files will have the prefix “ISHTAR-” at the beginning of their names. The ransomware claims to use RSA-2048 and AES-256 for the encryption process. To see how to remove this cryptovirus and how you can try to restore your files, read the whole article.

Threat Summary

Name: Ishtar Ransomware
Type: Ransomware, Cryptovirus
Short Description: The ransomware will encrypt your files and then display a ransom note with payment instructions for decryption.
Symptoms: Your encrypted files will have the “ISHTAR-” prefix attached to their filenames.
Distribution Method: Spam Emails, Email Attachments, Executables

Ishtar Ransomware – Spread

The Ishtar ransomware can intrude into your computer system in various ways. One of them is spam email campaigns that spread the malicious payload file. Such a spam letter is designed to sound critical or to hold some unexpected news. While you focus on the attached file, without checking whether what you read is true, you might open it. If opened, the attached file executes the malicious payload, which in turn infects your computer. You can see an example of such a file on the VirusTotal site below:

[Image: VirusTotal detections for an Ishtar ransomware file]

Ishtar might infect your PC in other ways, too. The malware creators could spread their files with ease by using social networks and file-sharing platforms. The malicious script might be hosted on one of these services with the goal of infecting more users. Before you open files from unverified sources, scan them with a security tool. Furthermore, check the signature and size of the file and see if there are any peculiarities. You should read the ransomware preventive tips from our forum thread.

Ishtar Ransomware – Analysis

This ransomware cryptovirus is named Ishtar. It might be named after the famous Israeli singer of the same name or the Mesopotamian goddess of war, power, sex, love and fertility. The ransomware will encrypt your files and then put the prefix ISHTAR- before the names of your locked files. Payment instructions with the demands are written in a text file after the encryption process is finished.

The Ishtar ransomware might create entries in the Windows Registry after its payload is executed, to be persistent. These registry entries are intended to launch the virus automatically with every boot of the Windows operating system. After that, your data becomes encrypted, and the ransom message appears on your desktop. That ransom note is placed inside a file called README-ISHTAR.txt.

You can preview the contents of that file in the picture below:

[Image: Ishtar ransom note, in Russian, with a ProtonMail contact address]

The ransom message reads as follows:

# —————————————————————————————————————————-
# ДЛЯ РАСШИФРОВКИ ФАЙЛОВ ОБРАТИТЕСЬ НА ПОЧТУ [email protected]
# ЛИБО НА
# BM-NBYR3ctSgr67iciT43rRNmHdHPAYBBK7 ИСПОЛЬЗУЯ BITMESSAGE DESKTOP ИЛИ https://bitmsg.me/
# —————————————————————————————————————————-
#
# БАЗОВЫЕ ТЕХНИЧЕСКИЕ ДЕТАЛИ:
# > Стандартный порядок шифрования: AES 256 + RSA 2048.
# > Для каждого файла создается уникальный AES ключ.
# > Расшифровка невозможна без файла ISHTAR.DATA (см. директорию %APPDATA%).
#
# —————————————————————————————————————————-

# —————————————————————————————————————————-
# TO DECRYPT YOUR FILES PLEASE WRITE TO [email protected]
# OR TO
# BM-NBYR3ctSgr67iciT43rRNmHdHPAYBBK7 USING BITMESSAGE DESKTOP OR https://bitmsg.me/
# —————————————————————————————————————————-
#
# BASIC TECHNICAL DETAILS:
# > Standart encryption routine: AES 256 + RSA 2048.
# > Every AES key is unique per file.
# > Decryption is impossible without ISHTAR.DATA file (see %APPDATA% path).
#
# —————————————————————————————————————————-

As you can see, the ransom message is written in both Russian and English. You should NOT, under any circumstances, contact the criminals or think about paying them. Nobody can guarantee that paying will let you recover your data. Also, the cybercriminals would probably use that money to develop more ransomware viruses.

A list of the different extensions of file types which the Ishtar ransomware encrypts is still not known. The file types which it seeks to encrypt are certainly along the lines of documents, databases, photos and videos.

The ISHTAR- prefix is attached to the encrypted files. The encryption algorithms used are RSA-2048 and AES with 256 bits. At least, that is what the ransomware claims in its ransom message.

The Ishtar ransomware is more than likely to delete the Shadow Volume Copies from the Windows operating system with the following command:

vssadmin.exe delete shadows /all /Quiet
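A way to spot that command in process-creation logs, as an added example that is not part of the original article: the event tuples are constructed samples, and the function names are hypothetical.

```python
import re

# "vssadmin[.exe] delete shadows" with any path prefix, quoting, casing or spacing.
VSS_DELETE = re.compile(
    r'(?:^|[\\/"\s])vssadmin(?:\.exe)?"?\s+delete\s+shadows\b(?P<args>.*)$',
    re.IGNORECASE,
)

def classify(command_line):
    """Return None unless the command deletes shadow copies; else the findings."""
    match = VSS_DELETE.search(command_line.strip())
    if not match:
        return None
    switches = {s.lower() for s in re.findall(r"/(\w+)", match.group("args"))}
    return {
        "all_copies": "all" in switches,
        "quiet": "quiet" in switches,
        # /all together with /quiet wipes every restore point without a prompt
        "severity": "high" if {"all", "quiet"} <= switches else "medium",
    }

def scan(events):
    """events: iterable of (timestamp, parent_image, command_line) tuples."""
    hits = []
    for ts, parent, cmd in events:
        finding = classify(cmd)
        if finding:
            hits.append({"time": ts, "parent": parent, "cmd": cmd, **finding})
    return hits

# Constructed sample events (not taken from a real incident).
SAMPLE_EVENTS = [
    ("T+00:00", r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe a.txt"),
    ("T+00:38", r"C:\Users\demo\AppData\Roaming\sample.exe",
     "vssadmin.exe delete shadows /all /Quiet"),
    ("T+00:59", r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\VSSADMIN.EXE"  Delete  Shadows /Quiet /All'),
    ("T+05:00", r"C:\Windows\System32\cmd.exe", "vssadmin list shadows"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["time"], hit["severity"], hit["parent"], "->", hit["cmd"])
```

The parent image is kept in each hit because a shadow-copy deletion launched from a user-writable path deserves a closer look than one started by an administrator's backup tooling.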

Read on to see the ways in which you can try to restore some of your files.

Remove Ishtar Ransomware and Restore ISHTAR- Files

If your computer has been infected with the Ishtar ransomware, you should have some experience in removing malware. You should get rid of this ransomware as fast as possible, before it has the chance to spread further and infect more computers. Remove the ransomware by following the step-by-step instructions given below. To see ways that you can try to recover your data, see the step titled 2. Restore files encrypted by Ishtar Ransomware.


To remove Ishtar Ransomware follow these steps:

1. Boot Your PC In Safe Mode to isolate and remove Ishtar Ransomware files and objects
2. Find files created by Ishtar Ransomware on your PC

3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
4. Try to Restore files encrypted by Ishtar Ransomware
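The search in step 2 can be scripted with the three names this article gives (the ISHTAR- prefix, README-ISHTAR.txt and ISHTAR.DATA). This is an added example, not the article's own tooling; the demo directory tree is constructed and the function names are hypothetical. The script only reports paths, so ISHTAR.DATA, which the ransom note says is required for decryption, stays in place.

```python
import os
import tempfile

PREFIX = "ishtar-"               # prefix on encrypted files (named in the article)
NOTE_NAME = "readme-ishtar.txt"  # ransom note file name (named in the article)
KEY_NAME = "ishtar.data"         # file the ransom note ties decryption to

def find_ishtar_artifacts(roots, appdata=None):
    """Walk the roots (plus %APPDATA%) and report indicators; nothing is deleted."""
    report = {"encrypted": [], "notes": [], "key_files": []}
    seen = set()
    for root in list(roots) + ([appdata] if appdata else []):
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.normcase(os.path.abspath(os.path.join(dirpath, name)))
                if path in seen:          # appdata may sit under a scanned root
                    continue
                seen.add(path)
                low = name.casefold()     # Windows file names are case-insensitive
                if low == NOTE_NAME:
                    report["notes"].append(path)
                elif low == KEY_NAME:
                    report["key_files"].append(path)
                elif low.startswith(PREFIX):
                    report["encrypted"].append(path)
    return report

def build_demo_tree():
    """Create a constructed sample layout standing in for a user profile."""
    base = tempfile.mkdtemp(prefix="triage-demo-")
    docs = os.path.join(base, "Documents")
    appdata = os.path.join(base, "AppData", "Roaming")
    os.makedirs(docs)
    os.makedirs(appdata)
    for path in (os.path.join(docs, "ISHTAR-budget.xlsx"),
                 os.path.join(docs, "notes.txt"),
                 os.path.join(docs, "README-ISHTAR.txt"),
                 os.path.join(appdata, "ISHTAR.DATA")):
        open(path, "w").close()
    return base, appdata

if __name__ == "__main__":
    # On a real host pass the drives to check and os.environ.get("APPDATA").
    base, appdata = build_demo_tree()
    for kind, paths in find_ishtar_artifacts([base], appdata).items():
        print(f"{kind}: {len(paths)}")
        for p in paths:
            print("   ", p)
```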

Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.
