Remove Ishtar Ransomware and Restore ISHTAR- Files

A ransomware cryptovirus called Ishtar has been encrypting victims’ files over the past few days. The name is that of a Mesopotamian goddess of war and love, but the cybercriminals might have named their malware after the famous Israeli singer. Encrypted files will have the prefix “ISHTAR-” at the beginning of their names. The ransomware claims to use RSA-2048 and AES-256 for the encryption process. To see how to remove this cryptovirus and how you can try to restore your files, read the whole article.

Threat Summary

Name: Ishtar Ransomware
Type: Ransomware, Cryptovirus
Short Description: The ransomware will encrypt your files and then display a ransom note with payment instructions for decryption.
Symptoms: Your encrypted files will have the “ISHTAR-” prefix attached to their filenames.
Distribution Method: Spam Emails, Email Attachments, Executables
Ishtar Ransomware – Spread

The Ishtar ransomware can get into your computer system in various ways. One of them is spam email campaigns that spread the malicious payload file. Such a spam letter is designed to sound critical or to hold some unexpected news. If you focus on the attached file without checking whether what you read is true, you might open it. Once opened, the attached file executes the malicious payload, which in turn infects your computer. You can see an example of such a file on the VirusTotal site below:

[Image: VirusTotal detections for an Ishtar ransomware sample]

Ishtar might infect your PC in other ways as well. The malware creators could spread their files with ease by using social networks and file-sharing platforms. The malicious script might be hosted on one of these services with the goal of infecting more users. Before you open files from unverified sources, scan them with a security tool. Furthermore, check the signature and size of the file and see if there are any peculiarities. You should read the ransomware preventive tips from our forum thread.

Ishtar Ransomware – Analysis

This ransomware cryptovirus is named Ishtar. It might be named after the famous Israeli singer of the same name or the Mesopotamian goddess of war, power, sex, love and fertility. The ransomware will encrypt your files and then put the prefix ISHTAR- before the names of your locked files. Payment instructions with the demands are written in a text file after the encryption process is finished.

The Ishtar ransomware might create entries in the Windows Registry after its payload is executed, to be persistent. These registry entries are intended to launch the virus automatically with every boot of the Windows operating system. After that, your data becomes encrypted, and the ransom message appears on your desktop. That ransom note is placed inside a file called README-ISHTAR.txt.

You can preview the contents of that file in the picture below:

[Image: Ishtar ransomware ransom note (README-ISHTAR.txt)]

The ransom message reads as follows:

# —————————————————————————————————————————-
# ДЛЯ РАСШИФРОВКИ ФАЙЛОВ ОБРАТИТЕСЬ НА ПОЧТУ [email protected]
# ЛИБО НА
# BM-NBYR3ctSgr67iciT43rRNmHdHPAYBBK7 ИСПОЛЬЗУЯ BITMESSAGE DESKTOP ИЛИ https://bitmsg.me/
# —————————————————————————————————————————-
#
# БАЗОВЫЕ ТЕХНИЧЕСКИЕ ДЕТАЛИ:
# > Стандартный порядок шифрования: AES 256 + RSA 2048.
# > Для каждого файла создается уникальный AES ключ.
# > Расшифровка невозможна без файла ISHTAR.DATA (см. директорию %APPDATA%).
#
# —————————————————————————————————————————-

# —————————————————————————————————————————-
# TO DECRYPT YOUR FILES PLEASE WRITE TO [email protected]
# OR TO
# BM-NBYR3ctSgr67iciT43rRNmHdHPAYBBK7 USING BITMESSAGE DESKTOP OR https://bitmsg.me/
# —————————————————————————————————————————-
#
# BASIC TECHNICAL DETAILS:
# > Standart encryption routine: AES 256 + RSA 2048.
# > Every AES key is unique per file.
# > Decryption is impossible without ISHTAR.DATA file (see %APPDATA% path).
#
# —————————————————————————————————————————-

As you can see, the ransom message is written in Russian and English. You should NOT, under any circumstances, contact the criminals or think about paying them. Nobody can guarantee that paying will let you recover your data. Also, the cybercriminals would probably use that money to develop more ransomware viruses.

A list of the different extensions of file types which the Ishtar ransomware encrypts is still not known. The file types which it seeks to encrypt are certainly along the lines of documents, databases, photos and videos.

The ISHTAR- prefix will get attached to the encrypted files. The encryption algorithms which are used are RSA-2048 and AES with 256 bits. At least, that is what the ransomware claims in its ransom message.
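The file indicators named so far (the ISHTAR- prefix, the README-ISHTAR.txt note and the ISHTAR.DATA file the note says decryption depends on) can be inventoried before any cleanup. The following triage script is an added example, not part of the original article or of any vendor tool; the function names and the sample directory tree are constructed for illustration, and it assumes the prefix is simply prepended to the original file name.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the article: encrypted-file prefix, ransom note name,
# and the file the ransom note claims is required for decryption.
PREFIX = "ISHTAR-"
NOTE_NAME = "README-ISHTAR.txt"
KEY_FILE = "ISHTAR.DATA"


def triage(root):
    """Walk `root` and classify Ishtar artefacts without modifying anything."""
    found = {"encrypted": [], "notes": [], "key_data": []}
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            path = Path(dirpath) / name
            upper = name.upper()
            if upper == NOTE_NAME.upper():
                found["notes"].append(path)
            elif upper == KEY_FILE:
                found["key_data"].append(path)  # back this up, never delete it
            elif upper.startswith(PREFIX):
                found["encrypted"].append(path)
    return found


def original_name(path):
    """File name with the ISHTAR- prefix removed (assumes a plain prepend)."""
    return Path(path).name[len(PREFIX):]


def demo():
    """Build a constructed sample tree and run the triage over it."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp, "Users", "alice", "Documents")
        appdata = Path(tmp, "Users", "alice", "AppData", "Roaming")
        docs.mkdir(parents=True)
        appdata.mkdir(parents=True)
        for p in (docs / "ISHTAR-budget.xlsx", docs / "notes.txt",
                  docs / "README-ISHTAR.txt", appdata / "ISHTAR.DATA"):
            p.write_bytes(b"constructed sample")
        result = triage(tmp)
        return {k: sorted(x.name for x in v) for k, v in result.items()}


if __name__ == "__main__":
    print(demo())
```

Copy every path reported under `key_data` and `encrypted` to offline storage before running a removal tool, since a cleanup that deletes ISHTAR.DATA would rule out any later decryption.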

The Ishtar ransomware is more than likely to delete the Shadow Volume Copies from the Windows operating system with the following command:

→vssadmin.exe delete shadows /all /Quiet
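For defenders, that command line is a reliable detection point in process-creation logs. The matcher below is an added example, not from the original article; the event records, host names and parent process names are constructed, and the field names `host`, `parent` and `cmd` are assumptions about how your log source is parsed.

```python
import ntpath

IMAGE_NAMES = {"vssadmin", "vssadmin.exe"}


def shadow_delete_flags(cmdline):
    """Return the switches of a 'vssadmin delete shadows' call, or None."""
    # Dropping quotes lets quoted paths and cmd /c "..." wrappers tokenise alike.
    tokens = cmdline.replace('"', " ").lower().split()
    for i, tok in enumerate(tokens):
        if ntpath.basename(tok) in IMAGE_NAMES:
            args = tokens[i + 1:]
            if args[:2] == ["delete", "shadows"]:
                return sorted(a for a in args[2:] if a.startswith("/"))
    return None


# Constructed process-creation records; hosts and parents are made up.
SAMPLE_EVENTS = [
    {"host": "WS-014", "parent": "invoice.exe",
     "cmd": r"vssadmin.exe delete shadows /all /Quiet"},
    {"host": "WS-014", "parent": "cmd.exe",
     "cmd": r'"C:\Windows\System32\VSSADMIN.EXE" Delete Shadows /All /quiet'},
    {"host": "SRV-02", "parent": "mmc.exe",
     "cmd": r"vssadmin list shadows"},
    {"host": "WS-031", "parent": "winword.exe",
     "cmd": r'cmd.exe /c "vssadmin delete shadows /for=C: /oldest"'},
]


def hunt(events):
    """Keep events that delete shadow copies; mark unattended full wipes."""
    hits = []
    for ev in events:
        flags = shadow_delete_flags(ev["cmd"])
        if flags is None:
            continue
        wipe = "/all" in flags and "/quiet" in flags
        hits.append((ev["host"], ev["parent"], "high" if wipe else "review"))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```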

Read further to see what kind of ways you can try to restore some of your files.

Remove Ishtar Ransomware and Restore ISHTAR- Files

If your computer is infected with the Ishtar ransomware, you should have some experience in removing malware. Get rid of this ransomware as fast as possible, before it has the chance to spread further and infect more computers. Remove the ransomware by following the step-by-step instructions given below. To see ways that you can try to recover your data, see the step titled 2. Restore files encrypted by Ishtar Ransomware.

Manually delete Ishtar Ransomware from your computer

Note! Important notice about the Ishtar Ransomware threat: Manual removal of Ishtar Ransomware requires interference with system files and registries, so it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Ishtar Ransomware files and objects
2. Find malicious files created by Ishtar Ransomware on your PC

Automatically remove Ishtar Ransomware by downloading an advanced anti-malware program

1. Remove Ishtar Ransomware with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by Ishtar Ransomware
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.
