A ransomware cryptovirus called Ishtar has been encrypting victims' files over the past few days. The name is that of a Mesopotamian goddess of war and love, though the cybercriminals might have named their malware after the famous Israeli singer instead. Encrypted files have the prefix "ISHTAR-" prepended to their names. The ransomware claims to use RSA-2048 and AES-256 for encryption. To see how to remove this cryptovirus and how you can try to restore your files, read the whole article.
| Name | Ishtar Ransomware |
|---|---|
| Short Description | The ransomware encrypts your files and then displays a ransom note with payment instructions for decryption. |
| Symptoms | Encrypted files have the "ISHTAR-" prefix attached to their filenames. |
| Distribution Method | Spam emails, email attachments, executables |
Ishtar Ransomware – Spread
The Ishtar ransomware can get onto a computer in several ways. One is spam email campaigns that carry the malicious payload as an attachment. Such a message is written to sound urgent or to announce unexpected news, so that the recipient focuses on the attachment and opens it without checking whether the claims in the email are true. Once opened, the attachment runs the malicious payload, which in turn infects the machine. An example of such a file, as listed on VirusTotal, is shown below:
Ishtar might reach your PC in other ways as well. The malware authors can spread their files easily through social networks and file-sharing platforms, hosting the malicious script or executable on such a service to reach more users. Before opening a file from an unverified source, scan it with a security tool. Also check the file's digital signature and size and look for anything unusual, such as an executable posing as a document. You should also read the ransomware prevention tips in our forum thread.
Ishtar Ransomware – Analysis
This ransomware cryptovirus is named Ishtar. It may be named after the Israeli singer of that name or after the Mesopotamian goddess of war, power, sex, love and fertility. The ransomware encrypts your files and puts the prefix ISHTAR- before the names of the locked files. Payment instructions and the attackers' demands are written to a text file once encryption finishes.
After its payload runs, the Ishtar ransomware may create entries in the Windows Registry to make itself persistent; such entries launch the malware automatically at every boot of Windows. Your data is then encrypted, and the ransom message appears on the desktop. The ransom note is placed in a file called README-ISHTAR.txt.
You can preview the contents of that file in the picture below:
The ransom message reads the following:
# [Russian section, translated:]
# TO DECRYPT YOUR FILES, WRITE TO firstname.lastname@example.org
# OR TO
# BM-NBYR3ctSgr67iciT43rRNmHdHPAYBBK7 USING BITMESSAGE DESKTOP OR https://bitmsg.me/
# BASIC TECHNICAL DETAILS:
# > Standard encryption routine: AES 256 + RSA 2048.
# > A unique AES key is generated for every file.
# > Decryption is impossible without the ISHTAR.DATA file (see the %APPDATA% directory).
# [English section, as written in the note:]
# TO DECRYPT YOUR FILES PLEASE WRITE TO email@example.com
# OR TO
# BM-NBYR3ctSgr67iciT43rRNmHdHPAYBBK7 USING BITMESSAGE DESKTOP OR https://bitmsg.me/
# BASIC TECHNICAL DETAILS:
# > Standart [sic] encryption routine: AES 256 + RSA 2048.
# > Every AES key is unique per file.
# > Decryption is impossible without ISHTAR.DATA file (see %APPDATA% path).
As you can see, the ransom note is written in Russian and English. Do NOT, under any circumstances, contact the criminals or consider paying them. Nobody can guarantee that paying will get your data back, and the money would most likely fund the development of more ransomware.
The list of file extensions that Ishtar targets is not yet known, but the file types it seeks to encrypt are most likely the usual ones: documents, databases, photos and videos.
The ISHTAR- prefix is attached to every encrypted file. The encryption algorithms used are RSA-2048 and AES with a 256-bit key; at least, that is what the ransom note claims, and the claim has not been verified against the sample here.
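To make concrete what a scheme of that kind looks like, and why the note says decryption is impossible without the attackers' key material, here is an added Go example that models the claimed AES-256 plus RSA-2048 design. It is not Ishtar's code and nothing in it comes from the sample. A fresh random AES-256 key is generated per file, the file is encrypted with AES-GCM, and the file key is wrapped with the operator's RSA-2048 public key using OAEP, so only the holder of the private key can unwrap it. The container layout, the choice of GCM and OAEP, the binding of the filename into both, and the sample content are assumptions made for the example; the note does not say how Ishtar actually stores its wrapped keys.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Container layout, an assumption for this example and not Ishtar's format:
// 2-byte LE wrapped-key length || RSA-OAEP(fileKey) || GCM nonce || AES-256-GCM ciphertext.
const (
	fileKeyLen  = 32 // AES-256
	gcmNonceLen = 12
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile models the victim side, which needs only the operator's public
// key. The filename is bound in as the OAEP label and as GCM additional data,
// so a wrapped key cannot be moved onto a different file.
func EncryptFile(pub *rsa.PublicKey, name string, plaintext []byte) ([]byte, error) {
	fileKey := make([]byte, fileKeyLen) // fresh key per file, as the note claims
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, []byte(name))
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcmNonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := []byte{byte(len(wrapped)), byte(len(wrapped) >> 8)}
	out = append(out, wrapped...)
	out = append(out, nonce...)
	return gcm.Seal(out, nonce, plaintext, []byte(name)), nil
}

// DecryptFile models the operator side: the per-file key is recoverable only
// with the RSA private key, which never touches the victim's machine.
func DecryptFile(priv *rsa.PrivateKey, name string, container []byte) ([]byte, error) {
	if len(container) < 2 {
		return nil, errors.New("container too short")
	}
	wl := int(container[0]) | int(container[1])<<8
	rest := container[2:]
	if len(rest) < wl+gcmNonceLen {
		return nil, errors.New("container truncated")
	}
	wrapped, rest := rest[:wl], rest[wl:]
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, []byte(name))
	if err != nil {
		return nil, fmt.Errorf("unwrap file key: %w", err)
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rest[:gcmNonceLen], rest[gcmNonceLen:], []byte(name))
}

func main() {
	operatorKey, err := rsa.GenerateKey(rand.Reader, 2048) // stays with the attackers
	if err != nil {
		panic(err)
	}
	const name = "ISHTAR-budget.xlsx"
	doc := []byte("Q3 figures: revenue 1.2M") // constructed sample content
	c, err := EncryptFile(&operatorKey.PublicKey, name, doc)
	if err != nil {
		panic(err)
	}
	guess, _ := rsa.GenerateKey(rand.Reader, 2048) // any key but the operator's
	if _, err := DecryptFile(guess, name, c); err != nil {
		fmt.Println("without the operator's private key:", err)
	}
	pt, err := DecryptFile(operatorKey, name, c)
	if err != nil {
		panic(err)
	}
	fmt.Printf("with the private key: %q\n", pt)
}
```

Run it and the first DecryptFile call, made with a freshly generated key standing in for a guess, fails at the OAEP unwrap, while the second succeeds. If the note's claims are true, this is why brute force is not an option: the only realistic ways back are backups, Shadow Volume Copies if they survived, or a mistake in the malware's implementation rather than a weakness in the algorithms themselves.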
The Ishtar ransomware is also likely to delete the Shadow Volume Copies of the Windows operating system with the following command:
vssadmin.exe delete shadows /all /Quiet
If this command has run, the shadow copies are gone and the built-in Previous Versions feature can no longer be used to recover the files.
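The Run-key persistence and the shadow-copy deletion described above, together with the filenames from the ransom note, are the indicators a detection rule would key on. The following Go program is an added example, not code from this article or from the malware: it runs simple rules for a `vssadmin delete shadows` command line, a write under a CurrentVersion\Run key, creation of README-ISHTAR.txt and ISHTAR.DATA, and new files carrying the ISHTAR- prefix, over a few constructed Sysmon-style log lines. The pipe-separated key=value line format, the event numbers (1 process creation, 11 file create, 13 registry value set, as Sysmon numbers them), and the sample paths and SID are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Event is one flattened, Sysmon-style record. The pipe-separated key=value
// line format is constructed for this example; real Sysmon output is EVTX/XML.
type Event struct {
	ID     string
	Fields map[string]string
}

// Alert names the rule that fired and the field that triggered it.
type Alert struct {
	Rule   string
	Detail string
}

// ParseEvent splits "EventID=1|Image=...|CommandLine=..." into fields.
func ParseEvent(line string) (Event, bool) {
	ev := Event{Fields: map[string]string{}}
	for _, kv := range strings.Split(line, "|") {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return ev, false
		}
		ev.Fields[strings.TrimSpace(k)] = strings.TrimSpace(v)
	}
	ev.ID = ev.Fields["EventID"]
	return ev, ev.ID != ""
}

// baseName returns the last component of a Windows path.
func baseName(p string) string {
	return path.Base(strings.ReplaceAll(p, `\`, "/"))
}

// Detect applies the Ishtar indicators from the article to log lines:
// shadow-copy deletion, Run-key persistence, the ransom note, the key file
// and files carrying the ISHTAR- prefix.
func Detect(lines []string) []Alert {
	var alerts []Alert
	for _, line := range lines {
		ev, ok := ParseEvent(line)
		if !ok {
			continue
		}
		switch ev.ID {
		case "1": // process creation
			cmd := strings.ToLower(ev.Fields["CommandLine"])
			if strings.Contains(cmd, "vssadmin") && strings.Contains(cmd, "delete") &&
				strings.Contains(cmd, "shadows") {
				alerts = append(alerts, Alert{"shadow_copy_deletion", ev.Fields["CommandLine"]})
			}
		case "11": // file create; a rename-in-place would need a different event source
			target := ev.Fields["TargetFilename"]
			name := baseName(target)
			switch {
			case strings.EqualFold(name, "README-ISHTAR.txt"):
				alerts = append(alerts, Alert{"ransom_note", target})
			case strings.EqualFold(name, "ISHTAR.DATA"):
				alerts = append(alerts, Alert{"key_material_file", target})
			case strings.HasPrefix(strings.ToUpper(name), "ISHTAR-"):
				alerts = append(alerts, Alert{"ishtar_prefix_file", target})
			}
		case "13": // registry value set
			obj := strings.ToLower(ev.Fields["TargetObject"])
			if strings.Contains(obj, `\currentversion\run\`) ||
				strings.Contains(obj, `\currentversion\runonce\`) {
				alerts = append(alerts, Alert{"run_key_persistence", ev.Fields["TargetObject"]})
			}
		}
	}
	return alerts
}

// SampleLog is constructed for this example; the paths, SID and image names are invented.
var SampleLog = []string{
	`EventID=1|Image=C:\Windows\explorer.exe|CommandLine=explorer.exe`,
	`EventID=13|Image=C:\Users\victim\AppData\Local\Temp\invoice.exe|TargetObject=HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\ishtar`,
	`EventID=1|Image=C:\Windows\System32\vssadmin.exe|CommandLine=vssadmin.exe delete shadows /all /Quiet`,
	`EventID=11|Image=C:\Users\victim\AppData\Local\Temp\invoice.exe|TargetFilename=C:\Users\victim\AppData\Roaming\ISHTAR.DATA`,
	`EventID=11|Image=C:\Users\victim\AppData\Local\Temp\invoice.exe|TargetFilename=C:\Users\victim\Documents\ISHTAR-budget.xlsx`,
	`EventID=11|Image=C:\Users\victim\AppData\Local\Temp\invoice.exe|TargetFilename=C:\Users\victim\Pictures\ISHTAR-holiday.jpg`,
	`EventID=11|Image=C:\Users\victim\AppData\Local\Temp\invoice.exe|TargetFilename=C:\Users\victim\Desktop\README-ISHTAR.txt`,
	`EventID=11|Image=C:\Windows\System32\notepad.exe|TargetFilename=C:\Users\victim\Documents\notes.txt`,
	`malformed line without fields`,
}

func main() {
	for _, a := range Detect(SampleLog) {
		fmt.Printf("%-22s %s\n", a.Rule, a.Detail)
	}
}
```

The shadow-copy rule matches on the three words rather than the exact string, because the `/all /Quiet` switches and the `.exe` suffix vary between samples and between ransomware families; the same loose match is what you would want in a real process-creation rule. The prefix rule only sees new files, so on a host where the malware renames in place you would need file-rename telemetry instead.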
Read on for ways you can try to restore some of your files.
Remove Ishtar Ransomware and Restore ISHTAR- Files
If your computer has been infected with the Ishtar ransomware, you should have some experience in removing malware before attempting the steps below. Remove the ransomware as quickly as possible, before it has the chance to spread further and infect more computers; disconnecting the machine from the network first limits that risk. Then follow the step-by-step removal guide below. For ways you can try to recover your data, see the step titled 2. Restore files encrypted by Ishtar Ransomware.