We have recently acquired a sample of a highly dangerous application called ISHTAR Ransomware. This program is designed to encrypt most of the files on your PC and then demand that you pay a ransom to decrypt them. You should remove it rather than pay, because there is no telling whether the cybercriminals who created it will keep their end of the bargain. According to our research, this ransomware is distributed via email spam and encrypts files using the AES encryption algorithm. If you want to find out more about it, please read this whole article.
Let us go into a bit more detail about this program’s distribution method. Our research has revealed that this particular ransomware is currently being disseminated through malicious emails. The emails carry a file that looks like a Microsoft Office Word document (.docx). It may be a real Word document, but one that asks you to enable macros to display the text in the correct encoding. If that is the case, then it is a trap: Office macros can run code, and ransomware developers abuse this to download the ransomware onto your PC. Another possibility is that the supposed .docx file is actually a disguised executable that runs a malicious script when opened to download the main executable. Regardless of how it is distributed, the point is that you will not notice that an infection is taking place, because it is meant to occur secretly. Now that we know how this application is distributed, let us take a look at how it works.
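The two disguises described above, a genuine document that carries a VBA macro project and an executable renamed to look like a .docx, can both be recognised without opening the attachment. The PowerShell function below is an added example and is not code from the original article or from the malware's authors: it identifies the real container type from the file's leading bytes (a .docx is a ZIP archive beginning with `PK\x03\x04`, a Windows executable begins with `MZ`) and, for a ZIP, checks for the `word/vbaProject.bin` entry that holds Word macros. The function name, the verdict fields and the double-extension check are our own choices.

```powershell
# Added example, not code from the original article or from the malware's authors.
# Classifies a suspicious attachment without opening it in Word:
#   - a genuine .docx is a ZIP container whose first bytes are 50-4B-03-04 ("PK\x03\x04");
#   - an executable disguised with a document name starts with 4D-5A ("MZ");
#   - a macro-enabled Word document carries word/vbaProject.bin inside the ZIP.
# The function name and verdict fields are our own (assumption, not a Windows API).

function Get-AttachmentVerdict {
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # Read only the first four bytes; the container type is decided by magic, not extension.
    $header = New-Object byte[] 4
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $read = $stream.Read($header, 0, 4) }
    finally { $stream.Dispose() }
    $magic = [System.BitConverter]::ToString($header, 0, $read)   # e.g. "50-4B-03-04"

    $reasons   = @()
    $container = 'unknown'
    $hasMacros = $false

    if ($magic.StartsWith('4D-5A')) {
        $container = 'pe-executable'
        $reasons  += 'MZ header: a Windows executable, not a document'
    }
    elseif ($magic -eq '50-4B-03-04') {
        $container = 'zip-ooxml'
        Add-Type -AssemblyName System.IO.Compression.FileSystem
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        try     { $entries = @($zip.Entries | ForEach-Object { $_.FullName }) }
        finally { $zip.Dispose() }
        if ($entries -contains 'word/vbaProject.bin') {
            $hasMacros = $true
            $reasons  += 'contains word/vbaProject.bin (VBA macro project)'
        }
    }
    else {
        $reasons += 'neither a ZIP container nor a PE executable'
    }

    # A double extension such as "invoice.docx.exe" is a common disguise.
    if ($Path -match '\.docx?\.[A-Za-z0-9]{1,4}$') {
        $reasons += 'double extension hides the real file type'
    }

    [PSCustomObject]@{
        Path       = $Path
        Container  = $container
        HasMacros  = $hasMacros
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = $reasons
    }
}

# Usage: check every .docx saved from a suspicious message and list the flagged ones.
Get-ChildItem -LiteralPath "$env:USERPROFILE\Downloads" -Filter '*.docx*' -File |
    ForEach-Object { Get-AttachmentVerdict -Path $_.FullName } |
    Where-Object Suspicious |
    Format-List
```

A clean .docx with no macros produces `Container = zip-ooxml`, `HasMacros = False` and an empty `Reasons` list; either of the two disguises the article describes is reported with the reason that triggered it. Legacy binary .doc files (OLE2 containers) are outside the scope of this check and are reported as `unknown`.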
We infected a test computer with the sample we acquired, and ISHTAR Ransomware appears to be configured to drop its main executable, named winishtr.exe, in %APPDATA%. Once on your PC, this ransomware runs automatically and connects to its Command and Control server to receive instructions. Furthermore, it creates a registry string named (Default) at HKCU\Software\Microsoft\Windows\CurrentVersion\Run. It also creates a registry key at HKCU\Software\Ishtr 1.0 that contains information about the encryption process. The server then gives the ransomware the green light to encrypt the files on your computer’s hard drive. However, in our test it was configured to encrypt only the files under %USERPROFILE%. Therefore, this ransomware will not encrypt all of your files, but a significant portion of them will be encrypted.
According to our research, ISHTAR Ransomware uses the AES-256 algorithm to encrypt your files and the RSA-2048 algorithm to encrypt the encryption key. The program generates a unique decryption key and sends it to the Command and Control server. Take note that this ransomware adds the ISHTAR- prefix to the names of the encrypted files. Once the files have been encrypted, it generates a file named ISHTAR.DATA, which records the time of encryption, a unique ID, the RSA public key, and the number of encrypted files, and another file called README-ISHTAR.txt that acts as the ransom note. Both of these files are dropped on the desktop and in %APPDATA%.
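The host artefacts listed in the two preceding paragraphs (the dropped winishtr.exe, the (Default) value under the Run key, the HKCU\Software\Ishtr 1.0 key, the ISHTAR.DATA and README-ISHTAR.txt files, and the ISHTAR- filename prefix) are what an incident responder would look for when triaging a machine. The script below is an added example and is not code from the original article or from the malware: it checks each of those locations and returns one record per finding. It assumes that the Run key's (Default) value is unset on a clean machine, so any value found there is reported regardless of its content, and it limits the prefix search to %USERPROFILE% because that is where the sample encrypted files.

```powershell
# Added triage script, not code from the original article or from the malware.
# Checks the host for the ISHTAR Ransomware artefacts described in the article.
# Assumptions: a clean Run key has no (Default) value, so any value is reported;
# the ISHTAR- prefix search is limited to %USERPROFILE% (where the sample encrypted).

function Get-IshtarIndicators {
    $findings = @()

    # 1. Dropped executable in %APPDATA%.
    $dropper = Join-Path $env:APPDATA 'winishtr.exe'
    if (Test-Path -LiteralPath $dropper) {
        $findings += [PSCustomObject]@{ Type = 'File'; Location = $dropper; Detail = 'dropper present' }
    }

    # 2. Persistence: the (Default) value of the per-user Run key.
    $runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $runItem = Get-Item -LiteralPath $runKey -ErrorAction SilentlyContinue
    if ($runItem) {
        $default = $runItem.GetValue('')   # the empty name addresses the (Default) value
        if ($default) {
            $findings += [PSCustomObject]@{ Type = 'Registry'; Location = "$runKey\(Default)"; Detail = $default }
        }
    }

    # 3. Configuration key written by the sample; dump its values for the report.
    $ishtrKey = 'HKCU:\Software\Ishtr 1.0'
    if (Test-Path -LiteralPath $ishtrKey) {
        $values = (Get-ItemProperty -LiteralPath $ishtrKey).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |          # drop provider metadata
            ForEach-Object { "$($_.Name)=$($_.Value)" }
        $findings += [PSCustomObject]@{ Type = 'Registry'; Location = $ishtrKey; Detail = ($values -join '; ') }
    }

    # 4. Ransom note and encryption metadata on the desktop and in %APPDATA%.
    $desktop = [Environment]::GetFolderPath('Desktop')
    foreach ($dir in @($desktop, $env:APPDATA)) {
        foreach ($name in @('ISHTAR.DATA', 'README-ISHTAR.txt')) {
            $p = Join-Path $dir $name
            if (Test-Path -LiteralPath $p) {
                $findings += [PSCustomObject]@{ Type = 'File'; Location = $p; Detail = 'ransomware artefact' }
            }
        }
    }

    # 5. Encrypted files: names carrying the ISHTAR- prefix under %USERPROFILE%.
    $encrypted = @(Get-ChildItem -LiteralPath $env:USERPROFILE -Recurse -File -Filter 'ISHTAR-*' -ErrorAction SilentlyContinue)
    if ($encrypted.Count -gt 0) {
        $findings += [PSCustomObject]@{ Type = 'Files'; Location = $env:USERPROFILE; Detail = "$($encrypted.Count) files with ISHTAR- prefix" }
    }

    return $findings
}

$hits = @(Get-IshtarIndicators)
if ($hits.Count -eq 0) { 'No ISHTAR indicators found.' } else { $hits | Format-Table -AutoSize }
```

Run it in the context of the affected user, since every location it inspects is per-user (HKCU and the profile folders). The file count under step 5 is also a useful sanity check against the encrypted file count that ISHTAR.DATA is said to record, and the Detail column of the Run key finding shows exactly what the persistence entry launches so the file can be removed before the next logon.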
The README-ISHTAR.txt ransom note is written in both Russian and English, so its intended range of dissemination is quite wide. The most important point is that the cybercriminals want you to contact them via Bitmessage to receive further instructions on how to pay the ransom. The amount they demand is not specified anywhere in ISHTAR Ransomware; it is disclosed only after you contact the developers.
However, you should refrain from contacting them and instead remove this ransomware entirely. You can try paying the ransom, but there is no guarantee that you will receive the promised decryption key and software. Furthermore, the price asked may be too high to be worth your files. Therefore, we recommend that you delete ISHTAR Ransomware using our guide or SpyHunter, our recommended anti-malware application.