ISHTAR Ransomware

ISHTAR Ransomware is targeted at both Russian and English speaking users as the displayed ransom note is written in both of these two languages. The message explains to the user how to decrypt his files that may have been enciphered with a strong encryption algorithm. Needless to say that if your computer was infected with this threat, most of the files on it could be unrecoverable if you did not backup such data, so for now, we can only help you get rid of the malware. Unlike other similar infections, ISHTAR Ransomware does not seem to delete itself once the encryption process is over. On the contrary, its malicious data should remain on the computer, and it would be safer for the system to erase it. To learn how to remove the malware, slide below the text and check the available instructions.

It was confirmed that ISHTAR Ransomware might be distributed through malicious email attachments. Moreover, from the displayed icon the attached file might look like a Microsoft Word document. Consequently, inexperienced users might identify such data as safe and open it without thinking about possible consequences. You should always remember that even harmless looking files can still be malicious. Thus, you should not take chances with attachments from unknown senders or Spam emails. In such situations, it is better to forget your curiosity and check the received file before opening it, e.g. scan it with a reliable antimalware software.

After launching the fake Microsoft Word document, the threat could place an executable file in the %APPDATA% directory. This file should look for data in the %USERPROFILE% folder or its subfolders and encrypt it while using a cryptosystem called AES 256. During the process, ISHTAR Ransomware might create a unique decryption key too, but it should be enciphered while using another cryptosystem know as RSA. What’s more, all encrypted files should be given a unique prefix called ISHTAR. For example, an enciphered Microsoft Word document could look like ISHTAR-text.docx. Therefore, you can clearly see which data was affected and which one is still usable.

As soon as your data is enciphered the malicious program should create a couple of files called README-ISHTAR.txt and ISHTAR.DATA on your Desktop. The text document is a ransom note from the malware’s developers. It does not say anything about a ransom or payment methods, but it says that the user should contact the cyber criminals with the Bitmessage application. We are almost one hundred percent sure that their reply should state how much you would have to pay to decrypt enciphered data and how you could transfer the requested amount of money.

However, if you are considering paying the ransom keep it in mind that not everything might go as well as you would hope. Same as other similar infections, ISHTAR Ransomware was created to extort money from its victims and its creators may not care about user’s files. There were situations with other similar malware, when users agreed to pay the ransom, transferred the money, but still did not receive the promised decryption tool. In other words, you have to be prepared for all consequences as there are no guarantees and no chances to get the money back. If you would rather spend your savings for something else, we advise you not to take any chances and simply get rid of the infection.

Users who are up for the task could try to remove it manually while following the instructions available little below this text. Nevertheless, if they seem too complicated or you do not trust your skill so much, you can use a reliable antimalware tool as well. In fact, such option might be even better because users would delete not only ISHTAR Ransomware but other possible malware on the computer at the same time. Thus, if you have not cleaned the system properly for a long period, it might be the time to install a legitimate antimalware software and perform a full system scan. No matter how you choose to erase the threat, if you are having a hard time, leave us a comment here or via social media and we will try to help you as soon as we can.

Remove ISHTAR Ransomware

1. Press Win+E to access the Explorer.
2. Copy and paste this location %APPDATA% into the Explorer and press Enter.
3. Search for a malicious executable file; it could be called winishtr.exe or similarly.
4. Right-click the malicious file and select Delete.
5. Erase README-ISHTAR.txt and ISHTAR.DATA files from your Desktop and %APPDATA% directory.
6. Close the Explorber and Open Windows Registry (press Win+R, type Regedit and click OK).
7. Look for this directory: HKCU\Software
8. Find a key named as Ishtr 1.0 or similarly, then right-click it and select Delete.
9. Navigate to this location: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
10. Find a value name with a random name (e.g. (Default)); its value data should point to the malicious file in the %APPDATA% directory.
11. Right-click the value name and choose Delete.
12. Empty the Recycle Bin.