ISHTAR Ransomware Removal Guide

Do you know what ISHTAR Ransomware is?

Our security experts have recently tested a ransomware-type program called ISHTAR Ransomware. Like many malicious programs of its type, it is designed to encrypt many files on your PC, and if it does, you will not be able to decrypt them for free. However, paying the cyber criminals behind this ransomware is not an option because you might not get the decryption key and decryptor. Therefore, we suggest removing this ransomware instead. In this article, we will discuss this program’s inner workings, distribution and removal options.

From the outset, it must be said that there is no free tool that can decrypt the encryption of this newly published ransomware. Our researchers have tested this program and found that when this ransomware encrypts a computer, it drops its main executable named winishtr.exe in %APPDATA%. Not only that, but it will also create a registry string that is referred to as the Point of Execution. This string is called (Default) and it is placed at HKCU\Software\Microsoft\Windows\CurrentVersion\Run. The purpose of this string is to launch this ransomware on each system startup, but it should not encrypt newly added files every time you power on your PC. ISHTAR Ransomware will also create a registry key at HKCU\Software\Ishtr 1.0 that contains information about the encryption process. Note that after the encryption is complete, this program will create two more files that include ISHTAR.DATA, a file that stores data such as the time of encryption, unique ID, RSA public key, and encrypted file count.

Once all of the necessary files are in place, this ransomware connects to its Command and Control (C&C) server and begins the encryption process. Tests have shown that it encrypts files located in %USERPROFILE% only. ISHTAR Ransomware encrypts files using the AES-256 encryption algorithm and then encrypts the encryption key with the RSA-2048 encryption algorithm. It also creates a decryption key for decrypting the other encryption key and your files and stores it on the C&C server. The only way to get this key is to contact this ransomware’s developers via Bitmessage using the provided address. Only after contacting them will you know how much money you have to pay to get the decryptor and decryption key. However, you should not count on the criminals to keep their word and send you the key and program once you have made the transaction. Now that you know how this program works, let us discuss ISHTAR Ransomware’s distribution channel.

Malware researchers say that this new ransomware is distributed via the most popular ransomware distribution channel, email spam. Indeed, like many other ransomware-type programs, including ZeroCrypt Ransomware, Click Me Ransomware, and Krypte Ransomware, ISHTAR Ransomware uses fake emails to get onto your PC. Our researchers have found that the file that downloads this ransomware looks like a regular Microsoft Word .docx file, but the file is malicious because, once you open it, it asks you to enable macros to show you the otherwise distorted text. Macros open up your PC to vulnerabilities, and ransomware such as this one can easily slip in undetected.

Therefore, you should consider investing in an antimalware application to protect your computer from possible infections. If your PC has been infected with this particular ransomware and you want to remove it, then you can make use of the manual removal guide featured below. However, if you have difficulties tackling this infection, we suggest using SpyHunter as it is more than capable of deleting this particular computer infection.

Removal Instructions

  1. Hold down Windows+E keys.
  2. In the File Explorer’s address box, type %APPDATA% and hit Enter.
  3. Find winishtr.exe, right-click it and click Delete.
  4. Close File Explorer and empty the Recycle Bin.
  5. Hold down Windows+R keys.
  6. Go to HKCU\Software\Microsoft\Windows\CurrentVersion\Run and delete (Default).
  7. Finally, navigate to HKCU\Software\Ishtr 1.0 and delete this whole key.
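
The same checks as a PowerShell script, added here as an example and not part of the original guide: it reports the three artefacts named above and deletes them only when run with -Remove. The script name, the process lookup, and the rule that the Run (Default) value is deleted only when its data references winishtr.exe are assumptions of this example.

```powershell
# Added example: audit (and optionally remove) the ISHTAR artefacts named in this guide.
# Save as Check-Ishtar.ps1 (hypothetical name); run with -Remove to delete what is found.
param([switch]$Remove)

$exePath  = Join-Path $env:APPDATA 'winishtr.exe'
$runPath  = 'Software\Microsoft\Windows\CurrentVersion\Run'
$ishtrKey = 'HKCU:\Software\Ishtr 1.0'
$findings = @()

# 1. Dropped executable in %APPDATA%
if (Test-Path -LiteralPath $exePath) {
    $findings += "File: $exePath"
    if ($Remove) {
        # Assumption: a running copy keeps the file locked, so stop it first.
        # Only processes whose image path is exactly the dropped file are stopped.
        Get-Process -Name 'winishtr' -ErrorAction SilentlyContinue |
            Where-Object { $_.Path -eq $exePath } | Stop-Process -Force
        Remove-Item -LiteralPath $exePath -Force
    }
}

# 2. (Default) value under the HKCU Run key; GetValue('') reads the unnamed default value
$run = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($runPath, [bool]$Remove)
if ($run) {
    $default = $run.GetValue('')
    if ($null -ne $default) {
        $findings += "Run (Default) = $default"
        # Assumption: the value's data references winishtr.exe; anything else is left for review
        if ($Remove -and "$default" -match 'winishtr\.exe') { $run.DeleteValue('', $false) }
    }
    $run.Close()
}

# 3. Registry key holding information about the encryption process
if (Test-Path -LiteralPath $ishtrKey) {
    $findings += "Key: $ishtrKey"
    if ($Remove) { Remove-Item -LiteralPath $ishtrKey -Recurse -Force }
}

if ($findings) { $findings | ForEach-Object { Write-Output "FOUND  $_" } }
else           { Write-Output 'No ISHTAR artefacts from this guide were found.' }
```

Run it as the affected user, since every location it checks is under that user's profile and HKCU hive.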

In non-techie terms:

ISHTAR Ransomware is a malicious piece of software that can encrypt your personal files and demand money for you to get them back. There is no guarantee that your files will be decrypted once you have paid, and even if they are, you should not comply with cyber criminals. We recommend that you remove this deceptively distributed application using our guide or SpyHunter.