ISHTAR Ransomware
Posted: November 2, 2016
Threat Metric
The following fields listed on the Threat Meter containing a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.
Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represent no change to a threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
| Threat Level: | 10/10 |
|---|---|
| Infected PCs: | 71 |
| First Seen: | November 2, 2016 |
|---|---|
| OS(es) Affected: | Windows |
The ISHTAR Ransomware is a Trojan that encrypts your files to block them and drops text messages on your desktop redirecting you to ransom negotiations for their recovery. Like other attacks based on holding a hard drive's contents hostage, one can limit the potential of the ISHTAR Ransomware's payload by having backups out of its reach. Your anti-malware software also can delete the ISHTAR Ransomware before it encodes any data.
A Goddess Back from the Grave by Unconventional Means
Personal preferences among threat developers and administrators often make themselves known in attack campaigns in seemingly minor ways. While many of these predominantly aesthetic choices don't mitigate the intended impact of an infection, they can make it much easier than otherwise to identify a particular threat. In one case, the ISHTAR Ransomware, its author chose to forgo the standard renaming format in use by almost all other file-encrypting Trojans.
While the ISHTAR Ransomware's bases its name off of a Mesopotamian goddess whose worship declined in the fifth century AD, its ransom messages are targeting Eastern Europeans and nearby regions, with instructions in both English and Russian. Instead of appending a new extension to the end of the files it encodes, the ISHTAR Ransomware places the string 'the ISHTAR-' in front. Prepending is a much rarer format for Trojans of its type, although some, unrelated threats, such as the CryPy Ransomware, do share it.
Besides distinguishing itself with this stylistic change, the ISHTAR Ransomware conducts standard AES-RSA asymmetric encryption attacks that block all the renamed files from use. Malware experts have yet to find any significant vulnerabilities leading to decryption without taking the risk of paying the ISHTAR Ransomware's admin as per its ransom instructions. However, since the ISHTAR Ransomware is still new, providing samples to interested security researchers may lead to future breakthroughs.
Ending Old Religion Revived to No Good End
In addition to significant, visible symptoms, the ISHTAR Ransomware also is identifiable through the presence of various components, including the 'winISHTAR.exe' executable that it hides within the Roaming subdirectory of the user's account folder. Since the ISHTAR Ransomware uses genuine, AES and RSA-256-bit encryption, you can most easily recover any blocked files by reverting to an unaffected backup. File-encryption Trojans like the ISHTAR Ransomware rarely include targeted attacks against cloud services or peripheral devices not initially plugged in, although the Windows Shadow Copies often are not available.
The ISHTAR Ransomware has been in circulation since late October, although malware analysts only corroborate small numbers of attacks. PC owners can defend themselves from most installation exploits by scanning e-mail attachments with anti-malware utilities able to remove the ISHTAR Ransomware or installer-based threats before the encryption attack can launch. Expect such spearhead attacks to use disguises to trick the victim into opening them, such as fake invoices or delivery notices.
Whatever the reasoning behind its choice of theme, the ISHTAR Ransomware is an apt example of threat authors being willing to reinvent the wheel as many times as it takes to pad their bank accounts with other people's money.
Technical Details
File System Modifications
Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.
The following files were created in the system:%APPDATA%\winishtr.exe
File name: winishtr.exeSize: 1.15 MB (1153024 bytes)
MD5: d6955c1047a02fca56b848ddefb35c07
Detection count: 27
File type: Executable File
Mime Type: unknown/exe
Path: %APPDATA%
Group: Malware file
Last Updated: November 2, 2016
Leave a Reply
Please note that we are not able to assist with billing and support issues regarding SpyHunter or other products. If you're having issues with SpyHunter, please get in touch with SpyHunter customer support through your SpyHunter . If you have SpyHunter billing questions, we recommend you check the Billing FAQ. For general suggestions or feedback, contact us.