Ransom.AutoIt.ISHTAR.A

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It steals email account information. It retrieves specific information from the affected system.

It encrypts files with specific file extensions. It drops files as ransom note.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following copies of itself into the affected system and executes them:

• %Application Data%\{5-12 Random Alphanumeric Characters}.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It drops the following file(s)/component(s):

• %Desktop%\{Malware File Name}.docx → Contains the generated 5-12 random alphanumeric characters
• %Application Data%\ISHTAR.DATA → Contains a generated key
• {Drive Letter}:\ISHTAR.DATA → Contains a generated key

(Note: %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\Desktop on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It drops and executes the following files:

• %Application Data%\{5-12 Random Alphanumeric Characters}.tmp → Contains the decrypted payload

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• %System%\cmd.exe /c "%Desktop%\{Malware File Name}.docx"
• %Application Data%\{5-12 Random Alphanumeric Characters}.exe
• %System%\cmd.exe /c ping -n 1 localhost > nul & del /f /q "{Malware File Path}\{Malware File Name}.exe"
• "%Application Data%\{5-12 Random Alphanumeric Characters}.exe" /AutoIt3ExecuteScript "%Application Data%\{5-12 Random Alphanumeric Characters}.tmp
• %System%\cmd.exe /c whoami /all
• "%System%\eventvwr.exe"
• "%System%\cmd.exe /c vssadmin delete shadows /all /quiet

(Note: %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\Desktop on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Autostart Technique

This Ransomware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
(Default) = %Application Data%\{5-12 Random Alphanumeric Characters}.exe

Other System Modifications

This Ransomware adds the following registry entries:

HKEY_CURRENT_USER\Software\Classes\
mscfile\shell\open\
command
(Default) = %System%\cmd.exe /c vssadmin delete shadows /all /quiet

HKEY_CURRENT_USER\Software\Ishtr 1.0
Eop = Success

HKEY_CURRENT_USER\Software\Ishtr 1.0
Start = Success

Process Termination

This Ransomware terminates the following processes if found running in the affected system's memory:

• Taskmgr.exe

Information Theft

This Ransomware steals email account information.

It retrieves the following information from the affected system:

• Security Identifier (SID)
• Product Name
• Computer Name
• Architecture

It attempts to get stored information such as user names, passwords, and hostnames from the following browsers:

• Internet Explorer
• Mozilla Firefox
• Google Chrome
• Safari
• Opera
• SeaMonkey
• Chromium
• Yandex
• Vivaldi

It stores collected data in the following file(s):

• %Application Data%\~p{Last 12 hex digits of GUID}.tmp → Web Browser Account Information
• %Application Data%\~m{Last 12 hex digits of GUID}.tmp → Email Account Information

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Stolen Information

This Ransomware sends the gathered information via HTTP POST to the following URL:

• http://{BLOCKED}.{BLOCKED}.{BLOCKED}.176/pw/gate.php

Other Details

This Ransomware connects to the following URL(s) to check for an Internet connection:

• www.google.com
• http://{BLOCKED}t.ly/2rgCJiT

It does the following:

• It executes then deletes itself afterwards.
• It disables the user's mouse and keyboard.
• It is capable of locking the screen of the affected system.
• It displays the following GUI after it locks the screen:
  

Ransomware Routine

This Ransomware encrypts files with the following extensions:

• .7z
• .rar
• .zip
• .m4a
• .wma
• .avi
• .wmv
• .csv
• .d3dbsp
• .sc2save
• .sie
• .sum
• .ibank
• .t13
• .t12
• .qdf
• .gdb
• .tax
• .pkpass
• .bc6
• .bc7
• .bkp
• .qic
• .bkf
• .sidn
• .sidd
• .mddata
• .itl
• .itdb
• .icxs
• .hvpl
• .hplg
• .hkdb
• .mdbackup
• .syncdb
• .gho
• .cas
• .svg
• .map
• .wmo
• .itm
• .sb
• .fos
• .mcgame
• .vdf
• .ztmp
• .sis
• .sid
• .ncf
• .menu
• .layout
• .dmp
• .blob
• .esm
• .001
• .vtf
• .dazip
• .fpk
• .mlx
• .kf
• .iwd
• .vpk
• .tor
• .psk
• .rim
• .w3x
• .fsh
• .ntl
• .arch00
• .lvl
• .snx
• .cfr
• .ff
• .vpp_pc
• .lrf
• .m2
• .mcmeta
• .vfs0
• .mpqge
• .kdb
• .db0
• .DayZProfile
• .rofl
• .hkx
• .bar
• .upk
• .das
• .iwi
• .litemod
• .asset
• .forge
• .ltx
• .bsa
• .apk
• .re4
• .sav
• .lbf
• .slm
• .bik
• .epk
• .rgss3a
• .pak
• .big
• .unity3d
• .wotreplay
• .xxx
• .desc
• .py
• .m3u
• .flv
• .js
• .css
• .rb
• .png
• .jpeg
• .txt
• .p7c
• .p7b
• .p12
• .pfx
• .pem
• .crt
• .cer
• .der
• .x3f
• .srw
• .pef
• .ptx
• .r3d
• .rw2
• .rwl
• .raw
• .raf
• .orf
• .nrw
• .mrwref
• .mef
• .erf
• .kdc
• .dcr
• .cr2
• .crw
• .bay
• .sr2
• .srf
• .arw
• .3fr
• .dng
• .jpg
• .cdr
• .indd
• .ai
• .eps
• .pdf
• .pdd
• .psd
• .dbfv
• .mdf
• .wb2
• .rtf
• .wpd
• .dxg
• .xf
• .dwg
• .pst
• .accdb
• .mdb
• .pptm
• .pptx
• .ppt
• .xlk
• .xlsb
• .xlsm
• .xlsx
• .xls
• .wps
• .docm
• .docx
• .doc
• .odb
• .odc
• .odm
• .odp
• .ods
• .odt

It avoids encrypting files with the following strings in their file name:

• $
• ~
• ISHTAR

It avoids encrypting files with the following strings in their file path:

• $
• ~
• WINDOWS
• Windows
• RECYCLER
• Program Files
• Program Files (x86)
• TEMP
• APPDATA
• AppData
• Temp
• ProgramData
• Microsoft

It drops the following file(s) as ransom note:

• %Application Data%\README-ISHTAR.txt
• {Drive Letter}:\README-ISHTAR.txt