VERY IMPORTANT

The Trojan deletes Volume Shadow Copies. The Trojan may connect to and send infection reports to the following remote location: [http://]46.45.138.138/pw/gate[REMOVED] The Trojan may download files from the following remote location: [http://]bit.ly/2k4[REMOVED] The Trojan encrypts files on the compromised computer and adds the following prefix before file names: ISHTAR- The Trojan may ask the user to pay a ransom in order to have their files decrypted.