combo

[Content by Gemini 2.5]

Ransomware Guide: “Combo” (*.combo)

A community reference by Kimi – last updated 02 Jun 2024


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .combo (all lower-case, no digits appended).
  • Renaming Convention:
    • The ransomware prepends a victim-ID string to the original name and appends .combo.
    • Example: given a file report.xlsx, it becomes C45F82A8-C73C-22B4-report.xlsx.combo.
  • Additional signatures: a __README__.TXT ransom note is dropped in every affected directory and on the desktop.
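The renaming convention above is easy to check for at scale, for example over a file-server inventory export taken during triage. The following is an added example, not code from this guide or from any vendor tool; the victim-ID pattern (three hex groups of 8-4-4) is generalized from the single example file name given above, and the observation that the ransom note's Unique ID begins with the same groups is taken from the sample note later in the guide. The file listing is constructed for the example.

```python
import re
from pathlib import PureWindowsPath
from typing import Optional

# Assumed pattern, generalized from the guide's one example
# "C45F82A8-C73C-22B4-report.xlsx.combo": an 8-4-4 upper-case hex victim ID,
# a hyphen, the original file name, and a lower-case ".combo" suffix.
COMBO_NAME_RE = re.compile(
    r"^(?P<victim_id>[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4})-(?P<original>.+)\.combo$"
)
RANSOM_NOTE = "__README__.TXT"           # note file name as given in the guide
NOTE_ID_RE = re.compile(r"Unique ID:\s*([0-9A-F-]+)")


def parse_combo_name(name: str) -> Optional[dict]:
    """Return {'victim_id', 'original'} when `name` follows the Combo rename
    convention; None otherwise. The extension check is case-sensitive because
    the guide states the suffix is always lower-case."""
    m = COMBO_NAME_RE.match(name)
    if not m:
        return None
    return {"victim_id": m.group("victim_id"), "original": m.group("original")}


def note_matches_victim(note_text: str, victim_id: str) -> bool:
    """Tie a dropped ransom note to the renamed files beside it: in the guide's
    sample note the Unique ID starts with the same 8-4-4 groups used as the
    file-name prefix."""
    m = NOTE_ID_RE.search(note_text)
    return bool(m) and m.group(1).startswith(victim_id)


def scan_listing(paths):
    """Summarise Combo indicators in a list of Windows path strings."""
    report = {"encrypted": [], "notes": [], "victim_ids": set(), "hit_dirs": set()}
    for p in paths:
        path = PureWindowsPath(p)
        parsed = parse_combo_name(path.name)
        if parsed:
            report["encrypted"].append({"path": p, **parsed})
            report["victim_ids"].add(parsed["victim_id"])
            report["hit_dirs"].add(str(path.parent))
        elif path.name == RANSOM_NOTE:
            report["notes"].append(p)
            report["hit_dirs"].add(str(path.parent))
    return report


# Constructed sample listing: two encrypted files, two notes, three non-hits.
SAMPLE_LISTING = [
    r"C:\Shares\Finance\C45F82A8-C73C-22B4-report.xlsx.combo",
    r"C:\Shares\Finance\C45F82A8-C73C-22B4-budget 2023.docx.combo",
    r"C:\Shares\Finance\__README__.TXT",
    r"C:\Shares\HR\policies.pdf",
    r"C:\Shares\HR\archive.combo.zip",                        # .combo not the final suffix
    r"C:\Shares\HR\C45F82A8-C73C-22B4-report.xlsx.COMBO",     # upper-case: not this variant
    r"C:\Users\alice\Desktop\__README__.TXT",
]

SAMPLE_NOTE = (
    "All your important files have been encrypted with Combo Locker.\n"
    "Unique ID: C45F82A8-C73C-22B4-ABCD-6EA234B2F1A3\n"
)

if __name__ == "__main__":
    result = scan_listing(SAMPLE_LISTING)
    print(f"{len(result['encrypted'])} encrypted files, {len(result['notes'])} notes, "
          f"victim IDs: {sorted(result['victim_ids'])}")
    for vid in result["victim_ids"]:
        print(vid, "matches note:", note_matches_victim(SAMPLE_NOTE, vid))
```

Recovering the original names from the prefix-stripped form is what lets you reconcile the encrypted set against a backup catalogue before deciding between the restore paths in the decision tree at the end of the guide.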

2. Detection & Outbreak Timeline

  • Approximate Start: First widespread detections in the wild around late-January 2023, peaking through Q2 2023.
  • Latest Variant Evolutions: Minor recompiles appeared May–July 2023 (hash changes) but retained the same encryption scheme (AES-256 + RSA-2048), the .combo extension, and the ransom instruction set.

3. Primary Attack Vectors

  1. Phishing E-mails with Malicious Attachments
    • Uses ISO or ZIP archives containing a small executable (< 5 MB) with a benign-looking PDF icon that side-loads the CRT loader DLL (winrnr.dll) to drop the binary into %APPDATA%.
  2. Exploitation of Exchange & FortiGate CVEs
    • Targets unpatched Microsoft Exchange servers via ProxyNotShell (CVE-2022-41082) and exposed Fortinet VPN appliances (CVE-2022-42475) to install web shells, then moves laterally with WMI/PsExec.
  3. Cracked or Pirated Software Distribution
    • Bundled into “keygens” and “game cracks” on underground forums; victims download and execute the payload manually.
  4. Self-spreading via SMB (unconfirmed)
    • Internal lateral movement tested via leaked Mimikatz + PsExec, but no automatic worming capability has been confirmed. Operator login and scheduled-task creation precede the encryption phase.

Remediation & Recovery Strategies

1. Prevention

  • Patch immediately: Apply Microsoft Exchange OWA & FortiGate VPN patches first.
  • Disable SMBv1/2 where not required; restrict lateral remote execution (disable remote PowerShell for non-privileged accounts).
  • Deploy mail filters to strip ISO/ZIP executables or require admin approval for macro-laden attachments.
  • E-mail attachments: enforce blocking of ISO, VHD, and Macro-Doc by policy.
  • Apply EDR rules for process injection into WINLOGON.EXE and memory writes to LSASS (TTPs observed during intrusions).
  • Enable Windows Credential Guard and restrict RDP to IP white-lists with MFA.
  • Group Policy: disable the default privilege “Act as part of the operating system”.

2. Removal

  1. Isolate the host: unplug it from the network/Wi-Fi immediately.
  2. Boot into Safe Mode with Networking or use a WinPE USB, then overwrite encrypted file shares to prevent further encryption.
  3. Run a second-opinion malware scan with Malwarebytes or Windows Defender Offline; Combo drops at least three persistence pieces:
    • Scheduled task (combosch)
    • Registry key persistence (HKCU\Software\WinRNR\Network\DllPath)
    • A second-stage unsigned binary located at %APPDATA%\Local\Temp\<8-digit>.tmp
    Delete all three after quarantine.
  4. Use Autoruns64.exe to sanitize remaining startup entries.
  5. Verify system integrity: run sfc /scannow and DISM /online /cleanup-image /restorehealth.

3. File Decryption & Recovery

  • Official Decryptor?
    Not currently available. Combo’s key exchange is protected by RSA-2048, and only the attackers hold the private key.
  • Private Key Leak?
    As of June 2024, no master key has been released (nor is one known to be reused across campaigns).
  • Free Decryption Techniques
    • Check shadow copies: run vssadmin list shadows, then expose the latest shadow copy and copy files from it.
    • Test available backups (OneDrive, Time Machine, 3-2-1 rule).
    • Use professional vendor support: Emsisoft, Bitdefender, or Avast will provide free decryption if a matching RSA private key is leaked and recovered.
  • Essential Tools / Updates:
    • Update Microsoft Exchange to the March 2023 CU + KB5023307.
    • Update Fortinet FortiOS to ≥ 7.0.11 or 7.2.5.
    • Microsoft Defender Antivirus engine ≥ 1.385.1270.0 (signatures 2023-06-01).
    • Offline antivirus rescue disk (WinPE with Defender, Kaspersky, Bitdefender).

4. Other Critical Information

  • Unique Characteristics: Combo re-uses the open-source Crypto++ libraries; it also disables the VSS service and deletes backups via WMI using:
    wbadmin delete catalog -quiet and vssadmin delete shadows /all /quiet.
  • Ransom Note Structure:
    All your important files have been encrypted with Combo Locker.
    Unique ID: C45F82A8-C73C-22B4-ABCD-6EA234B2F1A3
    Send e-mail to: [email protected] with your ID.
  • Negotiation Footprint: Actors use Proton re-mailers and demand 0.07–0.12 BTC (~USD 2,000–4,000 at 2023 prices), doubling after 72 h.
  • Crypto-wallet clustering: Tracked under cluster bc1qgam76… (the BTC address is rotated at regular intervals; do not pay: the decryptor often fails or delivers partial keys).
  • Broader Impact Report: In April 2023 one Spanish MSP, compromised via a pirated Adobe patch, propagated .combo to 35 endpoints, illustrating the supply-side risk of cracked software use inside MSP networks.
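The persistence pieces listed under Removal (the combosch scheduled task, the HKCU\Software\WinRNR\Network\DllPath key, the 8-digit .tmp second stage) and the backup-deletion commands above are all visible in endpoint telemetry before or during the encryption phase. The following is an added example, not code from this guide or from any EDR product: a small rule set run over simplified Sysmon-style key=value event lines. The event format, the sample events, the user names and paths are constructed for the example; the indicator strings come from this guide. The winrnr.dll rule assumes that the legitimate copy of that DLL lives under the Windows directory, so a load from anywhere else is treated as the side-load the guide describes.

```python
import re
from pathlib import PureWindowsPath

# Simplified Sysmon-style "key=value" event lines (constructed format for this example):
# EventID 1 = process creation, 7 = image load, 13 = registry value set.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """Split one key=value line into a dict; values may be double-quoted."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def _image_name(ev: dict) -> str:
    return PureWindowsPath(ev.get("Image", "")).name.lower()


def _cmd(ev: dict) -> str:
    return ev.get("CommandLine", "").lower()


def rule_shadow_deletion(ev):
    """Backup destruction as named in the guide: vssadmin delete shadows, wbadmin delete catalog."""
    img, cmd = _image_name(ev), _cmd(ev)
    return ((img == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd)
            or (img == "wbadmin.exe" and "delete" in cmd and "catalog" in cmd))


def rule_combosch_task(ev):
    """Creation of the scheduled task the guide names (combosch)."""
    return (_image_name(ev) == "schtasks.exe" and "/create" in _cmd(ev)
            and re.search(r'/tn\s+"?combosch"?(\s|$)', _cmd(ev)) is not None)


def rule_winrnr_registry(ev):
    """Registry persistence key from the guide. Sysmon records HKCU as HKU plus the
    user's SID, so only the tail of the key path is compared."""
    target = ev.get("TargetObject", "").lower()
    return ev.get("EventID") == "13" and target.endswith(r"\software\winrnr\network\dllpath")


def rule_temp_stage2(ev):
    """Execution of an 8-digit .tmp file from the Temp path the guide gives for the second stage."""
    return (ev.get("EventID") == "1"
            and re.search(r"\\temp\\\d{8}\.tmp$", ev.get("Image", "").lower()) is not None)


def rule_winrnr_sideload(ev):
    """winrnr.dll loaded from outside the Windows directory (assumption: the genuine DLL lives there)."""
    loaded = ev.get("ImageLoaded", "").lower()
    return (ev.get("EventID") == "7" and loaded.endswith("\\winrnr.dll")
            and "\\windows\\" not in loaded)


RULES = [
    ("combo.shadow_copy_deletion", rule_shadow_deletion),
    ("combo.combosch_task", rule_combosch_task),
    ("combo.winrnr_registry_persistence", rule_winrnr_registry),
    ("combo.temp_stage2_binary", rule_temp_stage2),
    ("combo.winrnr_dll_sideload", rule_winrnr_sideload),
]


def detect(lines):
    """Return (line_number, rule_name) for every event that trips a rule."""
    hits = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        hits.extend((n, name) for name, rule in RULES if rule(ev))
    return hits


# Constructed sample events: six malicious, three benign look-alikes (lines 3, 8, 9).
SAMPLE_EVENTS = [
    r'EventID=1 Image="C:\Windows\System32\vssadmin.exe" CommandLine="vssadmin delete shadows /all /quiet" User="CORP\jdoe"',
    r'EventID=1 Image="C:\Windows\System32\wbadmin.exe" CommandLine="wbadmin delete catalog -quiet" User="CORP\jdoe"',
    r'EventID=1 Image="C:\Windows\System32\vssadmin.exe" CommandLine="vssadmin list shadows" User="CORP\backupadmin"',
    r'EventID=1 Image="C:\Windows\System32\schtasks.exe" CommandLine="schtasks /create /tn combosch /tr C:\Users\jdoe\AppData\Local\Temp\48213975.tmp /sc onlogon" User="CORP\jdoe"',
    r'EventID=13 Image="C:\Users\jdoe\AppData\Local\Temp\48213975.tmp" TargetObject="HKU\S-1-5-21-111-222-333-1001\Software\WinRNR\Network\DllPath" Details="C:\Users\jdoe\AppData\Roaming\winrnr.dll"',
    r'EventID=1 Image="C:\Users\jdoe\AppData\Local\Temp\48213975.tmp" CommandLine="C:\Users\jdoe\AppData\Local\Temp\48213975.tmp" User="CORP\jdoe"',
    r'EventID=7 Image="C:\Users\jdoe\Downloads\Invoice.exe" ImageLoaded="C:\Users\jdoe\AppData\Roaming\winrnr.dll"',
    r'EventID=7 Image="C:\Windows\System32\svchost.exe" ImageLoaded="C:\Windows\System32\winrnr.dll"',
    r'EventID=1 Image="C:\Windows\System32\schtasks.exe" CommandLine="schtasks /query /tn \Microsoft\Windows\Defrag\ScheduledDefrag" User="CORP\jdoe"',
]

if __name__ == "__main__":
    for n, name in detect(SAMPLE_EVENTS):
        print(f"line {n}: {name}")
```

The benign look-alikes matter for tuning: vssadmin list shadows is exactly the recovery step recommended earlier in this guide, and a legitimate winrnr.dll load from System32 is routine, so the rules key on the destructive verbs and on the load path rather than on the binary names alone.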

TL;DR Decision Tree

| Condition | Recommended Action |
|-----------|--------------------|
| Shadow Copy exists | Restore from VSS, deep-scan, patch → incident over. |
| Shadow absent but offline backup exists | Nuke & pave → restore → patch. |
| No backups & no leaked key | Document IOCs; do not pay the ransom, given the known risk. Use an IR vendor if budget is available. |


End of guide.
If you uncover a free decryptor or leaked master key, please open a Pull Request on GitHub: github.com/ransomware-info/combo.md so the community can update in real time.