Combo13 Wiper Ransomware - How to remove

Combo13 is an extremely malicious program that destroys the files on the infected computer. It is made to look like file-encrypting ransomware, but rather than encrypting files, it corrupts them irreversibly. This is why Combo13 is called a wiper.

It’s important to delete Combo13 to stop it from causing any more problems. It is also important to remember not to contact the extortionists, or at least to be very careful with them.

Combo13 wiper in short:

  • Threat type: ransomware, wiper, scam.
  • Combo13 infection symptoms: files don’t open, file names end with “combo13”, ransom notes are left in various folders.
  • Can you restore your data? Recover your data from backups, use data recovery programs, be very careful if you decide to contact the extortionists.
  • How to delete Combo13: use antivirus programs to find and delete malware (Spyhunter, others).

How Combo13 affects computers

Combo13 is a malicious program. It could come in a malicious email, be bundled with a pirated program, or sneak in via RDP (How ransomware spreads).

It encrypts various files, from documents to pictures, making them impossible to open. These encrypted files are also renamed, with a suffix appended that looks like this:

file-name.file-extension.id-XXXXXXXX.[email address].combo13

Except, according to a ransomware researcher, Combo13 doesn’t encrypt files, but corrupts them. While encryption allows information to be recovered with the right decryptor and the correct decryption key, corrupted files can’t be fixed that way. At best, you can extract uncorrupted data from a corrupted file, but the rest is lost.

Anyway, the goal of Combo13 is to make money by forcing its victims to contact the extortionists and pay a ransom. That’s why Combo13 includes an email address in the names of the encrypted/corrupted files. That’s also why it creates ransom notes (text files called FILES ENCRYPTED) with more contact details (emails [email protected] and [email protected]) and instructions for how to buy Bitcoin.
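The naming scheme and the ransom-note name described above are enough to scope the damage before restoring from backup. The following Python script is an added example, not part of the original article or of any tool it mentions; the ID character set, the note's .txt extension and the sample paths are assumptions.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Naming scheme quoted in the article:
#   file-name.file-extension.id-XXXXXXXX.[email address].combo13
# Assumption: the eight X's stand for letters or digits.
RENAMED = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[0-9A-Za-z]{8})"
    r"\.\[(?P<contact>[^\]]+)\]\.combo13$",
    re.IGNORECASE,
)

def is_ransom_note(name):
    """Notes are text files called FILES ENCRYPTED (.txt or no extension assumed)."""
    p = PureWindowsPath(name)
    return p.stem.upper() == "FILES ENCRYPTED" and p.suffix.lower() in ("", ".txt")

def inventory(paths):
    """Summarise Windows path strings: what to restore from backup, and where."""
    report = {"restore": [], "notes": [], "ids": set(),
              "contacts": set(), "per_folder": Counter()}
    for raw in paths:
        p = PureWindowsPath(raw)
        m = RENAMED.match(p.name)
        if m:
            # Pair the renamed file with the pre-infection path to pull from backup.
            report["restore"].append((str(p), str(p.with_name(m["original"]))))
            report["ids"].add(m["victim_id"].upper())
            report["contacts"].add(m["contact"].lower())
            report["per_folder"][str(p.parent)] += 1
        elif is_ransom_note(p.name):
            report["notes"].append(str(p))
    return report

# Constructed sample paths (not taken from a real incident).
SAMPLE = [
    r"C:\Users\alice\Documents\budget.xlsx.id-1A2B3C4D.[contact@example.invalid].combo13",
    r"C:\Users\alice\Documents\FILES ENCRYPTED.txt",
    r"C:\Users\alice\Pictures\trip.id-card.jpg.id-1A2B3C4D.[contact@example.invalid].combo13",
    r"C:\Users\alice\Pictures\untouched.png",
]

if __name__ == "__main__":
    result = inventory(SAMPLE)
    for current, original in result["restore"]:
        print(f"restore from backup: {original}")
    print("ransom notes:", result["notes"], "folders hit:", dict(result["per_folder"]))
```

Feed it the output of a recursive directory listing; the "restore" pairs give the original paths to request from backup, since the renamed files themselves are corrupted rather than decryptable.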

Here’s how Combo13’s ransom note begins:

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected]

“Security problem”, sure. Some extortionists and other cybercriminals think of themselves as security researchers, their ransoms – bug bounties. In reality, they are criminals and you can even report them to law enforcement (although that is unlikely to help you get your data back).

Combo13's ransom note is pretty standard.

Can you get your files back?

A good defense against ransomware is having secure backups of your data. If you have backups, you can restore your files from them after expelling Combo13. Just make sure that your backups are okay first (Ransomware Attackers Use Your Cloud Backups Against You).

If you lost some files and didn’t have a backup, you could try using a data recovery program, like EaseUS. These programs can restore some deleted data, which can help get lost data back. There’s no guarantee they’ll help, so take advantage of free trials to check what results you can expect.

If you consider paying the ransom, be very careful. Combo13’s extortionists promise to prove that they can decrypt your files, so use that opportunity. If Combo13 is really a wiper, do not pay the ransom. And remember to not reveal any personal information to the extortionists so that they can’t use it against you.

According to the researcher linked above, Combo13 is a type of HiddenTear, a well-known open-source file-encrypting program. It’s likely then that there’s no trick to Combo13 that researchers overlooked.

How to delete Combo13

You can use antivirus programs like Spyhunter to find and delete Combo13 and other malware. (Often, malicious programs spread in little groups.) Follow the instructions below. You can also reset your PC, but make sure to not keep any files. Some malware is extremely persistent and an antivirus scan can still be helpful.

Find out how Combo13 ransomware got on your computer and repair that security hole. Protect your devices with a good antivirus program, don’t open suspicious email attachments, disable macros and their notifications (Enable or disable macros in Office files), and make sure your passwords and usernames are all unique and complex.


How to recover Combo13 Wiper Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:


for Windows 7 / Vista/ XP
  • Start → Shutdown → Restart → OK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
 

2. Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the available Restore Points created before Combo13 Ransomware Wiper infiltrated your system, and then click “Next”.
  • To start System Restore, click “Yes”.
 

Step 2. Complete removal of Combo13 Wiper Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to Combo13 Ransomware Wiper. You can check other tools here.

Step 3. Restore Combo13 Wiper Ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Combo13 Ransomware Wiper tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so.

Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Combo13 Wiper Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.