Have you experienced a situation where your company’s Sage 100 data files are suddenly inaccessible, and the only options are to restore from a backup or pay a ransom because a vicious malware infection has hit every file on your network, including your accounting software?
CryptoLocker (aka CryptoWall, ransom.CryptoDefense) malware is probably the culprit. The fix is a little less certain, although many users are moving their accounting servers off-site to avoid these malware problems.
Symantec defines this type of malware as:
Ransom.Cryptowall is a Trojan horse that encrypts files on the compromised computer. It then asks the user to pay to have the files decrypted.
The threat typically arrives on the affected computer through spam emails, exploit kits hosted through malicious ads or compromised sites, or other malware.
Once the Trojan is executed on the compromised computer, it creates a number of registry entries to store the path of the encrypted files and run every time the computer restarts. It encrypts files with particular extensions on the computer and creates additional files with instructions on how to obtain the decryption key.
This threat family attempts to convince the user to pay money in order to get the key to unlock their files. It uses a variety of different techniques in order to encourage the user to pay the ransom.
The CryptoLocker “Fix” Can Be As Bad As The Infection.
In an effort to avoid CryptoLocker infections many IT departments greatly increase the malware protection on the entire network – resulting in significant accounting software slowdowns.
Even then, there is no guarantee that the malware won’t creep onto the network and infect everyone – including your accounting files.
Unlike most computer viruses there is no easy fix to a CryptoLocker infection aside from preventing it from happening in the first place and ensuring that you have a very recent backup.
How Will I Know That I Have The CryptoLocker Malware?
Signs that Sage 100 has been hit by the CryptoWall file-encrypting ransomware trojan (or similar, related or copycat programs like Zepto), which targets Windows machines and encrypts files:
- All modules, tasks, and/or buttons are missing in the Sage 100 Desktop
- Tab and Enter keys do not work in task windows.
- Tab key will act as the Enter key when logging in or navigating tasks and panels
- “Error #2: End-of-file on read or file full on write” when attempting to access Sage 100 Advanced
- “Error #17: Invalid file type or contents” when attempting to access Sage 100 ERP Advanced
- Various files such as Microsoft Office Word or Excel or Portable Document Format *.PDF or text *.TXT files are also encrypted and cannot be opened. This includes text files that Sage 100 ERP uses to display available modules, tasks, and toolbar buttons – and is the first sign users get that there is something wrong. Attempts to open these files may show that they contain random characters instead of legible text.
- Note: More recent variants will add an extension after encrypting, such as *.aaa, or *.abc, or *.cpinf, or *.ZEPTO, etc.
- Note: More recent variants have also been known to encrypt Sage 100 ERP *.M4T data files plus *.M4P and *.msi program files for ransom as well.
Additionally, inspect the “MAS90” directory and sub-directories to check for the existence of files purporting to offer instructions on how to pay a financial ransom in order to purchase a decryption program such as:
Note: Files like BouncyCastle.Crypto.dll and SY_Crypto.pvc are standard program files within a Sage 100 ERP installation. They are not signs of a problem.
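The checks above can be scripted for a first pass over the “MAS90” directory. The sketch below is an added example, not Sage or Symantec code. It flags the appended extensions listed above and *.TXT files that are no longer legible, and it skips the two standard program files. The 85% printable threshold, the "crypt" name heuristic and the sample tree are assumptions constructed for the demo.

```python
from pathlib import Path
import tempfile

# Extensions the article says recent variants append after encrypting.
RANSOM_EXTS = {".aaa", ".abc", ".cpinf", ".zepto"}
# Standard Sage 100 ERP program files the article says are not signs of a problem.
KNOWN_GOOD = {"bouncycastle.crypto.dll", "sy_crypto.pvc"}
MIN_PRINTABLE = 0.85  # assumption: legible text is at least 85% printable ASCII

def printable_ratio(data):
    """Fraction of bytes that are printable ASCII, tab, CR or LF."""
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data) if data else 1.0

def scan_mas90(root):
    """Return sorted (relative path, reason) pairs for suspicious files under root."""
    findings = []
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        lower, ext = path.name.lower(), path.suffix.lower()
        if ext in RANSOM_EXTS:
            findings.append((rel, "ransomware extension"))
        elif ext == ".txt":
            # Encrypted text shows up as random bytes instead of legible text.
            sample = path.read_bytes()[:4096]
            if printable_ratio(sample) < MIN_PRINTABLE:
                findings.append((rel, "text file is not legible"))
        elif "crypt" in lower and lower not in KNOWN_GOOD:
            # Hypothetical heuristic: unknown "crypt" names deserve a manual look.
            findings.append((rel, "name mentions crypt, review manually"))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample data: a tiny stand-in for a MAS90 tree."""
    samples = {
        "Home/BouncyCastle.Crypto.dll": b"MZ\x90\x00",        # standard file
        "Home/SY_Crypto.pvc": b"\x00\x01",                    # standard file
        "Launcher/modules.txt": bytes(range(256)) * 4,        # unreadable bytes
        "Launcher/readme.txt": b"Accounts Payable\r\nGeneral Ledger\r\n",
        "MAS_ABC/GL_Account.M4T.zepto": b"\x8f\x11\xfe",      # appended extension
    }
    for rel, data in samples.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(*scan_mas90(tmp), sep="\n")
```

Run it read-only against a copy or a backup mount of the share; a hit is a prompt to inspect the file, not proof of infection.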
How Can I Prevent CryptoLocker Malware From Shutting Down My Accounting Department?
- Make daily backups which you retain for two weeks
- Segment your Sage 100 system from your network, giving a 99.9% defense against your Sage data inheriting a CryptoLocker infection
- Rotate 4 images of your Sage server
- Locate accounting servers off-site away from your main network
- Create an accounting environment where users cannot browse to an infected website or click on email attachments
Your Best Defense Against CryptoLocker?
The easiest way to implement the above suggestions is to take your Sage 100 accounting system and host it off-site on a secure network segregated from your primary network. Essentially, this is cloud hosting for Sage 100.
In most cases, because you are not sharing local space with the rest of your company’s users this results in a Sage 100 system which runs significantly faster and is more responsive than one hosted locally.
If you are not browsing the web, opening email or opening outside files on your hosted Sage 100 system then your chances of catching the CryptoLocker malware can go down by as much as 99%.
As a bonus, your hosted system is also available for you to access from your office, your home or by salespeople while on-the-road.
If expensive accounting downtime is something that you’re seeking to avoid – please join me for a 30 minute introduction to cloud hosting solutions. We’ll cover the pros and cons as well as answer questions about what Sage 100 enhancements work on a hosted platform.
Learn More: November 16, 2016 Webinar – Sage 100 Cloud Hosting
When: November 16, 2016 – 1:00 pm to 1:30 pm EST
Where: Online (click here to register)
Wayne Schulz – Schulz Consulting
Robert Eppele – GotoMyERP – Sage 100 Cloud Hosting