Schulz Consulting

Sage 100cloud Consulting

Sage 100 and CryptoLocker: Prevention, Best Practices and Avoiding “Cures” That Slow Your System

October 4, 2016 by Wayne Schulz

Have you experienced a situation where your company’s Sage 100 data files are suddenly inaccessible, and the only options are to restore from a backup or to pay a ransom, because a vicious malware infection has hit every file on your network – including your accounting software?

CryptoLocker (aka CryptoWall, Ransom.CryptoDefense) malware is probably the culprit. The fix is less certain, although many users are moving their accounting servers off-site to avoid these malware problems.

Symantec defines this type of malware as:

Ransom.Cryptowall is a Trojan horse that encrypts files on the compromised computer. It then asks the user to pay to have the files decrypted.

The threat typically arrives on the affected computer through spam emails, exploit kits hosted through malicious ads or compromised sites, or other malware.

Once the Trojan is executed on the compromised computer, it creates a number of registry entries to store the path of the encrypted files and run every time the computer restarts. It encrypts files with particular extensions on the computer and creates additional files with instructions on how to obtain the decryption key.

This threat family attempts to convince the user to pay money in order to get the key to unlock their files. It uses a variety of different techniques in order to encourage the user to pay the ransom.

The CryptoLocker “Fix” Can Be As Bad As The Infection.

In an effort to avoid CryptoLocker infections many IT departments greatly increase the malware protection on the entire network – resulting in significant accounting software slowdowns.

Even then, there is no guarantee that the malware won’t creep onto the network and infect everyone – including your accounting files.

Unlike most computer viruses, there is no easy fix for a CryptoLocker infection aside from preventing it in the first place and ensuring that you have a very recent backup.

How Will I Know That I Have The CryptoLocker Malware?

Signs that a Sage 100 installation has been hit by the CryptoWall file-encrypting ransomware trojan (or a similar, related or copycat program such as Zepto), which targets Windows machines and encrypts files:

  • All modules, tasks and/or buttons are missing from the Sage 100 Desktop.
  • The Tab and Enter keys do not work in task windows.
  • The Tab key acts as the Enter key when logging in or navigating tasks and panels.
  • “Error #2: End-of-file on read or file full on write” when attempting to access Sage 100 Advanced.
  • “Error #17: Invalid file type or contents” when attempting to access Sage 100 ERP Advanced.
  • Other files, such as Microsoft Word or Excel documents, *.PDF files and *.TXT text files, are also encrypted and cannot be opened. This includes the text files that Sage 100 ERP uses to display the available modules, tasks and toolbar buttons – which is usually the first sign users get that something is wrong. Opening these files shows random characters instead of legible text.
    • Note: More recent variants add an extension after encrypting, such as *.aaa, *.abc, *.cpinf or *.ZEPTO.
    • Note: More recent variants have also been known to encrypt Sage 100 ERP *.M4T data files as well as *.M4P and *.msi program files.

Additionally, inspect the “MAS90” directory and sub-directories to check for the existence of files purporting to offer instructions on how to pay a financial ransom in order to purchase a decryption program such as:

  • _2_HELP_INSTRUCTION.HTML
  • _220_HELP_INSTRUCTION.HTML
  • DECRYPT_INSTRUCTION.TXT
  • DECRYPT_INSTRUCTION.URL
  • DECRYPT_INSTRUCTION.HTML
  • HELP_DECRYPT.TXT
  • HELP_DECRYPT.HTML
  • HOW_DECRYPT.GIF
  • HOW_DECRYPT.HTML

Note: Files like BouncyCastle.Crypto.dll and SY_Crypto.pvc are standard program files within a Sage 100 ERP installation. They are not signs of a problem.
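As an added example (not code from the original post, from Sage or from Symantec), the following Python script walks a MAS90 tree read-only and reports the three indicators described above: the ransom-note filenames listed, files renamed with the extensions newer variants append, and *.TXT menu files whose contents are no longer legible text. The directory layout, sample file contents and the 80% printable-character threshold are constructed assumptions for the demonstration.

```python
import os
import tempfile

# Ransom-note names from the post, matched exactly (case-insensitively), so the legitimate
# BouncyCastle.Crypto.dll and SY_Crypto.pvc files never trip the check.
RANSOM_NOTES = {"_2_HELP_INSTRUCTION.HTML", "_220_HELP_INSTRUCTION.HTML", "DECRYPT_INSTRUCTION.TXT",
                "DECRYPT_INSTRUCTION.URL", "DECRYPT_INSTRUCTION.HTML", "HELP_DECRYPT.TXT",
                "HELP_DECRYPT.HTML", "HOW_DECRYPT.GIF", "HOW_DECRYPT.HTML"}
ENCRYPTED_EXTS = {".aaa", ".abc", ".cpinf", ".zepto"}  # extensions the post says newer variants append
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}  # printable ASCII plus tab/CR/LF

def looks_encrypted(data: bytes, threshold: float = 0.8) -> bool:
    """A Sage menu *.TXT file should be nearly all printable ASCII; the 80% cut-off is an assumption."""
    if not data:
        return False
    return sum(1 for b in data if b in PRINTABLE) / len(data) < threshold

def scan_mas90(root: str) -> dict:
    """Read-only walk of a MAS90 tree; returns each indicator type as a sorted list of relative paths."""
    findings = {"ransom_notes": [], "renamed_files": [], "garbled_text": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if name.upper() in RANSOM_NOTES:
                findings["ransom_notes"].append(rel)
            elif ext in ENCRYPTED_EXTS:
                findings["renamed_files"].append(rel)
            elif ext == ".txt":
                with open(path, "rb") as fh:  # the first 4 KiB is enough to judge legibility
                    if looks_encrypted(fh.read(4096)):
                        findings["garbled_text"].append(rel)
    return {k: sorted(v) for k, v in findings.items()}

def demo() -> dict:
    """Constructed MAS90 tree: a healthy menu file, a garbled one, a ransom note and a renamed data file."""
    root = tempfile.mkdtemp(prefix="mas90_demo_")
    os.makedirs(os.path.join(root, "MAS_SYSTEM"))
    sample = {  # every path and content below is constructed for the demo
        "menu_ok.txt": b"Accounts Receivable\r\nGeneral Ledger\r\n",
        "MAS_SYSTEM/menu_bad.txt": bytes(range(256)) * 4,
        "HELP_DECRYPT.TXT": b"Your files have been encrypted ...",
        "MAS_SYSTEM/GL_DATA.M4T.zepto": b"\x00" * 64,
    }
    for rel, data in sample.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(data)
    return scan_mas90(root)
```

Run `scan_mas90` against a copy of the real MAS90 folder to get the same three lists; a non-empty result is a cue to stop, isolate the server and reach for the most recent clean backup rather than keep working in the system.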

How Can I Prevent CryptoLocker Malware From Shutting Down My Accounting Department?

  • Make daily backups which you retain for two weeks
  • Segment your Sage 100 system from your network giving a 99.9% defense against inheriting a CryptoLocker infection on your Sage data.
  • Rotate 4 images of your Sage server
  • Locate accounting servers off-site away from your main network
  • Create an accounting environment where users cannot browse to an infected website or click on email attachments

Your Best Defense Against CryptoLocker?

The easiest way to implement the above suggestions is to take your Sage 100 accounting system and host it off-site on a secure network segregated from your primary network – essentially cloud hosting for Sage 100.

In most cases, because you are not sharing local resources with the rest of your company’s users, this results in a Sage 100 system that runs significantly faster and is more responsive than one hosted locally.

If you are not browsing the web, opening email or opening outside files on your hosted Sage 100 system then your chances of catching the CryptoLocker malware can go down by as much as 99%.

As a bonus, your hosted system is also available for you to access from your office, your home or by salespeople while on-the-road.

If expensive accounting downtime is something that you’re seeking to avoid – please join me for a 30 minute introduction to cloud hosting solutions. We’ll cover the pros and cons as well as answer questions about what Sage 100 enhancements work on a hosted platform.

Learn More: November 16, 2016 Webinar – Sage 100 Cloud Hosting

When: November 16, 2016 – 1:00 pm to 1:30 pm EST

Where: Online

Speakers:

  • Wayne Schulz – Schulz Consulting
  • Robert Eppele – GotoMyERP – Sage 100 Cloud Hosting

Filed Under: Sage 100 ERP Tagged With: cryptolocker, cryptowall, malware

Sage 100 ERP: How To Recover From Cryptowall and Cryptolocker Malware

June 16, 2014 by Wayne Schulz

I noticed Sage published knowledgebase instructions on how to recover from the Cryptowall malware – here’s the link for anyone who is impacted:

http://goo.gl/MLdN50

Here’s the Wikipedia article which discusses this malware ( http://en.wikipedia.org/wiki/CryptoLocker ).

As I posted earlier I had an end user down for 8 days (they are running 50+ companies in Sage 100) due to this malware.

Do not ignore this issue. This malware comes in via email. One user clicks and opens the attachment and the infection spreads to any drives they have access to from their desktop.

If you are not making complete backups of your server — you should begin today.

It’s not a terrible idea to have a redundant system in place. Some of my users have used the following procedure, which seems to work:

1. Regular backup – typically to tape or other media though cloud backup is becoming more popular.

Tip: Cryptowall / Cryptolocker will encrypt attached storage. It’s not generally safe to keep a USB drive attached permanently as a backup source.

2. Quick & dirty via removable USB drive – Don’t leave this attached but connect it and copy your \MAS90 and related folders. Then disconnect the USB. These drives are so cheap that you should pick up several and rotate them.

Tip: Staples had a 2 TB USB drive for $99. Granted, these are not enterprise-grade drives that will last years and years. However, something is better than nothing.

3. Online backup using either the business version of Carbonite or Mozy.

4. Third-party services which place an appliance at your office and can also quickly create an RDP-type connection should your on-site server become infected:
http://disaster-recovery-services.net/cloud-data-backup-solutions/

The cost of some of these solutions seems expensive until you consider that if you lose your data and have to re-create an AR aging, you’ll potentially lose at least that much in missed billing – and that’s not even counting the time lost while your employees sit idle.

We’ve reached the end of the casual “I thought you were backing up” and entered a time when you must be much more proactive about ensuring that you have a good recent backup.

Filed Under: Sage 100 ERP Tagged With: cryptolocker, cryptowall

Sage 100 Starts – But Menus Have Disappeared

June 13, 2014 by Wayne Schulz

If you are able to start your Sage 100 ERP accounting solution, but the menus are suddenly blank when you navigate to them, you should check that your system has not been infected by Cryptolocker malware.

This malware is transmitted typically by email attachments. Once a user opens and clicks the illicit file the program begins to encrypt certain files on your computer – and any connected drives. The only known cure is to restore from a backup or pay the ransom demanded by the malware authors.

Wikipedia describes the Cryptolocker malware as:

CryptoLocker is a ransomware trojan which targets computers running Microsoft Windows[1] and was first observed by Dell SecureWorks in September 2013.[2][3] A CryptoLocker attack may come from various sources; one such is disguised as a legitimate email attachment. When activated, the malware encrypts certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware’s control servers. The malware then displays a message which offers to decrypt the data if a payment (through either Bitcoin or a pre-paid voucher) is made by a stated deadline, and threatens to delete the private key if the deadline passes. If the deadline is not met, the malware offers to decrypt data via an online service provided by the malware’s operators, for a significantly higher price in Bitcoin.

Although CryptoLocker itself is readily removed, files remain encrypted in a way which researchers have considered infeasible to break. Many say that the ransom should not be paid, but do not offer any way to recover files; others say that paying the ransom is the only way to recover files that had not been backed up. Payment of the ransom may not result in the files being decrypted.

Newer variants under similar names, such as Cryptobit, Cryptowall and Cryptodefense are also known to exist.

We recommend that you educate staff against opening any file attachments received through email which they were not expecting. Many times these attachments have come disguised as delivery notices or voice mail files.

Another symptom that indicates you may have been exposed to this malware are various files which are left behind in your computer folders as shown below:

[Image: crypto – example of the files the malware leaves behind in a folder]

The only known defense against the Cryptolocker malware is a good backup. And remember that the malware can infect any drive attached to your server, so if you’re saving backups to a USB drive or to another connected drive, the backups may be no good when you need to restore.

Heavy duty solutions such as those offered by Ever Safe store your data off-site and in some instances also provide you with an appliance which sits in your office and can help you replicate any impacted servers within a short period of time.

Create a full system backup on a regular basis. This backup should not be onto a drive attached to – or accessible by – your network. If you are seeking a reliable solution for backup we recommend talking with the folks at Eversafe Backup who offer a solution that can mirror your server off-site and have you up and running within hours of an attack.

Please do NOT ignore the need for a solid backup plan. We recently had an end user who was offline for 8 full business days as they attempted to recover from this malware.

Filed Under: Sage 100 ERP, slider Tagged With: cryptolocker, eversafe backup, Virus
