If you can start your Sage 100 ERP accounting solution but find that the menus are suddenly blank when you navigate to them, check that your system has not been infected by Cryptolocker malware.
This malware is typically transmitted by email attachments. Once a user opens and clicks the illicit file, the program begins to encrypt certain files on your computer and on any connected drives. The only known cure is to restore from a backup or pay the ransom demanded by the malware authors.
Wikipedia describes the Cryptolocker malware as:
CryptoLocker is a ransomware trojan which targets computers running Microsoft Windows and was first observed by Dell SecureWorks in September 2013. A CryptoLocker attack may come from various sources; one such is disguised as a legitimate email attachment. When activated, the malware encrypts certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware’s control servers. The malware then displays a message which offers to decrypt the data if a payment (through either Bitcoin or a pre-paid voucher) is made by a stated deadline, and threatens to delete the private key if the deadline passes. If the deadline is not met, the malware offers to decrypt data via an online service provided by the malware’s operators, for a significantly higher price in Bitcoin.
Although CryptoLocker itself is readily removed, files remain encrypted in a way which researchers have considered infeasible to break. Many say that the ransom should not be paid, but do not offer any way to recover files; others say that paying the ransom is the only way to recover files that had not been backed up. Payment of the ransom may not result in the files being decrypted.
Newer variants under similar names, such as Cryptobit, Cryptowall and Cryptodefense are also known to exist.
We recommend that you educate staff against opening any file attachments received through email which they were not expecting. Many times these attachments have come disguised as delivery notices or voice mail files.
Another symptom that indicates you may have been exposed to this malware is the presence of various files left behind in your computer folders, as shown below:
The only known defense to the Cryptolocker malware is a good backup. Remember that the malware can infect any drive attached to your server, so if you’re saving backups to a USB drive or to another connected drive, the backups may be no good when you need to restore.
Heavy-duty solutions such as those offered by Ever Safe store your data off-site and, in some instances, also provide you with an appliance that sits in your office and can help you replicate any impacted servers within a short period of time.
Create a full system backup on a regular basis. This backup should not be onto a drive attached to – or accessible by – your network. If you are seeking a reliable solution for backup we recommend talking with the folks at Eversafe Backup who offer a solution that can mirror your server off-site and have you up and running within hours of an attack.
Please do NOT ignore the need for a solid backup plan. We recently had an end user who was offline for 8 full business days as they attempted to recover from this malware.