Sage 100

  • 1.  I have a client who was infected yesterday with a

    Posted 09-13-2012 08:10
    I have a client who was infected yesterday with a Ransomware virus that supposedly encrypted about 90% of the files on the server including their MAS 90 Data. Unfortunately, this client handles their own network infrastructure and backups. It appears the last usable backup was in June. It is my understanding from a couple different sources that the Ransomware actually archives the files it attacks in an RAR archive and then creates new files that appear to be encrypted. At present, the client is planning on restoring the June backup and re-entering from paper. Has anyone had any experience with this kind of virus?


  • 2.  RE: I have a client who was infected yesterday with a

    Posted 09-13-2012 09:27
    I have seen something like this on a client. The files were not actually zipped or archived, just had the extension changed. The person cleaning used old style DOS commands to change it back.


  • 3.  RE: I have a client who was infected yesterday with a

    Posted 09-13-2012 11:38
    I spoke with our network administrator and he suggested starting the server in safe mode and running a product called Malwarebytes. May have to run it multiple times. This could be a place to start.


  • 4.  RE: I have a client who was infected yesterday with a

    Posted 09-13-2012 12:37
    Thanks for the replies. We have used Malwarebytes many times with good success. I believe the client's IT person may have tried that but was able to get control again by following procedures published for this specific ransomware (accdfisa protection program 4th variant) that required removal of certain files and registry entries. Renaming the data files did not make them usable and he was unable to make other instructions he had on file recovery work either. Currently they have their June backup restored and have a team working on reconstruction. If it was up to me, I would likely have applied more effort at data recovery. I would also have wanted the machine OS reinstalled from scratch on a clean hard drive prior to any data restore.
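
Added example, not part of any post in this thread: the replies disagree on whether the affected files were packed into RAR archives, merely renamed, or actually encrypted, and a content-based triage of a copy of the data settles that before choosing a recovery path. The function names, the short list of known formats and the 7.5 bits/byte entropy threshold are assumptions made for this sketch; the self-extractor check (an `MZ` executable carrying a RAR marker) goes beyond what the thread describes.

```python
import math
import os

RAR_MARK = b"Rar!\x1a\x07"  # common prefix of the RAR 4.x and 5.x signatures
KNOWN = {                    # a few formats a renamed-only file would still show
    b"PK\x03\x04": "zip/ooxml",
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2 (doc/xls)",
}

def entropy(data):
    """Shannon entropy in bits per byte (8.0 looks like random data)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify(path, window=1 << 20):
    """Return a verdict for one file from its content, ignoring the extension."""
    with open(path, "rb") as fh:
        head = fh.read(window)
    if head.startswith(RAR_MARK):
        return "rar archive"
    if head.startswith(b"MZ") and RAR_MARK in head:
        return "rar self-extractor"
    for magic, name in KNOWN.items():
        if head.startswith(magic):
            return "intact " + name + " (renamed only)"
    if entropy(head) > 7.5:  # assumed threshold, tune on known-good samples
        return "high entropy (encrypted or compressed)"
    return "unrecognised, low entropy (possibly intact data)"

def triage(root):
    """Walk a directory tree and map each file path to its verdict."""
    return {os.path.join(d, f): classify(os.path.join(d, f))
            for d, _, files in os.walk(root) for f in files}

if __name__ == "__main__":
    import sys
    for path, verdict in sorted(triage(sys.argv[1]).items()):
        print(verdict, path, sep="\t")
```

Run it against a read-only copy or disk image of the affected share rather than the live server, so the evidence and any recoverable files are left untouched.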