Sage 100


OMG another customer hit with the crypto virus. I'

Jeff Schwenk 09-03-2015 09:21

Robert Wood 09-03-2015 09:40

  • 1.  OMG another customer hit with the crypto virus. I'

    Posted 09-03-2015 09:19
    OMG another customer hit with the crypto virus. I've been through the drill before but the problem is, their backup is a copy on the server so it is also encrypted. Do I reinstall and remigrate (guessing there will be bad files there) or just copy their company directory and recreate users, roles, forms (egads!!!), etc.?


  • 2.  RE: OMG another customer hit with the crypto virus. I'

    Posted 09-03-2015 09:21
    He says she should pay the $700 for the unlocking key.


  • 3.  RE: OMG another customer hit with the crypto virus. I'

    Posted 09-03-2015 09:21
    Hello IT department..............


  • 4.  RE: OMG another customer hit with the crypto virus. I'

    Posted 09-03-2015 09:22
    When was their last backup?? How many copies? Paying the bribe MIGHT be cheaper in the short run....


  • 5.  RE: OMG another customer hit with the crypto virus. I'

    Posted 09-03-2015 09:23
    Last night but it is simply to another directory on their same server. Paying will take 2-5 days according to her IT guy. She doesn't want to go that long.


  • 6.  RE: OMG another customer hit with the crypto virus. I'

    Posted 09-03-2015 09:24
    I've been "lucky" that our customers who get this have a BU somewhere else. I'd reinstall on another box and migrate the data. And, get him a better backup option. I don't think the issue with cryptovirus affects the Sage data (but it will affect the PaperlessOffice files, I believe).


  • 7.  RE: OMG another customer hit with the crypto virus. I'

    Posted 09-03-2015 09:26
    Yes, paperless PDFs are unreadable. I do not trust their IT guy at all. Have tried talking her into other firms but they are in a fairly small Wisconsin area and apparently, she feels he is the best (aka cheapest).


  • 8.  RE: OMG another customer hit with the crypto virus. I'

    Posted 09-03-2015 09:26
    I got around this by installing clean and copying everything from the old system manually and avoiding the crypto files. It worked but was so, so painfully manual.


  • 9.  RE: OMG another customer hit with the crypto virus. I'

    Posted 09-03-2015 09:28
    I'm not sure they have another box. How do you know if the virus itself has been removed, i.e. will it repeat itself?? They were hit by a workstation who opened what she thought was a resume.


  • 10.  RE: OMG another customer hit with the crypto virus. I'

    Posted 09-03-2015 09:28
    You get what you pay for with flip-flops is one thing - you get what you pay for with IT is a whole 'nothing thing.


  • 11.  RE: OMG another customer hit with the crypto virus. I'

    Posted 09-03-2015 09:33
    Yes, if the backup is on the same devices it is likely that those will be damaged too. The best way to test this is in isolation - can I offer you a sandbox environment to try and recover?


  • 12.  RE: OMG another customer hit with the crypto virus. I'

    Posted 09-03-2015 09:38
    Attached is the document given to me by Sage as my client was hit on Tuesday.

    Attachment(s): CryptoWall_Virus.docx (22 KB)


  • 13.  RE: OMG another customer hit with the crypto virus. I'

    Posted 09-03-2015 09:39
    Wait! The backup is on the same server? Sounds like the IT guy should be paying the $700 and more.


  • 14.  RE: OMG another customer hit with the crypto virus. I'

    Posted 09-03-2015 09:40
    @BethBowers that may be my new motto.


  • 15.  RE: OMG another customer hit with the crypto virus. I'

    Posted 09-03-2015 09:58
    @RobertWood - well it would be a good motto if I had spelled 'nother correctly instead of 'nothing.


  • 16.  RE: OMG another customer hit with the crypto virus. I'

    Posted 09-03-2015 10:06
    Has anyone ever actually paid the money? If so, does it work? And do they re-target you because you paid?? One more question - how quickly is the response? TIA.


  • 17.  RE: OMG another customer hit with the crypto virus. I'

    Posted 09-03-2015 10:07
    I've heard from a couple of IT guys that paying the ransom doesn't always work. Sometimes they get the unlocking info and sometimes not. In most instances where I've dealt with it, I've installed to a new location and copied unencrypted files over. I believe in one instance I was just able to go the "reinstall" route and it worked great. Obviously paperless files had to be restored.


  • 18.  RE: OMG another customer hit with the crypto virus. I'

    Posted 09-03-2015 10:09
    I had one client considering paying it but they ended up not. They didn't have a backup for 8 months. :( In their case they talked with the bank about getting an account just for that one transaction so it could be closed right away and had lawyers involved as well. I ended up installing new and brought things over in pieces. That one was awful.


  • 19.  RE: OMG another customer hit with the crypto virus. I'

    Posted 09-03-2015 10:10
    Their IT guy said 95% of the time it is effective but I'm doubting that. I asked him why the backup was on the same server and he said they are on separate disks but he can't find them. In his defense, they aren't on a maintenance plan with them so he set them up but doesn't monitor backups, etc.


  • 20.  RE: OMG another customer hit with the crypto virus. I'

    Posted 09-03-2015 10:11
    How quickly @BethBowers and did they get hit again?


  • 21.  RE: OMG another customer hit with the crypto virus. I'

    Posted 09-03-2015 10:11
    I had a client pay the money and it worked out for them.


  • 22.  RE: OMG another customer hit with the crypto virus. I'

    Posted 09-03-2015 10:19
    I think it was very quickly and they did not get hit again


  • 23.  RE: OMG another customer hit with the crypto virus. I'

    Posted 09-03-2015 12:12
    It's a matter of how quickly. Usually you're more likely to be targeted again if you don't pay. The folks doing this aren't stupid. BTW, most of the crypto viruses use code created by the US Gov't in Stuxnet, which they used to target Iranian nuclear reactors.


  • 24.  RE: OMG another customer hit with the crypto virus. I'

    Posted 09-03-2015 12:31
    One page of plain text becomes a thousand pages of gobbledygook..no, wait, that's the congressional virus...


  • 25.  RE: OMG another customer hit with the crypto virus. I'

    Posted 09-03-2015 12:43
    Since they have no backup, they are going to go with paying the ransom. I talked with an IT guy I actually trust and he said the virus makes a copy of the original files then encrypts the copies and deletes the originals. He said if you're going to pay the ransom, make sure to have all Windows updates installed and make sure the offending machine is uninfected (disinfected?) to decrease the risk of reinfection. Unfortunately, she is still on XP. I told her to get a new machine so that when/if this is cleaned up, she is up to date. She is also thinking of switching IT firms - yay!!


  • 26.  RE: OMG another customer hit with the crypto virus. I'

    Posted 09-03-2015 12:46
    @RobertaChase at CompuData has a Cloud IT Solution if you are interested. May be the perfect situation for a small remote client that needs reliable Server(s), Backups, and Monitoring for a fair price.


  • 27.  RE: OMG another customer hit with the crypto virus. I'

    Posted 09-03-2015 13:01
    @ThereseLogeais XP? Adding insult to injury. Have they identified the email and deleted it or quarantined it?


  • 28.  RE: OMG another customer hit with the crypto virus. I'

    Posted 09-03-2015 13:02
    www.eversafe-backup.com is the perfect solution for this (before you are hit). The problem with Crypto is that it finds all shares on the network and encrypts them so if you have your backups somewhere on the network improperly secured, they will get encrypted as well. When I wrote this a while back, I didn't realize how popular it would be but I get a ton of hits. You have about a 50/50 chance of the paid unlock working. Depends on which organization hit you, if their payment gateway has been shut down yet etc. They could be getting a variant where the creators were shut down a year ago but the virus keeps floating around.


  • 29.  RE: OMG another customer hit with the crypto virus. I'

    Posted 09-03-2015 13:02
    Yes, they have. First she said she was on Windows 98. Really? Don't you mean XP?


  • 30.  RE: OMG another customer hit with the crypto virus. I'

    Posted 09-03-2015 13:02
    http://www.clientsfirst-us.com/blog/partners-perspective/urgent-cryptolocker-security-threat-possibly-worst-malware-ever/


  • 31.  RE: OMG another customer hit with the crypto virus. I'

    Posted 09-03-2015 13:08
    Even with a traditional backup, you likely have to rebuild the server from scratch, reinstall Sage, wait hours/days for MS updates to complete, etc etc. Down time is probably 2 days or more. This is why the only way to go for a business is true snapshot virtualization (like Eversafe), this way there is 0 downtime, and getting the original server 'back together' is < 1 hour versus days (and many thousands in professional services fees and overtime fees)


  • 32.  RE: OMG another customer hit with the crypto virus. I'

    Posted 09-03-2015 15:12
    Thanks, @MadelineStefanou. We work with a number of Sage (and other resellers) to provide clients with backups, data recovery, cloud and remote IT services. We work directly with your customer or we can be transparent. You can contact me or go to our website www.compudata.com for more information.


  • 33.  RE: OMG another customer hit with the crypto virus. I'

    Posted 09-03-2015 15:15
    Thanks @MadelineStefanou and @RobertaChase and @MarkChinsky - always nice to have options.