Symptom:
NOTE: This article deals with computer viruses/malware. As they are constantly evolving and changing, this information is subject to change or may be out of date.
This information is provided as a guide for dealing with common scenarios we have seen, but your situation may differ. The diagnosis of, removal of and recovery from a malware attack are outside the scope of MIP support.
Cryptolocker is a computer virus that is usually spread through infected email attachments. When it is activated, it goes through the infected system and encrypts the files it deems valuable, which makes those files inaccessible. Users usually get a warning that unless they pay a ransom their files will be deleted after a certain time.
How do I know if I have been affected by Cryptolocker?
Getting the ransom screen is a sure sign that you have been infected. But that doesn’t always happen. Within MIP the problem first manifests itself as some type of SQL connection error.

A number of things that are not virus related can also cause this error message.
Cause:
The first thing you should do is go to the machine that is the SQL server and launch the software there. If SQL Server is running and you still continue to get this message, navigate to the MIP SHARE folder on your server. In that folder, open the “SQL Scripts” subfolder and scroll through the contents. Look for files that say “Decrypt Instructions”.

If you see the above files, then you have been infected by Cryptolocker.
As of 2015 we have also seen files such as those below in the MIP Share directory:

And the SqlScript directory within the Share directory had files with alphanumeric names all created within minutes of each other:
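The two checks described above (files named “Decrypt Instructions”, and alphanumeric-named files all created within minutes of each other) can be scripted. This is an added example, not MIP code; the 10-minute window, the minimum cluster size of 5 and the exact definition of an “alphanumeric name” are assumptions.

```python
import re
from pathlib import Path

# Ransom-note name taken from the article ("Decrypt Instructions").
NOTE_RE = re.compile(r"decrypt[\s_-]*instructions", re.IGNORECASE)
# Assumption: "alphanumeric name" = stem of only letters and digits, with both present.
ALNUM_RE = re.compile(r"(?=.*[A-Za-z])(?=.*\d)[A-Za-z0-9]+")
WINDOW_SECONDS = 600   # assumption for "within minutes of each other"
MIN_BURST = 5          # assumption: smallest cluster worth flagging


def find_burst(entries, window=WINDOW_SECONDS, min_count=MIN_BURST):
    """entries: iterable of (name, created_epoch). Return the largest group of
    alphanumeric-named files created within `window` seconds, or []."""
    hits = sorted((ts, name) for name, ts in entries
                  if ALNUM_RE.fullmatch(Path(name).stem))
    best, start = [], 0
    for end in range(len(hits)):
        # Slide the window start forward until the span fits in `window`.
        while hits[end][0] - hits[start][0] > window:
            start += 1
        if end - start + 1 > len(best):
            best = hits[start:end + 1]
    return [name for _, name in best] if len(best) >= min_count else []


def find_notes(names):
    """Return names that look like the ransom note described in the article."""
    return [n for n in names if NOTE_RE.search(n)]


def scan(folder):
    """Collect (name, creation time) for every file under `folder` and triage it."""
    entries = []
    for p in Path(folder).rglob("*"):
        if p.is_file():
            st = p.stat()
            # st_birthtime where the platform has it; st_ctime is creation time on Windows.
            entries.append((p.name, getattr(st, "st_birthtime", st.st_ctime)))
    return {"notes": find_notes([n for n, _ in entries]), "burst": find_burst(entries)}


if __name__ == "__main__":
    import sys
    result = scan(sys.argv[1])   # e.g. the "SQL Scripts" folder inside the MIP Share
    print("Ransom notes:", result["notes"] or "none found")
    print("Suspicious burst:", result["burst"] or "none found")
```

Run it from a machine that is not suspected of infection, against a read-only view of the share where possible; an empty result does not rule out infection.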

Resolution:
If you have been infected on one machine your entire network is at risk. It would be a good idea to disconnect this machine from the network until the situation is dealt with. Otherwise you risk spreading the infection, particularly if you have employees with laptops that connect and disconnect from your network.
How do I get MIP up and running after I have been infected?
Most customers who have been affected by this handle it in one of three ways:
1) If they have good backups of the server machine, they simply restore to a point prior to infection.
2) Install the software on a new server and copy the important files over.
3) Back the important files up, reformat the existing server, install the software and restore the files.
What are the important files?
The critical files are the same ones you would back up as if you were following the instructions for moving servers (KB 876). They are:
Financial Databases – If you have a regular backup system in place you can use the backups it creates. If not, you can log into SQL Studio Manager and back your databases up through that application (Right click on the database>Tasks>Backup). You will want to back up the regular databases as well as the database called NPSSQLSYS. The NPSSQLSYS database contains the users, passwords and permissions.
Custom Formats – If you have custom check formats you will want to back those up as well. KB#5886 discusses how to find and move the custom formats. NOTE: It is possible that Cryptolocker may have encrypted your custom formats. If that is the case you will not be able to recover them unless you have a backup.
Attachments – If you use attachments you may need to move your attachments. KB#7206 discusses how to do this. NOTE: It is possible that Cryptolocker may have encrypted your attachments. If that is the case you will not be able to recover them unless you have a backup.