NOTE: This article deals with computer viruses/malware. As they are constantly evolving and changing, this information is subject to change or may be out of date.
This information is provided as a guide for dealing with common scenarios we have seen, but your situation may differ. Diagnosis, removal and recovery from a malware attack are outside the scope of MIP support.
Cryptolocker is a computer virus that is usually spread through infected email attachments. When it is activated it goes through the infected system and encrypts the files it deems valuable, which makes those files inaccessible. Users usually get a warning that unless they pay a ransom their files will be deleted after a certain time.
How do I know if I have been affected by Cryptolocker?
Getting the ransom screen is a sure sign that you have been infected, but that doesn't always happen. Within MIP the problem first manifests itself as some type of SQL connection error.
A number of things unrelated to the virus can also cause this error message.
The first thing you should do is go to the machine that is the SQL server and launch the software there. If SQL Server is running and you still get this message, navigate to the MIP SHARE folder on your server. In that folder, open the "SQL Scripts" sub folder and scroll through the contents. Look for files that say "Decrypt Instructions".
If you see the above files, then you have been infected by Cryptolocker.
As of 2015 we have also seen files such as those below in the MIP Share directory:
And the SqlScript directory within the Share directory had files with alphanumeric names all created within minutes of each other:
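The two file-system checks described above can be automated. The following PowerShell function is an added example and is not part of the original MIP article or the MIP product: it looks in the "SQL Scripts" subfolder of the MIP Share for "Decrypt Instructions" files and for groups of files with purely alphanumeric names created within a few minutes of each other. The share path, the five-minute window and the group size of five are assumptions; adjust them to your environment. The function reads only directory metadata and never opens a file.

```powershell
# Added example, not from the MIP article. Scans a MIP Share folder for the indicators
# described above. Share path, time window and group size are assumed values.
function Find-MipShareRansomIndicators {
    param(
        [Parameter(Mandatory)] [string] $SharePath,   # e.g. '\\SERVER\MIP Share' (hypothetical)
        [int] $BurstWindowMinutes = 5,                # assumed: "within minutes of each other"
        [int] $BurstMinimumFiles  = 5                 # assumed: how many files make a burst
    )

    $scriptsDir = Join-Path -Path $SharePath -ChildPath 'SQL Scripts'
    if (-not (Test-Path -LiteralPath $scriptsDir -PathType Container)) {
        Write-Warning "SQL Scripts folder not found under '$SharePath'."
        return
    }

    $results = New-Object System.Collections.Generic.List[object]

    # Indicator 1: ransom-note files named "Decrypt Instructions" (any extension: .txt, .html, ...).
    Get-ChildItem -LiteralPath $scriptsDir -File -Filter 'Decrypt Instructions*' | ForEach-Object {
        $results.Add([pscustomobject]@{
            Indicator = 'RansomNote'
            Path      = $_.FullName
            Created   = $_.CreationTime
            Count     = 1
        })
    }

    # Indicator 2: a burst of files whose base names are purely alphanumeric (no spaces,
    # dashes or underscores), all created within a few minutes of each other. Legitimate
    # scripts can match too, so treat a hit as a prompt for manual review, not as proof.
    $candidates = Get-ChildItem -LiteralPath $scriptsDir -File |
        Where-Object { $_.BaseName -match '^[A-Za-z0-9]+$' } |
        Sort-Object -Property CreationTime

    $window = [TimeSpan]::FromMinutes($BurstWindowMinutes)
    $burst  = New-Object System.Collections.Generic.List[object]

    # Records the current group if it is large enough, then empties it.
    $flush = {
        if ($burst.Count -ge $BurstMinimumFiles) {
            $results.Add([pscustomobject]@{
                Indicator = 'AlphanumericBurst'
                Path      = ($burst | ForEach-Object { $_.Name }) -join ', '
                Created   = $burst[0].CreationTime
                Count     = $burst.Count
            })
        }
        $burst.Clear()
    }

    foreach ($file in $candidates) {
        # Start a new group when the gap to the previous file exceeds the window.
        if ($burst.Count -gt 0 -and
            ($file.CreationTime - $burst[$burst.Count - 1].CreationTime) -gt $window) {
            & $flush
        }
        $burst.Add($file)
    }
    & $flush

    return $results
}

# Usage:
# Find-MipShareRansomIndicators -SharePath '\\SERVER\MIP Share' | Format-Table -AutoSize
```

Each returned object names the indicator, the file (or the list of files in a burst) and the creation time, so the output can be kept as a record of what was found before the machine is disconnected from the network.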
If you have been infected on one machine, your entire network is at risk. It would be a good idea to disconnect this machine from the network until the situation is dealt with. Otherwise you risk spreading the infection, particularly if you have employees with laptops that connect to and disconnect from your network.
How do I get MIP up and running after I have been infected?
Most customers who have been affected by this handle it in one of three ways:
1) If they have good backups of the server machine, they simply restore to a point prior to infection.
2) Install the software on a new server and copy the important files over.
3) Back the important files up, reformat the existing server, install the software and restore the files.
What are the important files?
The critical files are the same ones you would back up as if you were following the instructions for moving servers (KB 876). They are:
Financial Databases – If you have a regular backup system in place, you can use the backups it creates. If not, you can log into SQL Server Management Studio and back your databases up through that application (right-click the database > Tasks > Back Up). You will want to back up the regular databases as well as the database called NPSSQLSYS, which contains the users, passwords and permissions.
Custom Formats – If you have custom check formats, you will want to back those up as well. KB#5886 discusses how to find and move the custom formats. NOTE: It is possible that Cryptolocker has encrypted your custom formats. If that is the case, you will not be able to recover them unless you have a backup.
Attachments – If you use attachments, you may need to move your attachments. KB#7206 discusses how to do this. NOTE: It is possible that Cryptolocker has encrypted your attachments. If that is the case, you will not be able to recover them unless you have a backup.
Other Applications – Some customers have third-party applications that access MIP data (timesheets, Crystal Reports, Microix or other reporting tools). You will want to consult someone familiar with those integrations to see what, if anything, is required for them.
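The database backup described under Financial Databases above can also be scripted. The following PowerShell function is an added example, not code from the MIP article or the MIP product: it uses the sqlcmd command-line utility that ships with SQL Server to back up every user database, which includes NPSSQLSYS, to a folder of your choosing and then verifies each backup file. The instance name and the destination folder are assumptions. The destination should be the "secure location" the article calls for, i.e. somewhere the infected machine cannot write to.

```powershell
# Added example, not from the MIP article. Backs up all user databases (NPSSQLSYS included)
# with sqlcmd, then verifies each backup file. Instance name and destination are assumed.
function Backup-MipDatabases {
    param(
        [string] $SqlInstance = '.\MIPSQL',          # hypothetical instance name
        [string] $BackupRoot  = 'E:\MIP-Recovery',   # hypothetical destination, not the MIP Share
        [string] $Stamp       = (Get-Date -Format 'yyyyMMdd_HHmm')
    )

    if (-not (Get-Command sqlcmd -ErrorAction SilentlyContinue)) {
        throw 'sqlcmd.exe was not found on the PATH; run this on the SQL Server machine.'
    }
    New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

    # database_id 1-4 are master, tempdb, model and msdb; everything else is a user database,
    # so the MIP organization databases and NPSSQLSYS are all included.
    $query = 'SET NOCOUNT ON; SELECT name FROM sys.databases WHERE database_id > 4 AND state_desc = ''ONLINE'';'
    $databases = & sqlcmd -S $SqlInstance -E -h -1 -W -Q $query |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ }
    if ($LASTEXITCODE -ne 0) { throw "Could not list databases on $SqlInstance." }

    $report = foreach ($db in $databases) {
        $safeName = $db -replace '\]', ']]'          # escape ] inside a [bracketed] identifier
        $file     = Join-Path -Path $BackupRoot -ChildPath ('{0}_{1}.bak' -f $db, $Stamp)

        # WITH CHECKSUM writes page checksums so RESTORE VERIFYONLY can detect a damaged file.
        $backup = "BACKUP DATABASE [$safeName] TO DISK = N'$file' WITH INIT, CHECKSUM, STATS = 25;"
        & sqlcmd -S $SqlInstance -E -b -Q $backup | Out-Null
        $backupOk = ($LASTEXITCODE -eq 0)

        $verifyOk = $false
        if ($backupOk) {
            & sqlcmd -S $SqlInstance -E -b -Q "RESTORE VERIFYONLY FROM DISK = N'$file' WITH CHECKSUM;" | Out-Null
            $verifyOk = ($LASTEXITCODE -eq 0)
        }

        [pscustomobject]@{ Database = $db; File = $file; BackedUp = $backupOk; Verified = $verifyOk }
    }
    return $report
}

# Usage:
# Backup-MipDatabases -SqlInstance 'SERVER\MIPSQL' -BackupRoot 'E:\MIP-Recovery' | Format-Table -AutoSize
```

The report lists each database with whether the backup and the verification succeeded; any row with Verified set to False should be redone before the server is reformatted, because a backup that fails RESTORE VERIFYONLY may not restore later.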
After the important files have been saved to a secure location (and scanned to make sure they are not infected), you will need to install the MIP software.
If you are installing on a new or reformatted server, you will need to install SQL Server first, then install the application, and then restore the database. Consult the installation guide for the version you were on for any instructions or tips.
After you have reinstalled the MIP software, you can restore your databases through the Administration module (even if the backups were made through Management Studio) and follow the KB articles for restoring your custom formats and attachments if needed.