CryptoLocker and Microsoft Dynamics GP

CryptoLocker is the boogeyman of the IT world.  It is a silent predator until a file you open comes back unreadable.  It affects a multitude of programs, and Microsoft Dynamics GP is one of them.  Typically, when a computer that has Microsoft Dynamics GP installed falls victim to CryptoLocker, GP fails to launch with an error stating that the dictionary is not loaded.  What has happened is that the file at your Reports Dictionary location (the REPORTS.DIC path listed in the Dynamics.set launch file) has been encrypted, and GP will not launch with an encrypted dictionary.

What CryptoLocker means for your Microsoft Dynamics GP data depends on your setup and on how prepared you are for it.  Three common situations:

  1. Your Microsoft Dynamics GP data is stored on a dedicated SQL Server with limited access, meaning the SQL Server is separate from the desktops and Terminal Servers.  This minimizes the risk of the malware reaching your SQL Server: CryptoLocker encrypts the files the infected user can write to on local and mapped drives, and the database files on a locked-down server are not among them.
  2. Businesses that do not lock down access to their SQL Server, or do not run it on a separate machine, are a different story.  Some companies run SQL Server Express and Microsoft Dynamics GP on the same computer with an external hard drive backup plugged into it.  This is the most vulnerable setup, because CryptoLocker will encrypt everything the user has access to, the attached backup drive included.
  3. If a user gets CryptoLocker on their local desktop and remotes into a Terminal Server, you typically will not see the malware on the Terminal Server.  This depends on what the user's account can write to on the network, for example shares on the Terminal Server that the desktop has mapped.

Steps to take once you realize you have CryptoLocker. 
Once CryptoLocker is discovered there are several steps that I take.

  1. I disconnect all network drives and remove the computer from the network.
  2. I then check the network locations for any damage and see what needs to be restored from a backup.
  3. Verify that the user is not a domain administrator.  If they are, you need to check the entire network to see what the damage may be.
  4. Check all computers on the network for variations of the CryptoLocker files.  Depending on the size of the network, I ask managers to help go from computer to computer to locate all possible infections.
  5. Analyze the problem.  It is imperative to analyze the damage done by CryptoLocker.  Where you find the malware may not be where it originated.  Several newer variations of CryptoLocker have become more capable and spread across networks on their own by guessing simple passwords.  The original CryptoLocker also recorded every file it encrypted under HKEY_CURRENT_USER\Software\CryptoLocker\Files on the infected machine, which gives you a starting list for the restore.
  6. Isolate the malware and then create your plan of action to remove it from your network.  You can run scans to remove the malware and, once it is removed, put the computer back on the network.  I like to use SUPERAntiSpyware, Malwarebytes and ESET Online Scanner.  In extreme cases, we had to do a complete wipe and reload of the OS.
  7. After the malware is removed from the network, you can proceed with restoring data from your backups.  You don't want to start restores until you can verify the malware is completely gone.  I made the mistake once of not doing this, and the malware encrypted the restored items while we were in the process of restoring the data.
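The following script is an added example written for this post; it is not code from the post, from Microsoft or from any vendor.  It automates two of the checks described above: the "dictionary is not loaded" diagnosis from the opening paragraph (are the dictionaries named in Dynamics.set still real files, or ciphertext?) and step 2 of the procedure (which files on a share or restored backup now look encrypted and must come from backup).  Everything it assumes is labelled: the Dynamics.set layout is written from memory, the 7.2 bits-per-byte entropy cut-off and the 64 KiB sample are heuristics, and the sample files in `demo()` are constructed, with random bytes standing in for encrypted content.

```python
"""CryptoLocker triage helper for a Dynamics GP network (added example, not from the post).

Two checks the post describes in prose:
  1. check_dictionaries(): are the dictionaries listed in Dynamics.set intact,
     missing, or near-random (i.e. encrypted)?
  2. triage_share(): walk a share or restored tree and list the files that now
     look like ciphertext, so the restore list is explicit.

Assumptions (not from the post): the Dynamics.set layout in parse_dynamics_set()
is from memory; HIGH_ENTROPY and SAMPLE_BYTES are heuristics.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

HIGH_ENTROPY = 7.2       # bits/byte; documents, text and dictionary data sit well below this (assumption)
SAMPLE_BYTES = 64 * 1024  # only the head of each file is read, which is enough to spot ciphertext
MIN_SIZE = 1024          # below this the entropy estimate is too noisy to trust


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is perfectly random, which is what AES output looks like."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path) -> bool:
    """First pass only: a file whose head is near-random is almost certainly ciphertext.
    A clean copy from install media or backup (size, hash) is the authoritative reference."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    return len(head) >= MIN_SIZE and shannon_entropy(head) >= HIGH_ENTROPY


def parse_dynamics_set(text: str) -> list:
    """Return the dictionary paths in a Dynamics.set launch file as 'C:/dir/file' strings.
    Layout assumed (from memory): product count, then an id/name line pair per product,
    then the word 'Windows', then one ':C:dir/file' line per dictionary."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    count = int(lines[0])
    body = lines[1 + 2 * count:]
    if not body or body[0] != "Windows":
        raise ValueError("unexpected Dynamics.set layout")
    paths = []
    for ln in body[1:]:
        if ln.startswith(":"):
            drive, _, rest = ln[1:].partition(":")   # ':C:Program Files/...' -> 'C:/Program Files/...'
            paths.append(f"{drive}:/{rest}")
    return paths


def check_dictionaries(set_text: str, locate=Path) -> dict:
    """Map each dictionary path from Dynamics.set to 'ok', 'missing' or 'encrypted?'.
    `locate` turns the Windows path string into a Path; the default is fine on the GP
    workstation, and demo() substitutes a mapping into a temporary directory."""
    status = {}
    for win_path in parse_dynamics_set(set_text):
        p = locate(win_path)
        if not p.is_file():
            status[win_path] = "missing"
        elif looks_encrypted(p):
            status[win_path] = "encrypted?"
        else:
            status[win_path] = "ok"
    return status


def triage_share(root: Path) -> dict:
    """Walk a share or restored tree and bucket every file by whether it looks encrypted."""
    report = {"encrypted?": [], "ok": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            key = "encrypted?" if looks_encrypted(p) else "ok"
            report[key].append(p.relative_to(root).as_posix())
    for bucket in report.values():
        bucket.sort()
    return report


def demo():
    """Constructed sample: an intact Dynamics.dic, an 'encrypted' REPORTS.DIC, a missing FORMS.DIC."""
    root = Path(tempfile.mkdtemp())
    (root / "Data").mkdir()
    (root / "Dynamics.dic").write_bytes(b"Dexterity dictionary resources, structured text. " * 100)
    (root / "Data" / "REPORTS.DIC").write_bytes(os.urandom(4096))   # stands in for ciphertext
    set_text = "\n".join([
        "1", "0", "Microsoft Dynamics GP", "Windows",
        ":C:Program Files (x86)/Microsoft Dynamics/GP/Dynamics.dic",
        ":C:Program Files (x86)/Microsoft Dynamics/GP/Data/FORMS.DIC",
        ":C:Program Files (x86)/Microsoft Dynamics/GP/Data/REPORTS.DIC",
    ])
    # On the real machine use locate=Path; here the GP install folder is mapped onto the temp tree.
    locate = lambda s: root / s.split("/Microsoft Dynamics/GP/", 1)[1]
    return check_dictionaries(set_text, locate), triage_share(root)


if __name__ == "__main__":
    dictionaries, share = demo()
    print(dictionaries)
    print(share)
```

Run it from an admin workstation against the GP install folder and the restored share, not from the infected machine, and only after the cleanup in step 6 is done.  A dictionary reported as `encrypted?` should be replaced from install media or a known-good backup rather than repaired; the entropy test tells you which files to restore, not how to decrypt them.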