How to Restore Elliott from CryptoWall Ransomware Attack

In recent years, many Elliott users have been infected by CryptoWall ransomware or by similar ransomware families such as Locky. It is also often referred to, loosely, as the CryptoLocker virus or Crypto Locker. This kind of malware usually arrives through an email attachment. When an unsuspecting user opens the attachment, that user's workstation is infected.

HELP_DECRYPT Files
CryptoWall works by encrypting every "document" file that the user has rights to modify on local drives and on mapped network drives.  It cannot touch files that the user's account cannot write to, which is why the NTFS rights discussed later in this article matter.  It then leaves ransom notes describing how to pay in order to receive the instructions to decrypt your files.  In each folder where it successfully encrypts at least one file, it leaves the following four files.  See the sample screen below:
  • HELP_DECRYPT.URL
  • HELP_DECRYPT.HTML
  • HELP_DECRYPT.PNG
  • HELP_DECRYPT.TXT


CryptoWall Ransom Message
If you open any one of them, you will see the ransom note explaining how to pay in order to receive the instructions to decrypt your files.



It is not difficult to remove CryptoWall from a workstation once it has been detected.  You can look up on the Internet how to do this; it is not the intention of this document to explain how to remove the malware.  This document explains how CryptoWall affects Elliott Business Software and how you can restore Elliott to the way it was before the infection.

Files Encrypted by CryptoWall
CryptoWall encrypts the following types of files, selected by extension:
  • All files associated with Notepad: *.TXT, *.LOG, *.CSV
  • All Microsoft Office document files: *.DOC, *.DOCX, *.XLS, *.XLSX, etc.
  • All image files: *.JPG, *.PNG, *.BMP, etc.
  • All PDF files
  • All script files: *.BAT, *.SQL
  • All ZIP files
  • All BTR and DAT files: On 7/13/16 we noticed a variant of CryptoLocker that encrypts the *.BTR and *.DAT files in the Elliott DATA directory. Since these are Elliott's database files, the result is crippling if you do not have them backed up.  Check whether your BTR and DAT files are encrypted to decide whether you need to restore them.
The above is not a complete list of the files encrypted by CryptoWall. It is only what we have observed of how CryptoWall attacks Elliott folders.

How Do I Know if My BTR and DAT Files Are Affected by CryptoWall?
Depending on the variant of CryptoWall, the BTR and DAT files in your DATA folder may or may not be affected.  To confirm, use Windows Explorer to browse to your Elliott DATA folder.  If your BTR and DAT files have been renamed and show up as in the following, then they are affected.  See the sample screen below:



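The PowerShell script below, written for this article as an added example (it is not part of the Elliott knowledge base or of Elliott's own tooling), automates the inspection described in the two sections above: it finds every folder that received a ransom note, records who wrote the notes, and lists database files in the DATA folders that have been renamed or rewritten. It assumes the Elliott root is M:\Elliott7 (pass -ElliottRoot to change it), that you run it from a clean administrator workstation with read access to the share, and that the note names are the HELP_DECRYPT set listed earlier; add other names to $NoteNames if your variant uses different ones.

```powershell
# Added example, not Elliott code. Inventory ransomware damage under the Elliott root.
param(
    [string]$ElliottRoot = 'M:\Elliott7',          # assumed root; override with -ElliottRoot
    [datetime]$Since     = (Get-Date).AddDays(-1)  # start of the incident window (assumption)
)

$NoteNames = 'HELP_DECRYPT.URL', 'HELP_DECRYPT.HTML', 'HELP_DECRYPT.PNG', 'HELP_DECRYPT.TXT'

# 1. Every folder holding a ransom note had at least one file encrypted in it.
#    The note's NTFS owner is the account that created it, i.e. the infected user.
$notes = @(Get-ChildItem -Path $ElliottRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
           Where-Object { $NoteNames -contains $_.Name })
$hitFolders = @($notes | Select-Object -ExpandProperty DirectoryName -Unique)
$owners     = @($notes | ForEach-Object { (Get-Acl -Path $_.FullName).Owner } | Sort-Object -Unique)

# 2. Database files. In DATA and DATA_nn anything that is not *.BTR/*.DAT/*.BMP (and not a note)
#    is a renamed file from a newer variant; a BTR/DAT file rewritten inside the incident window
#    may have been encrypted in place by an older variant.
$dataDirs = @(Get-ChildItem -Path $ElliottRoot -Directory -Force |
              Where-Object { $_.Name -match '^DATA(_\d\d)?$' })
$renamed = @(); $rewritten = @()
foreach ($d in $dataDirs) {
    $files = @(Get-ChildItem -Path $d.FullName -File -Force)
    $renamed   += @($files | Where-Object {
                      $_.Extension -notin '.BTR', '.DAT', '.BMP' -and $NoteNames -notcontains $_.Name })
    $rewritten += @($files | Where-Object {
                      $_.Extension -in '.BTR', '.DAT' -and $_.LastWriteTime -gt $Since })
}

"Folders with ransom notes: $($hitFolders.Count)"
$hitFolders | ForEach-Object { "  $_" }
"Ransom-note owners (infected accounts): $($owners -join ', ')"
"Suspect renamed files in DATA folders: $($renamed.Count)"
$renamed   | ForEach-Object { "  $($_.FullName)" }
"BTR/DAT files rewritten since ${Since}: $($rewritten.Count)"
$rewritten | ForEach-Object { "  $($_.FullName)  $($_.LastWriteTime)" }
```

Have users log out of Elliott before relying on the "rewritten since" list: BTR files change legitimately during normal use, so set -Since to the start of the incident window rather than an arbitrary day. The owner of a ransom note is normally the quickest way to identify the infected user and, from there, the workstation; it is not conclusive if an administrator has taken ownership of the files since the attack.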
How Is Elliott Affected by CryptoWall?
It depends on the variant of CryptoWall.  Some of the latest ones we have seen encrypt all files, including EXE and DLL files and Elliott database files such as BTR and DAT.  This renders Elliott inoperable.  Older versions of CryptoWall attack only document files, and Elliott continues to run even after the infection.  If you are hit by one of the older versions, the following is a list of the files and folders that CryptoWall will attack.  You should restore them from your backup, even though they do not stop you from continuing to run Elliott:
  • <ElliottRoot>: *.DOC, *.PDF, *.TXT, *.LOG, *.BAT, *.CSV, *.BMP
  • <ElliottRoot>\APINV: *.PDF and all image files
  • <ElliottRoot>\CCSig: *.BMP
  • <ElliottRoot>\CONTRACT:
  • <ElliottRoot>\DATA: *.BMP, *.BTR and *.DAT (for the CryptoWall variant discovered on 7/13/2016)
  • <ElliottRoot>\DATA_02 - 99: *.BMP
  • <ElliottRoot>\DDF40: *.SQL
  • <ElliottRoot>\FIMAGES: all image files
  • <ElliottRoot>\FORMS: *.DOC
  • <ElliottRoot>\HELP: *.TXT
  • <ElliottRoot>\IMAGES: all image files
  • <ElliottRoot>\LOG: *.LOG
  • <ElliottRoot>\SOUND: *.WAV
  • <ElliottRoot>\SPEC: *.PDF
  • <ElliottRoot>\WAVE: *.WAV
<ElliottRoot> refers to the Elliott root directory, for example "M:\Elliott7".  Above is a list of the folders and files installed by Elliott that can be affected by CryptoWall.  If you have created additional folders and files in <ElliottRoot> and its sub-folders, then it is up to you to identify which of those files have been encrypted.

What Can We Do to Reduce the Impact of CryptoWall on Elliott?

Make Sure You Have a Good Backup
It is extremely important that you have a good backup.  If you do not have one, you may have little choice but to pay the ransom to get your files back.  Review your backup procedure, and verify that the backup is complete so that when the time comes to restore your files, you have them.  Do not just take someone's word for it.  We have seen many incidents where, when a restore was needed, the user found out that either the backup was not being done properly or the backup copy was old.  In one incident, even the backup copy was encrypted by CryptoWall: a backup that sits on a share the infected user can write to is just another folder to the ransomware, so keep at least one copy that ordinary user accounts cannot modify.  It may be a good idea to seek professional IT help in reviewing your backup procedure.
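The following PowerShell is an added example (not part of the Elliott knowledge base or of Elliott) of the backup verification this section asks for: it compares the live Elliott DATA folder with the most recent backup copy and reports database files that are missing from the backup, files whose backup copy lags the live file by more than a day, and ransom notes inside the backup itself. The live and backup paths are placeholders, and the lag check assumes your backup tool preserves file timestamps (robocopy and most backup products do).

```powershell
# Added example, not Elliott code. Verify that the backup copy of DATA is complete and current.
param(
    [string]$Live        = 'M:\Elliott7\DATA',          # assumed live DATA folder
    [string]$Backup      = '\\backupsrv\elliott\DATA',  # hypothetical path of the latest backup copy
    [int]$MaxLagHours    = 30                           # one daily backup plus slack (assumption)
)

$liveRoot = (Get-Item -Path $Live).FullName
$bakRoot  = (Get-Item -Path $Backup).FullName

# Index the backup by path relative to its root so live and backup files can be matched.
$bak = @{}
Get-ChildItem -Path $bakRoot -File -Recurse | ForEach-Object {
    $bak[$_.FullName.Substring($bakRoot.Length).TrimStart('\')] = $_
}

$missing = @(); $lagging = @()
$liveDb = @(Get-ChildItem -Path $liveRoot -File -Recurse | Where-Object { $_.Extension -in '.BTR', '.DAT' })
foreach ($f in $liveDb) {
    $rel = $f.FullName.Substring($liveRoot.Length).TrimStart('\')
    if (-not $bak.ContainsKey($rel)) { $missing += $rel; continue }
    # With preserved timestamps, a live file newer than its backup copy by more than $MaxLagHours
    # means the changes since then are not in any backup. If the tool stamps copies with the
    # backup time instead, this test simply never fires.
    $lag = ($f.LastWriteTime - $bak[$rel].LastWriteTime).TotalHours
    if ($lag -gt $MaxLagHours) { $lagging += "$rel (live is $([int]$lag) h newer)" }
}

# A backup that contains ransom notes was taken after the infection and is not a clean copy.
$infected = @(Get-ChildItem -Path $bakRoot -File -Recurse | Where-Object { $_.Name -like 'HELP_DECRYPT.*' })

"Live BTR/DAT files: $($liveDb.Count)   in backup: $($liveDb.Count - $missing.Count)"
"Missing from backup: $($missing.Count)";  $missing | ForEach-Object { "  $_" }
"Backup copy lagging:  $($lagging.Count)";  $lagging | ForEach-Object { "  $_" }
"Ransom notes found in backup: $($infected.Count)"
$infected | ForEach-Object { "  $($_.FullName)" }
```

Run this after each backup job, not only after an incident; the point of the section above is that the first time you test a backup should not be the day you need it. Keep the backup location on a share that the accounts used for day-to-day Elliott work cannot write to, so that the "ransom notes found in backup" count cannot become non-zero in the first place.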

Use a Hosted Email Service
Hosted email services such as Office 365 or Gmail may help reduce the risk of attack.  For those who host their own email server, such as Exchange, and depend on anti-virus software to catch this malware, that is usually not sufficient: CryptoWall evolves so quickly that anti-virus definitions cannot be updated fast enough to be effective.

Educate Your Users
Educate your users not to open attachments in an email unless it is from someone they know.  Even if the attachment is from someone they know, they have to consider whether the context of the email makes sense.  If the context does not make sense, do not open it.  Call the party who sent the email and verify that it is authentic.  You can also forward the email to your smartphone and open the attachment there; as far as we know, CryptoWall does not attack smartphone devices, since its payload is a Windows program.  This only protects against the Windows payload: a link in the message that asks the user to enter a password is just as dangerous on a phone.

Strong User Password Policy
We have seen ransomware arrive through a remote desktop login that was obtained by "brute force" password guessing.  This makes users with weak passwords vulnerable.  If you allow remote users to log in through remote desktop, set up a password policy that requires a password length of at least 8 characters mixing uppercase, lowercase, numbers and special characters.  Pair this with an account lockout threshold so that a guessing attack is cut off after a handful of failed attempts; without lockout, a longer password only slows the attacker down.

Firewall Security
If you allow users to log in through remote desktop, you should limit the source IP address range.  A common mistake is that, because the remote user does not have a static IP address, IT simply allows all IP addresses to connect to remote desktop.  This leaves your network open to a brute force remote desktop attack.  Consider the following practices:
  • Ask your user to get a static IP address so you can limit remote desktop access to that address.  The downside is that this increases the cost of the user's Internet connection.
  • Even if your user has a dynamic IP address, as long as the user does not shut down the router, the dynamic IP address can stay the same for months.  IT can enter that IP address into the firewall as if it were static.  The downside is that IT will occasionally need to update the address when it changes.  If you go this route, make sure the user's Internet router is on a battery backup so that a power failure does not cause the address to be re-assigned.
  • Allow a range of IP addresses.  A user's ISP is usually allocated a range, and when the address is re-assigned it is often still within that range.  For example, if your user's address is 1.2.3.4, you might open the range 1.2.0.0 to 1.2.255.255 (1.2.0.0/16).  Look up the ISP's actual allocation in a WHOIS database rather than guessing at a /16, which may be larger or smaller than what the ISP really holds.  While this is not as secure as a static IP address, it is much safer than leaving remote desktop open to every address in the world.
You should also consider a VPN for your remote desktop users.  Most of the complaints we hear about VPNs are that they make remote desktop access more likely to break, so some users do not like to use them.
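The PowerShell below is an added example (not from the Elliott knowledge base or from Elliott) that applies the password, lockout and firewall recommendations of the two sections above on a stand-alone Windows server, and ends with the check a practitioner wants before and after: which source addresses have been failing remote logons. The addresses 203.0.113.10 and 198.51.100.0/24 are placeholders, and the lockout and length values are assumptions to align with your own policy. On a domain member, domain accounts take the password and lockout settings from Group Policy, so set them there instead of with net accounts.

```powershell
# Added example, not Elliott code. Harden an Internet-facing Remote Desktop host. Run elevated,
# from a console or VPN session so that step 4 cannot lock you out.

# 1. Minimum length and account lockout (local accounts; domain accounts: set the same in Group Policy).
#    Article minimum is 8 characters; 12 is used here as an assumption.
net accounts /minpwlen:12 /lockoutthreshold:10 /lockoutduration:30 /lockoutwindow:30

# 2. Password complexity (upper, lower, digit, special) lives in the local security policy:
#    export it, flip PasswordComplexity, import it back.
$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg | Out-Null
(Get-Content $cfg) -replace '^PasswordComplexity\s*=\s*0', 'PasswordComplexity = 1' |
    Set-Content $cfg -Encoding Unicode
secedit /configure /db (Join-Path $env:TEMP 'secpol.sdb') /cfg $cfg /areas SECURITYPOLICY | Out-Null
Remove-Item $cfg

# 3. Require Network Level Authentication: credentials are verified before a session is created,
#    so a guessing attack never reaches the logon screen.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
                 -Name UserAuthentication -Value 1 -Type DWord

# 4. Restrict the built-in Remote Desktop firewall rules to the known sources
#    (a user's static address plus an ISP range looked up in WHOIS; both hypothetical).
$allowed = '203.0.113.10', '198.51.100.0/24'
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Set-NetFirewallRule -Enabled True -RemoteAddress $allowed

# 5. Check: failed logons (Security event 4625) in the last $Hours, grouped by source address.
#    Before step 4 this shows the brute-force sources; after it the list should collapse.
function Get-FailedLogonSources([int]$Hours = 24) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            ($x.Event.EventData.Data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
        } |
        Group-Object | Sort-Object Count -Descending | Select-Object Count, Name
}
Get-FailedLogonSources | Select-Object -First 10
```

Steps 1 to 4 change policy and need a change window; step 5 is read-only and is worth scheduling daily. The Remote Desktop display group and the NetSecurity cmdlets exist on Windows 8 / Server 2012 and later; on older servers the equivalent is netsh advfirewall. Note that restricting port 3389 does nothing for a file share that is also exposed, which is the scenario the NTFS section below addresses.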


Upgrade to Elliott V8.0 and Implement Proper NTFS Security
We recommend that you upgrade to Elliott V8.0 and implement the recommended NTFS security.  See the following Knowledge Base article:
http://support.elliott.com/knowledgebase/articles/654601-elliott-8-0-directory-structure-and-ntfs-rights

If you implement the recommended NTFS security, then the only locations that can be impacted by a CryptoWall attack are the following:
  • The *.DAT files in the DATA folder.  This may cause the counters in the DAT files to mismatch the *.BTR files, which are immune from attack once NTFS security is implemented.  To reset the counters to the proper values, see the following article: http://support.elliott.com/knowledgebase/articles/954019-how-to-reset-the-counter-in-dat-files-after-reco
  • The LOG folder, which contains *.LOG files that you can easily restore.
  • The Reports folder of the user who brought in the ransomware: that user's own spooled reports will be attacked and will need to be restored.

With Elliott V7.5 it is possible to implement the same NTFS security, but it is much more difficult because its directory and sub-directory structure is not optimized for NTFS security control.

On 10/31/2017, we witnessed an incident where an Elliott user's workstation was hit by ransomware that arrived through a remote desktop brute force attack.  The alarming thing is that it attacked every share on the network, even shares that were not mapped to a network drive.  We can therefore no longer assume that a share is safe just because it is not mapped.  The only safe way to guard against this type of attack is to implement the Elliott NTFS security, so that the compromised account has no write rights to the folders that matter.
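To verify that the NTFS rights actually in place match what the section above relies on, the following PowerShell (an added example, not from the Elliott knowledge base article it refers to) walks every folder under the Elliott root, plus the *.BTR files in the DATA folders, and reports each place where a broad principal holds write, delete or permission-changing rights. It assumes the root is M:\Elliott7 and that the principals in $broad are the groups your ordinary Elliott users belong to; adjust both, and run it on the server against the local path so that share permissions do not hide the result.

```powershell
# Added example, not Elliott code. Report broad write rights under the Elliott root.
param([string]$ElliottRoot = 'M:\Elliott7')   # assumed root; run on the server with its local path

# Principals that mean "every user": whatever these can write, ransomware run by any user can encrypt.
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Domain Users'

# Rights that allow overwriting, renaming, deleting or re-permissioning.
# Modify and FullControl contain all of these bits, so they are caught too.
$R = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($R::Write -bor $R::Delete -bor $R::DeleteSubdirectoriesAndFiles -bor
                   $R::ChangePermissions -bor $R::TakeOwnership)

function Get-BroadWriteAces($item) {
    if (-not $item) { return }
    $acl = Get-Acl -Path $item.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        $isBroad = $broad | Where-Object { $id -eq $_ -or $id -like "*\$_" }
        if ($ace.AccessControlType -eq 'Allow' -and $isBroad -and
            (([int]$ace.FileSystemRights) -band $writeMask)) {
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $id
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$folders  = @(Get-Item -Path $ElliottRoot) +
            @(Get-ChildItem -Path $ElliottRoot -Directory -Recurse -Force -ErrorAction SilentlyContinue)
# The database files themselves: the article expects these to be immune once NTFS security is in place.
$btrFiles = @(Get-ChildItem -Path $ElliottRoot -Directory -Force |
              Where-Object { $_.Name -match '^DATA(_\d\d)?$' } |
              Get-ChildItem -File -Filter '*.BTR')

$findings = @(($folders + $btrFiles) | ForEach-Object { Get-BroadWriteAces $_ })
"Locations where ordinary users can write: $($findings.Count)"
$findings | Format-Table -AutoSize
```

Compare the output with the exceptions the article lists (the *.DAT files in DATA, the LOG folder, and each user's Reports folder). Any *.BTR file or any other folder that appears in the list is still reachable by a ransomware infection on any user's workstation, mapped drive or not, and is where the linked NTFS article's rights have not been applied.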

EMK
