At approximately 23:15 on 21st January 2020, a malicious CryptoVirus with a ransomware payload was delivered to the majority of Pilot Software sites worldwide.

Here’s a timeline

  • Pilot Software was alerted at 00:06 on 22 January 2020 via our support centre.
  • Around 50% of Pilot clients have been infected, based on calls taken to date.
  • SMS and social media communications were sent to all clients at 10:00 on 22nd January 2020, and updates have since been posted as we have received more information.
  • The Pilot SQL database was encrypted, along with MS Office files in a number of cases.
  • Although the majority of affected sites were running end-of-life Windows 7 and Server 2008, we have had limited reports of Windows 10 sites being affected. These appear to be Windows 10 sites with older SQL Server versions.
  • We’ve had numerous reports of Windows 7 sites that are completely unaffected and we have no clear indication as to why.

So what happened?

Forensic investigation has today revealed that one of our third-party remote support tools was compromised, resulting in the distribution of ransomware targeting primarily unpatched systems. As a result of the breach, Pilot has reset all credentials and will upgrade our third-party toolset to include Multi-Factor Authentication.

What to do now

  • The fix process is tedious and unless you have your own IT team, requires telephonic or onsite assistance.
  • Reformat and reload the BB server or load SQL on an unaffected admin or PoS machine.
  • Attempt restore of local backups if not encrypted.
  • Attempt restore of IronTree backups if you make use of this service.
  • If no data is available, create a blank database with open food/beverage tabs so sales can be tracked.
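Before reloading a server over whatever is left of it, it helps to know which local backup files are actually intact, since a ransomware-encrypted .bak will fail the moment SQL Server tries to read its header. The script below is an added example and is not part of Pilot's notice or toolset. It assumes the SqlServer PowerShell module is installed, that the instance answers as `.\SQLEXPRESS`, that backups are `.bak` files under `C:\Backups`, that the database is named `PilotDB`, and that relocated data files may go to `C:\SQLData`; all of these are placeholders. By default it only verifies; with `-Restore` it restores the newest backup that passed verification, relocating the files so the restore works on a rebuilt machine whose paths differ from the original.

```powershell
<#
  Added example (not from the Pilot notice): list the usable SQL Server backup
  files in a folder, newest first, and on request restore the newest one.
  Requires the SqlServer module (Install-Module SqlServer) and restore rights
  on the instance. Instance, folder, database and data-folder names are placeholders.
#>
param(
    [string]$ServerInstance = '.\SQLEXPRESS',
    [string]$BackupFolder   = 'C:\Backups',
    [string]$DatabaseName   = 'PilotDB',
    [string]$DataFolder     = 'C:\SQLData',
    [switch]$Restore
)

Import-Module SqlServer -ErrorAction Stop

function Invoke-Sql([string]$Query) {
    # -ErrorAction Stop turns SQL errors into terminating errors so try/catch sees them.
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $Query -ErrorAction Stop
}

function Get-SqlLiteral([string]$Text) { return $Text.Replace("'", "''") }

# Newest files first: after an incident the most recent intact backup is the one wanted.
$candidates = Get-ChildItem -Path $BackupFolder -Filter '*.bak' -File |
    Sort-Object LastWriteTime -Descending

$usable = foreach ($file in $candidates) {
    $path = Get-SqlLiteral $file.FullName
    try {
        # An encrypted or truncated file already fails at HEADERONLY; a file with a
        # readable header but damaged pages fails at VERIFYONLY. Neither writes anything.
        $header = @(Invoke-Sql "RESTORE HEADERONLY FROM DISK = N'$path'")[-1]
        Invoke-Sql "RESTORE VERIFYONLY FROM DISK = N'$path'" | Out-Null
        [pscustomobject]@{
            File         = $file.FullName
            Database     = $header.DatabaseName
            BackupFinish = $header.BackupFinishDate
        }
    } catch {
        Write-Warning ('{0}: not usable ({1})' -f $file.Name, $_.Exception.Message)
    }
}

$usable | Format-Table -AutoSize

if (-not $Restore) { return }

$best = $usable | Where-Object Database -eq $DatabaseName | Select-Object -First 1
if (-not $best) { throw "No verified backup of $DatabaseName found in $BackupFolder" }

# Rebuilt machines rarely have the original file paths, so relocate each data and
# log file into $DataFolder using the logical names recorded in the backup itself.
$files = Invoke-Sql "RESTORE FILELISTONLY FROM DISK = N'$(Get-SqlLiteral $best.File)'"
$moves = foreach ($f in @($files)) {
    $target = Join-Path $DataFolder (Split-Path $f.PhysicalName -Leaf)
    "MOVE N'$(Get-SqlLiteral $f.LogicalName)' TO N'$(Get-SqlLiteral $target)'"
}
New-Item -ItemType Directory -Path $DataFolder -Force | Out-Null

Invoke-Sql @"
RESTORE DATABASE [$DatabaseName]
FROM DISK = N'$(Get-SqlLiteral $best.File)'
WITH $($moves -join ', '), RECOVERY, REPLACE, STATS = 10
"@
Write-Host "Restored $DatabaseName from $($best.File) (backup finished $($best.BackupFinish))"
```

Run it once without `-Restore` to see which files pass, then decide whether the newest verified backup is recent enough to be worth more than a blank database with open tabs; `REPLACE` will overwrite any database of the same name on the instance, so point it at a freshly reloaded machine, not at a server you still hope to recover.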

Lost Data?

  • Our development team is working on potentially restoring trading data from PilotLive servers, if you make use of this service. We should know more about restoring from PilotLive by the morning of Monday 27 January, and will share updates with you.
  • Our support centre is still being inundated with calls and we have all available staff working on this.
  • Send an email to web@pilot.co.za if you are still infected and can’t get through to support. We will endeavour to call you back as soon as we can.

To mitigate risk from any source, we strongly recommend:

  • Disable legacy PowerShell.
  • Ensure you have a commercial antivirus, and it is set to automatically update.
  • Ensure that you have a commercial online backup facility.
  • If possible, store local backups on removable media daily.
  • Ensure you are running Windows 10 and at least SQL 2017, and that Windows updates are automated – remember to set a convenient time, say 02h00 daily.
  • Engage the services of a reputable ICT company if you don’t have one – for example https://dialanerd.co.za/about
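The recommendations above are easy to state and easy to lose track of across dozens of sites. The script below is an added example, not part of Pilot's notice or tooling; it reports how one Windows machine measures up against each point and, with `-Fix`, disables the PowerShell 2.0 engine, which is what "legacy PowerShell" normally refers to. It has to run in an elevated session. The SQL Server checks assume the SqlServer module and a placeholder instance name of `.\SQLEXPRESS`; the backup check reads SQL Server's own backup history in `msdb` and looks at whether the destination drive is removable, so it also covers the daily removable-media backup.

```powershell
<#
  Added example, not part of the Pilot notice: report how a Windows PoS or
  back-office machine measures up against the mitigation list and, with -Fix,
  disable the PowerShell 2.0 engine. Run as Administrator. The instance name
  is a placeholder; the SQL checks need the SqlServer module.
#>
param(
    [string]$ServerInstance = '.\SQLEXPRESS',
    [switch]$Fix
)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [bool]$Ok, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Status = $(if ($Ok) { 'OK' } else { 'ACTION' }); Detail = $Detail })
}

# 1. PowerShell 2.0 engine. It predates script block logging and AMSI, so leaving it
#    installed gives malware a quieter interpreter. Client Windows exposes it as an
#    optional feature; Windows Server uses Get-WindowsFeature PowerShell-V2 instead.
$v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
if ($null -eq $v2) {
    Add-Finding 'PowerShell 2.0 engine' $false 'Could not query optional features (Server or pre-Windows 8 OS)'
} elseif ($v2.State -ne 'Enabled') {
    Add-Finding 'PowerShell 2.0 engine' $true "State: $($v2.State)"
} elseif ($Fix) {
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
    Add-Finding 'PowerShell 2.0 engine' $true 'Was enabled; disabled now (restart may be needed)'
} else {
    Add-Finding 'PowerShell 2.0 engine' $false 'Enabled; re-run with -Fix or remove via Windows Features'
}

# 2. Antivirus. Defender reports its own state; any other product registers with
#    Security Center on client Windows. Signatures older than 3 days mean updates are not automatic.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp -and $mp.AntivirusEnabled) {
    $ok = $mp.RealTimeProtectionEnabled -and ($mp.AntivirusSignatureAge -le 3)
    Add-Finding 'Antivirus' $ok ('Defender real-time={0}, signature age={1} days' -f $mp.RealTimeProtectionEnabled, $mp.AntivirusSignatureAge)
} else {
    $av = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    if ($av) { Add-Finding 'Antivirus' $true ('Registered: ' + (@($av.displayName) -join ', ') + '; confirm auto-update in its console') }
    else     { Add-Finding 'Antivirus' $false 'No antivirus product detected' }
}

# 3. Operating system. Windows 7 and Server 2008 are out of support.
$os = Get-CimInstance Win32_OperatingSystem
$osVersion = [version]$os.Version
Add-Finding 'Operating system' ($osVersion.Major -ge 10) "$($os.Caption) $($os.Version)"

# 4. Windows Update policy. AUOptions 4 = download and install on a schedule,
#    ScheduledInstallTime = hour of day (02 for 02h00); no policy means the OS default applies.
$au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
if ($au -and $au.AUOptions -eq 4) {
    Add-Finding 'Windows Update' $true ('Scheduled install at {0:00}h00' -f [int]$au.ScheduledInstallTime)
} elseif ($au) {
    Add-Finding 'Windows Update' $false "AUOptions=$($au.AUOptions) (only 4 installs unattended)"
} else {
    Add-Finding 'Windows Update' ($osVersion.Major -ge 10) 'No policy set; Windows 10 defaults to automatic, Windows 7 may not'
}

# 5. SQL Server version (ProductVersion major 14 = SQL Server 2017) and the most recent
#    full backup of each user database, including whether it went to removable media.
try {
    Import-Module SqlServer -ErrorAction Stop
    $sql = { param($q) Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $q -ErrorAction Stop }
    $ver = & $sql "SELECT CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(64)) AS Version"
    Add-Finding 'SQL Server' (([version]$ver.Version).Major -ge 14) "ProductVersion $($ver.Version)"

    $rows = & $sql @"
SELECT d.name AS DatabaseName, b.backup_finish_date AS LastFull, f.physical_device_name AS Device
FROM sys.databases d
OUTER APPLY (SELECT TOP 1 s.media_set_id, s.backup_finish_date FROM msdb.dbo.backupset s
             WHERE s.database_name = d.name AND s.type = 'D' ORDER BY s.backup_finish_date DESC) b
LEFT JOIN msdb.dbo.backupmediafamily f ON f.media_set_id = b.media_set_id
WHERE d.database_id > 4
"@
    foreach ($r in @($rows)) {
        $never  = $r.LastFull -is [System.DBNull]
        $recent = (-not $never) -and ($r.LastFull -gt (Get-Date).AddDays(-1))
        $device = if ($r.Device -is [System.DBNull]) { '' } else { [string]$r.Device }
        $removable = $false
        if ($device -match '^([A-Za-z]):\\') {
            $disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$($Matches[1]):'" -ErrorAction SilentlyContinue
            $removable = [bool]($disk -and $disk.DriveType -eq 2)   # DriveType 2 = removable disk
        }
        Add-Finding "Backup: $($r.DatabaseName)" ($recent -and $removable) ('last full {0}; device {1}; removable={2}' -f $(if ($never) { 'never' } else { $r.LastFull }), $device, $removable)
    }
} catch {
    Add-Finding 'SQL Server' $false "Could not query $ServerInstance ($($_.Exception.Message))"
}

$findings | Format-Table -AutoSize
```

Each row marked ACTION maps to one bullet in the list above; the backup row is the one to watch most closely, because a backup that only ever lands on the same fixed disk as the database is encrypted together with it, which is the situation the IronTree and removable-media points are there to prevent.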

Going forward

As a PoS provider, and partner to all of you, we are deeply troubled by this attack and the ramifications for our clients – we unreservedly apologise for the severe disruption caused.

While it’s understandable that you may assign blame directly to Pilot, bear in mind that this is a targeted, malicious CryptoVirus attack exploiting support tool, operating system and database vulnerabilities. There have been countless attacks over the last few years including the WannaCry attack of 2017, which cost billions of dollars. No-one is immune.

Our short-term goal is to get all affected sites trading again as soon as humanly possible. Our communications will stay open and we will update you with further developments.
