TrollEye Security

CDK Global Hit by BlackSuit Ransomware, Causing Major Disruptions Across North America

Details of The Story

CDK Global, a prominent software-as-a-service (SaaS) provider for car dealerships, has experienced a massive IT outage due to a ransomware attack attributed to the BlackSuit gang. According to multiple sources, including Bleeping Computer, this attack has caused significant disruptions for car dealerships across North America.

Sources, who wished to remain anonymous, disclosed that CDK Global is currently in negotiations with the ransomware gang, seeking a decryptor to restore its systems and to prevent the leak of stolen data.

The BlackSuit ransomware attack has forced CDK to shut down its IT systems and data centers to contain the spread, impacting their car dealership platform. Despite attempts to restore services on Wednesday, a second cybersecurity incident prompted another complete shutdown of IT systems.

CDK Global’s platform is essential for car dealerships, managing everything from sales and financing to inventory, service, and back-office functions. With the platform offline, dealerships have reverted to manual operations. Car buyers reported being unable to purchase vehicles or receive services due to the outage.

Major dealership companies Penske Automotive Group and Sonic Automotive have confirmed the impact of these outages. Penske’s SEC filing detailed disruptions to its Premier Truck Group business, which relies on CDK’s dealer management system. “We immediately took precautionary containment steps to protect our systems and commenced an investigation of the incident, which efforts are ongoing,” Penske stated. The company is currently operating through manual processes developed for such incidents.

Sonic Automotive’s SEC filing also reported significant disruptions. “As a result, the Company experienced disruptions to its dealer management system (“DMS”) hosted by CDK, which supports critical dealership operations including those supporting sales, inventory, and accounting functions and its customer relationship management (“CRM”) system,” the company disclosed. It has implemented workaround solutions to minimize the impact and continue operations.

In addition to the ransomware attack itself, CDK has warned that threat actors are impersonating CDK agents in an attempt to gain unauthorized access to systems.

About The BlackSuit Ransomware Gang

BlackSuit, believed to be a rebrand of the Royal ransomware operation, launched in May 2023. Royal, and by extension BlackSuit, is thought to be the successor of the notorious Conti cybercrime syndicate, which was made up of Russian and Eastern European threat actors.

The Royal Ransomware operation began testing a new encryptor called BlackSuit in June 2023, amid rumors of a rebrand following their attack on the City of Dallas, Texas. Since then, Royal has ceased its activities, with the threat actors now operating under the BlackSuit name.

In November 2023, a joint advisory by the FBI and CISA revealed that Royal and BlackSuit share similar tactics and have code overlaps in their encryptors. The advisory linked Royal to attacks on at least 350 organizations worldwide since September 2022, with more than $275 million in ransom demands.
