In a recent cyber attack update, CDK Global has been hit hard by the BlackSuit ransomware gang, causing a significant IT outage that has disrupted operations for car dealerships across North America. Multiple sources, who requested anonymity, have confirmed the involvement of the ransomware group, according to Lawrence Abrams of BleepingComputer.
Cyber attack update: CDK is hit by BlackSuit ransomware gang
Bloomberg reported that CDK Global is currently negotiating with the BlackSuit ransomware gang to secure a decryptor and ensure that no stolen data is leaked.
The ongoing negotiations come in the wake of the ransomware attack, which compelled CDK to initially shut down its IT systems and data centers to halt the spread of the attack. Despite attempts to restore services on Wednesday, a second cyber attack by BlackSuit ransomware forced CDK to shut down all its IT systems again, impacting its car dealership platform.
CDK Global, a leading software-as-a-service (SaaS) provider, helps car dealerships manage various operational aspects, including sales, financing, inventory, service, and back-office functions. With its platform currently offline, dealerships are resorting to manual operations with pen and paper.
Additionally, two of the largest public car dealership companies, Penske Automotive Group and Sonic Automotive, revealed yesterday that they have also been affected by these outages. CDK continues to provide updates as they strive to resolve the situation promptly.
“Our Premier Truck Group business utilizes CDK’s dealer management system which has been disrupted. We immediately took precautionary containment steps to protect our systems and commenced an investigation of the incident, which efforts are ongoing. Premier Truck Group has implemented its business continuity response plans and continues to operate at all locations through manual or alternate processes developed to respond to such incidents,” Penske stated in an SEC filing.
“As a result, the Company experienced disruptions to its dealer management system (“DMS”) hosted by CDK, which supports critical dealership operations including those supporting sales, inventory and accounting functions and its customer relationship management (“CRM”) system. All of the Company’s dealerships are open and operating utilizing workaround solutions to minimize the disruption caused by this CDK outage,” said Sonic Automotive in the same SEC filing.
CDK also warns that threat actors are calling dealerships while posing as CDK agents or affiliates in an attempt to gain unauthorized access to dealership systems.
About BlackSuit ransomware gang
Launched in May 2023, BlackSuit is widely believed to be a rebranding of the Royal ransomware operation, which itself is considered a direct successor to the infamous Conti cybercrime syndicate. Comprising Russian and Eastern European threat actors, this organized gang has been a persistent security concern.
In June 2023, amidst discussions surrounding a potential rebrand, the Royal ransomware group tested a new encryptor named BlackSuit, which coincided with their attack on the City of Dallas, Texas. Following these events, the Royal name ceased to be used, with the threat actors consolidating their operations under the BlackSuit moniker.
By November 2023, an advisory issued jointly by the FBI and CISA shed light on the connection between Royal and BlackSuit, noting significant similarities in tactics and coding within their encryptors. This advisory also tied the Royal ransomware gang to attacks on over 350 organizations globally since September 2022, with ransom demands surpassing $275 million.
The transition from Royal to BlackSuit marks a strategic move by the cybercriminals to continue their illicit activities under a new guise, maintaining their dangerous presence in the digital world.
Featured image credit: Kerem Gülen/Midjourney