BlackSuit hacking group behind CDK ransomware attack

Posted by Shannon Lewis on June 27, 2024

BlackSuit, a hacking group believed to be based in Russia and Eastern Europe, is behind a ransomware attack on CDK that has disrupted auto dealerships across the nation since late last week, multiple media reports say.

CDK first shut down its dealer management system, used by 15,000 dealerships, on June 19. It briefly brought the system back online the next day, only to shut it down again that evening. The system provides a suite of tools covering vehicle sales, financing, insurance, and parts inventory and ordering.

Bloomberg reports that CDK plans to pay the hackers' extortion fee, which is in the tens of millions of dollars.

Allan Liska, Recorded Future Inc. threat analyst, told Bloomberg that CDK is not listed as a victim on BlackSuit’s website, indicating the company has either paid the ransom or is still negotiating.  

CDK also told Bloomberg it is working with police and plans to restore services within the coming days. 

The hacking group specializes in attacking Linux and Windows systems, the article says. It adds that, typically, a desktop wallpaper on an infected computer directs the victim to contact the group via a site on the dark web.

“The same gang previously published hundreds of files stolen from the police department in Kansas City, Kansas,” Bloomberg says. “Nearly 200 plasma donation centers worldwide also shut down as a result of BlackSuit’s activity in April. The group has claimed credit for attacks on a Georgia school system and for stealing more than 200 gigabytes of data from an Indiana University.”

Mandiant, a Google subsidiary, released a report earlier this month showing that ransomware activity increased in 2023 compared to 2022. This includes a 75% increase in posts on data leak sites (DLS) and a more than 20% increase in Mandiant-led investigations.

It says 2023 was a record-breaking year with more than $1 billion paid to ransomware attackers.

While ransomware attacks threaten the release of sensitive information, they also disrupt entire industries.

Reuters reports that JPMorgan analysts say the disruption has “plunged the auto retail industry into disarray.” 

The story, along with other media reports, says auto dealers are being forced to fall back on manual paperwork for tasks that CDK's system typically performs.

“AutoNation, a leading auto retailer in the United States, said the outage was disruptive and had adversely impacted its business, though its outlets remain open, continuing to sell, service, and buy vehicles,” Reuters says. “Peer Lithia Motors said on Monday it had experienced disruptions in its CDK-hosted system in North America, and that the incident was likely to have a negative impact on its business operations till the systems are fully restored.”

Mike Coding, master certified parts manager at Jaguar Land Rover Marin, said the disruptions are significant when a DMS goes down. They include the parts department's inability to officially quote or invoice. Automatic replenishment of stock parts has also halted.

The disruption is also affecting other parts of the auto industry. Parts ordering through other systems that connect to CDK has been impacted, for instance.

CCC confirmed late Thursday that it has disabled its integrations with CDK as a result of the issues affecting CDK.

All other CCC systems and CCC One will continue to operate as expected outside of the inability to communicate with CDK, CCC says.

Solera declined to comment on questions about whether the attack was impacting its systems.

“We don’t comment on specific cybersecurity incidents or their potential impacts,” Hideo Esaka, Solera chief marketing officer said in an email late last week. “We take the security and reliability of our systems very seriously and continuously work to maintain the highest standards of protection for our customers.”

When you sat down with your IT guy, did he say what would happen if this happened to you? How did that conversation go? Give us a call at 914-923-0161.

Book a no cost no obligation discovery call here to find out more. Go ahead and schedule your free network assessment here to make sure this never happens to you!