CDK Global Outage Triggered by BlackSuit Ransomware Attack
The massive IT disruption at CDK Global and subsequent operational challenges for North American car dealerships have been attributed to the BlackSuit ransomware gang, according to multiple informed sources.
These sources, speaking on condition of anonymity to BleepingComputer, disclosed that CDK Global is currently engaged in negotiations with the ransomware operators to obtain a decryptor and prevent the disclosure of stolen data.
BleepingComputer first reported BlackSuit’s involvement in the attack, while Bloomberg revealed yesterday that CDK Global had begun negotiations with the threat actors.
The negotiations follow a significant ransomware attack by BlackSuit, which compelled CDK Global to temporarily shut down its IT systems and data centers, including its crucial car dealership platform. Efforts to restore services on Wednesday were thwarted by a subsequent cybersecurity incident, prompting CDK Global to again halt all IT operations.
CDK Global, a leading software-as-a-service (SaaS) provider for car dealerships, supports essential functions such as sales, financing, inventory management, and back-office operations through its platform. The disruption has forced dealerships to fall back on manual processes, leaving car buyers unable to complete purchases or have vehicles serviced.
Major car dealership companies like Penske Automotive Group and Sonic Automotive confirmed yesterday that they too were affected by the outages. Penske Automotive Group reported disruptions to its Premier Truck Group business due to the outage, implementing contingency plans to maintain operations through alternative processes.
Sonic Automotive disclosed disruptions to its dealer management system (DMS) and customer relationship management (CRM) systems, necessitating workaround solutions to mitigate operational impacts.
CDK Global has also warned dealerships that unauthorized callers posing as CDK agents or affiliates are contacting them in an attempt to gain access to dealership systems.
BleepingComputer reached out to CDK Global for further insights into the ransomware attack but has yet to receive a response.
Background on the BlackSuit ransomware gang:
BlackSuit emerged in May 2023 and is believed to be a rebranding of the Royal ransomware group. The new name appeared shortly after Royal's attack on the City of Dallas, Texas, when rumors circulated that the group planned to rebrand.
The shift from Royal to BlackSuit coincided with the disappearance of attacks claimed under the Royal name. Both share similar tactics and code characteristics in their encryptors, as noted in a joint FBI and CISA advisory from November 2023.
The advisory linked Royal and BlackSuit to ransomware attacks targeting over 350 organizations worldwide since September 2022, with ransom demands exceeding $275 million.