Hacker attributes attack on CDK Global to BlackSuit ransomware

The BlackSuit ransomware group is behind the recent hack of CDK Global, which resulted in a massive IT system outage and the disruption of thousands of car dealerships in the United States. According to media reports, the company is currently negotiating with attackers to decrypt the data and prevent it from leaking.

CDK Global provides a SaaS platform to its customers, and the software manages all aspects of car dealership operations, including CRM, financing, payroll, support and maintenance, inventory, and more. The company's services are used by more than 15,000 car dealerships in North America.

As a reminder, the attack on CDK Global became public last week, and the consequences of the incident continue to worsen.

According to Bleeping Computer, citing its own sources, negotiations with the hackers began after CDK was forced to shut down its IT systems and data centers to prevent the threat from spreading further. In the middle of last week, the company tried to resume its services, but a “second incident” then occurred, which forced all IT systems to be taken offline again.

This has led to widespread disruption at car dealerships that use the CDK platform to track and order auto parts, make sales, and offer financing to customers. Employees of some dealerships complained on Reddit that they had nothing to do, while others reported being forced to work with pen and paper. At some dealerships, employees were even sent home because of the software outage. As a result, customers can neither purchase a car nor have one serviced.

Even the two largest American auto dealers, Penske Automotive Group and Sonic Automotive, reported that they were also affected by the disruption of CDK Global's services.

Even worse, CDK officials warned that attackers were calling dealerships posing as agents and partners of the company to try to gain unauthorized access to systems.

Currently, CDK Global reports that they cannot yet give an exact time frame for restoring the systems, meaning the outages will most likely continue for several more days.

The BlackSuit group emerged in 2023 and is considered a “rebrand” of the Royal ransomware, which in turn is a direct successor of Conti. Back in November 2023, the FBI and CISA reported that Royal and BlackSuit used similar tactics and shared the same ransomware code.