At least six major automotive dealers in the US say their businesses have been hit by the fallout from a ransomware attack on industry software provider CDK Global.
Many of the impacted automotive dealers, which include Lithia Motors and AutoNation, were forced to resort to pen-and-paper operations following the ransomware attack.
The Companies Hit
So far, at least six companies have told the Securities and Exchange Commission that the CDK Global ransomware attack has disrupted their operations.
The six companies affected are: Asbury Automotive Group, AutoNation, Group 1 Automotive, Lithia Motors, Penske Automotive Group, and Sonic Automotive.
Fallout is Ongoing
Disruption from the ransomware attack persists days after CDK first detected it. The company said it had “shut down most of [their] systems out of an abundance of caution and concern”.
However, CDK Global has begun the process of restoring its systems – although it has not provided an exact timeframe for completing the restoration.
Who is Responsible For The Attack?
It has been reported that the ransomware group BlackSuit is responsible for the attack against CDK Global. The group demanded “tens of millions of dollars in ransom”.
Experts have described BlackSuit as a “mid-sized ransomware as a service offering”, with “a number of big victims” under its belt. CDK Global is responsible for providing software to almost 15,000 auto dealer locations.
The History of BlackSuit
BlackSuit emerged in May 2023 and is believed by many to be a rebrand of the Royal ransomware operation. Royal targeted more than 350 victims between September 2022 and November 2023, demanding nearly $300 million in the process.
Royal is believed to be connected to the Conti ransomware operation. Conti was linked to the TrickBot malware operation, which the US Government said was tied to Russian intelligence services.
Experts Weigh In
Brett Callow, a threat analyst for Emsisoft, said, “BlackSuit is believed to be connected to the Royal operation, which was believed to be connected to the Conti operation, which means CDK could well be dealing with a set of very experienced cybercriminals who are used to negotiating large demands.”
BlackSuit has claimed 76 victims since May 2023. However, it has yet to mention BlackSuit on its website, where it posts messages about its alleged targets. So far, it has reported seven victims via its website this month.
CDK Responds
In a memo sent to clients on Saturday, CDK Global said, “Thank you for your patience as we recover from the cyber ransom event that occurred on June 19th.”
CDK Global added that it had begun the process of restoring its systems and that bringing operations back online should take days and not weeks.
BlackSuit’s History of Attacks
According to CyberScoop’s AJ Vicens, “The BlackSuit ransomware gang has leaked stolen data from attacks against 53 organizations spanning a year.”
The ReliaQuest Threat Research Team said that BlackSuit’s targeting pattern “strongly suggests a financial motivation with a focus on critical sectors that either have smaller cybersecurity budgets or a low tolerance for downtime.”
Business Leaders Speak of Adverse Impact
Asbury Automotive Group, which operates over 150 car dealerships in the US, said the ransomware attack had “adversely impacted” its operations and ability to conduct business.
Celebrity Motor Car Company owner Tom Maoli said his company was having to work entirely manually. He added, “We are trying to keep our customers happy and the biggest issue is the banking side of things, which is completely backed up. We can’t fund deals.”
A Rise in Ransomware Attacks
In 2023, more than 2,200 entities in the US, including hospitals and schools, were impacted by ransomware – with thousands of private-sector businesses also targeted.
The rise in ransomware attacks has led some to call for the payment of ransom to be banned. Anti-malware company Emsisoft said doing this would lead attackers to “quickly pivot and move from high impact encryption-based attacks to other less disruptive forms of cybercrime.”