The BlackSuit ransomware gang is behind a major CDK Global IT outage and disruptions to car dealerships across North America, according to multiple sources familiar with the matter.
One of these sources, who spoke on condition of anonymity, told BleepingComputer that CDK is currently in negotiations with the ransomware gang to receive a decryption tool and to ensure that the stolen data is not leaked.
BleepingComputer first reported that BlackSuit was behind the attacks; news that CDK was in negotiations with the threat actor came soon after, from Bloomberg yesterday.
The talks come after a BlackSuit ransomware attack forced CDK to shut down its IT systems, including its car sales platform and data centers, to prevent the attack from spreading. The company tried to restore services on Wednesday, but was hit by a second cybersecurity incident, again forcing it to shut down all of its IT systems.
CDK is a Software as a Service (SaaS) provider that offers a platform that car dealerships use to run all aspects of their business, including sales, financing, inventory, service and back-office functions.
With the platform now shut down, car dealerships have had to switch to pen and paper to conduct business, and BleepingComputer has been told by car buyers that they are unable to purchase cars or get their existing cars serviced because of the outage.
Two of the largest publicly traded auto dealers, Penske Automotive Group and Sonic Automotive, also said yesterday they were affected by the outage.
“Our Premier Truck Group business utilizes CDK’s dealer management system, which is experiencing disruptions,” Penske said in an SEC filing.
“We immediately took preventative containment measures to secure our systems and began an investigation into the incident, which is ongoing. Premier Truck Group has business continuity response plans in place and continues to operate at all locations through manual or alternative processes developed to respond to incidents such as this.”
“As a result, the company experienced an outage with its CDK-hosted Dealer Management System (“DMS”), which supports critical operations of the dealership’s business, including sales, inventory, accounting functions and the customer relationship management (“CRM”) system,” Sonic Automotive reported in an SEC filing.
“All of our dealers are continuing to operate and utilizing workarounds to minimize disruption caused by the CDK outage.”
CDK also warned that threat actors are calling dealers posing as CDK representatives or affiliates in an attempt to gain unauthorized system access.
BleepingComputer has reached out to CDK to learn more about the ransomware attack but has yet to receive a response.
BlackSuit ransomware group
BlackSuit was launched in May 2023 and is believed to be a rebranding of the Royal ransomware campaign.
Royal ransomware, and therefore BlackSuit, is believed to be the direct successor to the infamous Conti cybercrime syndicate, an organized cybercrime group made up of Russian and Eastern European threat actors.
In June 2023, the Royal ransomware operation began testing a new encryptor called BlackSuit after attacking the city of Dallas, Texas, amid rumors that it planned to rebrand under a new name.
Attacks using the Royal name have since ceased, with the threat actor now operating under the name BlackSuit.
In November 2023, the FBI and CISA revealed in a joint advisory that Royal and BlackSuit share similar tactics, and that their encryptors have overlapping code.
The advisory also noted that the Royal ransomware group has attacked at least 350 organizations worldwide since September 2022, demanding more than $275 million in ransoms.