CDK to pay ransom attacker BlackSuit as US car dealers struggle

Auto dealers across North America continue to grapple with the fallout from last week's cyberattack on automotive software provider CDK Global. This is as the BlackSuit hacker group steps forward with a reported $10 million ransom demand.

CDK put out an updated statement to dealerships on Monday that it's “continuing the restoration process of our core applications.”

The San Jose, California-based tech company said it was “working with multiple third-party experts” and would share more details about “the sequencing” of the restoration process when possible, but did not give any specifics.

On Sunday, CDK had announced to customers it expected the process to take “several days” to complete – a fast-turnaround considering last Wednesday’s ransomware attack forced the company to shut down its entire network leaving over 15,000 auto dealers in the lurch.

Apparently as CDK was attempting to recover from the Wednesday daytime cyber incident, it was hit by another attack later that evening.

“CDK is suffering from not one, but two cyberattacks that have caused the SaaS provider to shut down IT systems. Given the extensive reliance on this third-party vendor, the fallout from this attack reverberates throughout the entire automotive industry, “ said Andrew Costis, Chapter Lead of the Adversary Research Team at AttackIQ.

BlackSuit takes claim

One reason for the seemingly shortened restoration timeline given by CDK (most recovery efforts take weeks, if not months) may be attributed to rumors that the software provider is planning to pay off the ransomware group responsible for the shutdown.

Bloomberg News reported Monday that the BlackSuit ransomware cartel was behind the attack on CDK Global, citing a threat analyst at security firm Recorded Future.

The ransom demand? A reported $10 million, according to Bloomberg. Furthermore, an anonymous source, as reported by Fortune, said that CDK will make the payment, although the source also said discussions were fluid, and the situation could change.

Other rumors floating on X have reported the demand has raised to $50 million over the weekend.

“[BlackSuit ] are holding out for a $50M+ ransom. Semyuel Hydeski (pictured below), the leader of the group, says ransom will increase $10M every day #cdkglobal refuses to pay,” according to one X user.

Days of disruption

Thousands of auto retailers rely on CDK’s Dealer Management System (DMS) software to complete deals, provide financing to customers, track store profitability, and monitor employee compensation.

The disruption has "plunged the auto retail industry into disarray," JPMorgan analysts said last week.

Zeroing in on the impact of “industry consolidation,” Costis explained the "incident underscores the need to fortify security measures and heighten visibility not only across one's own system but also the third-party providers they rely on.”

“The intricate interconnectedness of ecosystems implies that a breach of one third-party provider, such as CDK, can trigger a cascade effect across the organizations it serves,” he said.

Costis says by leveraging automated solutions to continuously test security defenses, “organizations can identify vulnerabilities across their entire system, enhancing threat-informed incident responses.”

Two leading US retailers, AutoNation and Group 1 Automotive, were greatly impacted and released statements on operations.

AutoNation said the outage was disruptive and had adversely impacted its business, though its outlets remain open, continuing to sell, service, and buy vehicles.

Group 1, an international automotive retailer with 150 locations across the US, said it had immediately taken additional steps to “protect and isolate its systems from CDK's platform.”

“Despite the CDK service outage, all Group 1 U.S. dealerships continue to conduct business using alternative processes until CDK's dealers' systems are available,” it said.

Group 1 Automotive on CDK hack
Image by Cybernews

The Fortune 500 company also stated its dealerships in the UK had not been affected because they do not use CDK systems.

Both AutoNation and Group 1 further said they had resorted to using manual paperwork to conduct their business. The companies also stressed they had taken precautionary steps to protect their data.

Dealerships across the nation say the CDK outage was likely to have a negative impact on its business operations until the systems were fully restored, with some analysts predicting further financial implications for the industry.

Last week, CDK also warned its customers to be on the alert of email phishing and vishing scams targeting staff in an attempt to gain access to log in credentials.

"We are continuing to actively engage with our customers and provide them with alternate ways to conduct business," CDK said in an emailed statement to Reuters.

Who is BlackSuit?

The BlackSuit ransomware cartel – formally the Royal cybercriminal gang that rebranded this past November – is mostly known for targeting the educational and municipal sectors in the US.

The gang emerged on the cyber scene in early 2022 after claiming the UK’s Silverstone Formula One motor racing circuit.

By the end of 2023, BlackSuit had extorted more than $275 million from at least 350 known victims, according to the US Cybersecurity and Security Infrastructure Agency (CISA).

More recent victims include South Carolina’s Kershaw County School District and the Kansas City Police Department.

Kansas BlackSuit
Image by Cybernews

The gang Infamously hacked the City of Dallas, Texas last spring, shutting down the municipality for weeks and affecting the Dallas Police and Fire Departments.

Notorious for data exfiltration and extortion prior to encryption, the group is known to publish the data of victims who don’t pay up.

BlackSuit is also said to be made up of a hodge podge of former threat actors from other Russian-linked cyber gangs, including the Conti group, and before creating their own Royal ransomware, would utilize other third-party variants including BlackCat and Zeon.

The gang's ransom demands have ranged from approximately $1 million to $11 million in Bitcoin, CISA said, putting CDK Global on the top end of the ransom demand spectrum.