US car dealers are feeling the pain of CDK cyberattack

At least six companies have alerted the Securities and Exchange Commission that the fallout from the ransomware attack on automotive industry software provider CDK Global has had a negative or disruptive impact on their operations, according to recent filings with the agency.

In filings made public Friday and Monday, six major automotive dealers — Lithia Motors, Group 1 Automotive, Penske Automotive Group, Sonic Automotive, Asbury Automotive Group and AutoNation — said their operations had been affected by the attack on CDK. 

The effects of the ransomware attack are being felt by U.S. car dealers less than a week after CDK detected a cyberattack and announced that “out of an abundance [of] caution and concern” for its customers, it had “shut down most of [its] systems,” according to a statement provided to CyberScoop by Lisa Finney, CDK’s senior manager of external communications.

BlackSuit, an established ransomware group, was responsible for the attack on CDK Global, the tech news site Bleeping Computer reported Saturday. On Friday, Bloomberg reported that the group involved in the attack demanded “tens of millions of dollars in ransom” from the company, which provides software to “nearly 15,000” auto dealer locations.

Allan Liska, a threat intelligence analyst at Recorded Future, told CyberScoop that BlackSuit was involved, and referred to the group as a “mid-sized ransomware as a service offering” that nevertheless has “had a number of big victims.”

Neither Finney nor Brookfield Business Partners, CDK’s parent company, responded to requests for comment on the latest fallout and payment demands Monday morning.

BlackSuit emerged as a distinct ransomware entity in early April or May of 2023, according to SentinelOne, and could be a rebrand of the dormant Royal ransomware operation. A joint November 2023 advisory from the Cybersecurity and Infrastructure Security Agency reported that Royal targeted more than 350 known victims worldwide between September 2022 and November 2023 and pushed for more than $275 million in extortion demands.

Royal is itself thought to be a rebrand of or connected to the Conti ransomware operation, said Brett Callow, threat analyst with Emsisoft. Conti, which shuttered its site in 2022, was known for major attacks around the world, and had links to the TrickBot malware operation, which the U.S. government said in September 2023 had “ties” to Russian intelligence services.

“BlackSuit is believed to be connected to the Royal operation, which was believed to be connected to the Conti operation,” Callow said, “which means CDK could well be dealing with a set of very experienced cybercriminals who are used to negotiating large demands.”

BlackSuit has yet to mention anything about CDK Global on the website it uses to post messages about alleged targets and the data of targets that did not pay. BlackSuit has claimed 76 victims since May 2023, most of them in the United States, a representative of the cybersecurity firm KELA told CyberScoop in an email Monday. According to data collected by the cybersecurity firm Check Point, the group listed 18 victims on its site in May and seven so far in June.

BlackSuit recently posted a large cache of data and internal files purportedly stolen from the Kansas City, Kan., Police Department.

This story was updated June 24, 2024, with SEC filings from fifth and sixth auto dealers impacted by the attack on CDK.

Written by AJ Vicens

AJ covers nation-state threats and cybercrime. He was previously a reporter at Mother Jones. Get in touch via Signal/WhatsApp: (810-206-9411).