According to multiple sources familiar with the matter, the BlackSuit ransomware gang is behind the massive CDK Global IT outage and outage of car dealerships across North America.
The same sources, who spoke on condition of anonymity, told BleepingComputer that CDK is currently negotiating with the ransomware gang to obtain a decryptor and not leak stolen data.
While BleepingComputer is the first to report that BlackSuit is behind the attack, news that CDK is negotiating with threat actors was revealed by Bloomberg yesterday.
The negotiations come after the BlackSuit ransomware attack forced CDK to shut down its IT systems and data centers to prevent the attack from spreading, including to its car trading platform. The company tried to restore services on Wednesday, but suffered a second cyber security incident, causing it to shut down all IT systems again.
CDK is a software-as-a-service (SaaS) provider whose platform is used by car dealerships to run all aspects of its operations, including sales, financing, inventory, service and back-office functions.
While the platform has now shut down, car sellers have had to switch to pen and paper to conduct their operations, with BleepingComputer being told by car buyers that they could not buy a car due to the outage or receive service for existing cars.
Two of the largest publicly traded auto companies, Penske Automotive Group and Sonic Automotive, revealed yesterday that they too had been affected by the outages.
“Our Premier Truck Group business uses CDK’s dealer management system which has been discontinued,” Penske said in an SEC filing.
“We immediately took preventative steps to protect our systems and began an incident investigation, the efforts of which are ongoing. Premier Truck Group has implemented its own business continuity response plans and continues to operate at all locations through manual or alternative processes developed to respond to such incidents”.
“As a result, the Company experienced disruptions to its dealer management system (“DMS”) hosted by CDK, which supports critical dealer operations, including those supporting sales, inventory and accounting functions, and its system of customer relationship management (“CRM”).” Sonic Automotive reported in an SEC filing.
“All of the Company’s vendors are open and operating using solutions to minimize the disruption caused by this CDK outage.”
CDK also warns that threat actors are calling vendors posing as CDK agents or affiliates to gain unauthorized system access.
BleepingComputer contacted CDK to learn more about the ransomware attack, but has yet to receive a response.
The BlackSuit ransomware gang
BlackSuit was launched in May 2023 and is believed to be a rebrand of Operation Royal ransomware.
Royal Ransomware, and thus BlackSuit, is believed to be the direct descendant of the infamous Conti cybercrime syndicate, an organized cybercrime gang comprised of Russian and Eastern European threat actors.
In June 2023, Operation Royal Ransomware began testing a new encryptor called BlackSuit amid rumors that they planned to rebrand with a new name after attacking the city of Dallas, Texas.
Since then, attacks under the Royal name have disappeared, with threat actors now working under the name BlackSuit.
In November 2023, the FBI and CISA revealed in a joint advisory that Royal and BlackSuit share similar tactics and coding overlays in their encryptors.
The advisory also linked the Royal Ransom Gang to attacks on at least 350 organizations worldwide since September 2022 and more than $275 million in ransom demands.