Ransomware Attack on CDK Global Disrupts Major U.S. Auto Dealers

The recent ransomware attack on CDK Global, a leading automotive software provider, has sent shockwaves through the U.S. auto industry. At least six major automotive dealers have reported significant operational disruptions due to the cyberattack. In recent filings with the Securities and Exchange Commission, Lithia Motors, Group 1 Automotive, Penske Automotive Group, Sonic Automotive, Asbury Automotive Group, and AutoNation all confirmed the impact on their businesses.

Less than a week after CDK Global detected the breach, the company’s systems were shut down “out of an abundance of caution and concern” for their customers, according to a statement from Lisa Finney, CDK’s senior manager of external communications.

The notorious ransomware group BlackSuit has claimed responsibility for the attack, demanding tens of millions of dollars in ransom. With nearly 15,000 auto dealer locations relying on CDK’s software, the fallout is substantial.

Allan Liska, a threat intelligence analyst at Recorded Future, described BlackSuit as a “mid-sized ransomware as a service offering” but noted its history of high-profile victims. Despite the severity of the attack, neither CDK Global nor its parent company, Brookfield Business Partners, has commented on the ransom demands.

BlackSuit is believed to be a rebranded version of the infamous Royal ransomware operation, which had previously targeted over 350 victims globally, with extortion demands exceeding $275 million. Royal itself is thought to be connected to the Conti ransomware group, known for major attacks worldwide and alleged ties to Russian intelligence.

Cybersecurity experts warn that CDK Global is likely dealing with highly experienced cybercriminals skilled in negotiating large ransoms. Despite the gravity of the situation, BlackSuit has yet to post any information about CDK Global on its site, which it uses to pressure victims into paying ransoms by threatening to release stolen data.

Since its emergence in early 2023, BlackSuit has claimed 76 victims, predominantly in the United States. The group’s recent activity includes posting stolen data from the Kansas City, Kansas Police Department.

As the automotive industry grapples with the consequences of this attack, the need for robust cybersecurity measures has never been clearer.
