The BlackSuit ransomware gang is behind CDK Global’s massive IT outage and disruption to car dealerships across North America, according to multiple sources familiar with the matter.
The same sources, who provided information on condition of anonymity, told BleepingComputer that CDK is currently negotiating with the ransomware gang to receive a decryptor and prevent the leak of stolen data.
While BleepingComputer is the first to report that BlackSuit is behind the attack, the news that CDK is negotiating with threat actors was revealed by Bloomberg yesterday.
The negotiations come after the BlackSuit ransomware attack forced CDK to shut down its IT systems and data centers to prevent the attack’s spread, including its car dealership platform. The company attempted to restore services on Wednesday but suffered a second cybersecurity incident, causing it to shut down all IT systems again.
CDK is a software-as-a-service (SaaS) provider whose platform is used by car dealerships to run all aspects of their operations, including sales, financing, inventory, service, and back office functions.
As the platform is now shut down, car dealerships have had to switch to pen and paper to conduct their operations, with BleepingComputer told by car buyers that they could not purchase a car due to the outage or receive service for existing vehicles.
Two of the largest public car dealership companies, Penske Automotive Group and Sonic Automotive, disclosed yesterday that they, too, had been impacted by the outages.
“Our Premier Truck Group business utilizes CDK’s dealer management system which has been disrupted,” Penske shared in an SEC filing.
“We immediately took precautionary containment steps to protect our systems and commenced an investigation of the incident, which efforts are ongoing. Premier Truck Group has implemented its business continuity response plans and continues to operate at all locations through manual or alternate processes developed to respond to such incidents.”
“As a result, the Company experienced disruptions to its dealer management system (“DMS”) hosted by CDK, which supports critical dealership operations including those supporting sales, inventory and accounting functions and its customer relationship management (“CRM”) system,” reported Sonic Automotive in an SEC filing.
“All of the Company’s dealerships are open and operating using workaround solutions to minimize the disruption caused by this CDK outage.”
CDK also warns that threat actors are calling dealerships posing as CDK agents or affiliates to gain unauthorized systems access.
BleepingComputer contacted CDK to learn more about the ransomware attack but has not received a response yet.
The BlackSuit ransomware gang
BlackSuit launched in May 2023 and is believed to be a rebrand of the Royal ransomware operation.
Royal Ransomware, and thus BlackSuit, is believed to be the direct successor of the notorious Conti cybercrime syndicate, an organized cybercrime gang comprised of Russian and Eastern European threat actors.
In June 2023, the Royal Ransomware operation began testing a new encryptor called BlackSuit amid rumors that they planned to rebrand under a new name after they attacked the City of Dallas, Texas.
Since then, attacks under the Royal name have disappeared, with the threat actors now operating under the BlackSuit name.
In November 2023, the FBI and CISA revealed in a joint advisory that Royal and BlackSuit share similar tactics and coding overlaps in their encryptors.
The advisory also linked the Royal ransomware gang to attacks on at least 350 organizations worldwide since September 2022 and more than $275 million in ransom demands.