The BlackSuit ransomware gang is behind CDK Global's massive IT outage and disruption to car dealerships across North America, according to multiple sources familiar with the matter.
The same sources, who provided information on condition of anonymity, told BleepingComputer that CDK is currently negotiating with the ransomware gang to receive a decryptor and to prevent the leak of stolen data.
While BleepingComputer is the first to report that BlackSuit is behind the attack, the news that CDK is negotiating with the threat actors was revealed by Bloomberg yesterday.
The negotiations come after the BlackSuit ransomware attack forced CDK to shut down its IT systems and data centers to prevent the attack's spread, including its car dealership platform. The company attempted to restore services on Wednesday but suffered a second cybersecurity incident, causing it to shut down all IT systems again.
CDK is a software-as-a-service (SaaS) provider whose platform is used by car dealerships to run all aspects of their operations, including sales, financing, inventory, service, and back office functions.
As the platform is now shut down, car dealerships have had to switch to pen and paper to conduct their operations, with car buyers telling BleepingComputer that they could not purchase a car due to the outage or receive service for existing vehicles.
Two of the largest public car dealership companies, Penske Automotive Group and Sonic Automotive, disclosed yesterday that they, too, were impacted by the outages.
"Our Premier Truck Group business utilizes CDK's dealer management system which has been disrupted," Penske shared in an SEC filing.
"We immediately took precautionary containment steps to protect our systems and began an investigation of the incident, which efforts are ongoing. Premier Truck Group has implemented its business continuity response plans and continues to operate at all locations by manual or alternate processes developed to respond to such incidents."
"As a result, the Company experienced disruptions to its dealer management system ("DMS") hosted by CDK, which supports critical dealership operations including those supporting sales, inventory and accounting functions and its customer relationship management ("CRM") system," reported Sonic Automotive in an SEC filing.
"All of the Company's dealerships are open and operating utilizing workaround solutions to minimize the disruption caused by this CDK outage."
CDK also warns that threat actors are calling dealerships posing as CDK agents or affiliates to gain unauthorized access to systems.
BleepingComputer contacted CDK to learn more about the ransomware attack but has not received a response yet.
The BlackSuit ransomware gang
BlackSuit launched in May 2023 and is believed to be a rebrand of the Royal ransomware operation.
Royal Ransomware, and thus BlackSuit, is believed to be the direct successor of the notorious Conti cybercrime syndicate, an organized cybercrime gang comprised of Russian and Eastern European threat actors.
In June 2023, the Royal Ransomware operation began testing a new encryptor called BlackSuit amid rumors that they planned to rebrand under a new name after they attacked the City of Dallas, Texas.
Since then, attacks under the Royal name have disappeared, with the threat actors now operating under the BlackSuit name.
In November 2023, the FBI and CISA revealed in a joint advisory that Royal and BlackSuit share similar tactics and coding overlaps in their encryptors.
The advisory also linked the Royal ransomware gang to attacks on at least 350 organizations worldwide since September 2022 and more than $275 million in ransom demands.