The Attack

This week, CDK Global, a cloud-based software-as-a-service (SaaS) provider for car dealerships, was hit by a ransomware attack attributed to the Eastern European ransomware group known as BlackSuit. The initial access vector and the techniques the threat actors used to carry out the attack are not currently known. The result has been a nationwide shutdown of CDK's systems across the United States, forcing approximately 15,000 car dealerships to take their IT systems offline. Some dealerships have had to resort to pen and paper to continue their business operations.

CDK attempted to restore its systems on Wednesday, only to suffer a second cybersecurity incident that forced all systems to shut down again. According to Bloomberg, BlackSuit is demanding tens of millions of dollars, and CDK is negotiating with the attackers in an attempt to reach a resolution. The latest update is that CDK has restored operations for some dealerships but is still struggling to resume normal business for all of them.

The Damage

The damage from this attack has already been notable, with CBS reporting that the outage could result in around 100,000 fewer cars being sold in the month of June. This is more than a 7% decrease compared to this period of 2023. CDK has also made no promise that they will be able to be back up and running by the end of the month. This attack will no doubt have lasting and devastating effects on CDK’s reputation in the automotive industry. A class action lawsuit has already been filed against the organization, stating that they “Failed to protect sensitive personal information in its care from a data breach.”

The BlackSuit ransomware gang behind this attack has built a reputation recently, breaching over 95 organizations globally according to U.S. News. Most of these organizations have been American, including the city of Dallas, Texas. The group is believed to be a rebrand of the operation previously known as "Royal Ransomware". It has most recently been linked to another ransomware attack, against the Japanese media conglomerate KADOKAWA, which operates numerous media companies in Japan including FromSoftware, the creators of 2022's Game of the Year winner Elden Ring.

What can we learn?

This attack is a stark reminder of how devastating a sophisticated ransomware attack can be, and organizations should prioritize being prepared for these sorts of incidents. While it is impossible to completely eliminate the risk of ransomware, there are steps we can take to reduce the likelihood of these attacks, limit their impact, and recognize the warning signs early.

One step organizations can take to prepare is creating and maintaining an incident response plan that specifically addresses ransomware incidents. This includes documenting response and notification procedures and ensuring that a hard-copy version is available, since the plan may be needed while the systems that normally hold it are unavailable. Organizations should also maintain offline, encrypted backups of their critical data, and it is important to regularly test restoring from these backups to confirm that they are complete and usable, not merely that the backup jobs ran.

Organizations can also reduce their exposure by performing regular vulnerability scanning and promptly patching and updating software to the latest supported versions. They should ensure that sensitive remote-access services such as RDP are not reachable from the internet, and that where such services are required they are restricted to a VPN or bastion host, limited to the accounts that need them, and protected with multi-factor authentication. Finally, organizations should ensure that all on-premises systems, cloud services, mobile devices, and personal devices used for work are properly configured with appropriate security controls.
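As an added illustration of the external exposure check described above (this is not code from the original post or from TraceSecurity), the following Python script parses constructed nmap greppable (`-oG`) output for a hypothetical external scan and flags open remote-management ports that should never be internet-facing. The host addresses, the scan output and the policy table are assumptions made for the example.

```python
"""Flag remote-management services that are reachable from the internet.

Added example, not TraceSecurity's own tooling.  Input is constructed
`nmap -oG` (greppable) output for an imaginary external scan; the host
addresses come from the RFC 5737 documentation range.
"""
import re

# Example policy (an assumption for this illustration): TCP services that must
# never be open to an untrusted network.  Port numbers are the Microsoft defaults.
FORBIDDEN_EXTERNAL = {
    3389: "RDP",
    445: "SMB",
    5985: "WinRM (HTTP)",
    5986: "WinRM (HTTPS)",
}

# Constructed sample of `nmap -oG` output.  Each port entry has the form
# port/state/proto/owner/service/rpcinfo/version/ as nmap writes it.
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated as: nmap -sS -p- -oG - 203.0.113.0/29
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (65533)
Host: 203.0.113.11 ()\tStatus: Up
Host: 203.0.113.11 ()\tPorts: 22/open/tcp//ssh///, 445/open/tcp//microsoft-ds///, 5985/open/tcp//wsman///, 80/closed/tcp//http///
Host: 203.0.113.12 ()\tStatus: Up
Host: 203.0.113.12 ()\tPorts: 443/open/tcp//https///
# Nmap done -- 3 IP addresses (3 hosts up) scanned
"""

# port / state / proto / owner (empty) / service / rpcinfo (empty) / version (empty) /
PORT_RE = re.compile(r"(\d+)/(open|closed|filtered)/(tcp|udp)//([^/]*)///")


def parse_grepable(text):
    """Return {host: [(port, state, proto, service), ...]} from nmap -oG text.

    Lines that carry no "Ports:" field (status lines, comments) are skipped.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        match = re.search(r"Ports: (.*?)(?:\t|$)", line)
        if not match:
            continue
        entries = hosts.setdefault(host, [])
        for port, state, proto, service in PORT_RE.findall(match.group(1)):
            entries.append((int(port), state, proto, service))
    return hosts


def find_exposed_services(text, policy=FORBIDDEN_EXTERNAL):
    """Return a sorted list of (host, port, name) for open TCP ports the policy forbids."""
    findings = []
    for host, entries in parse_grepable(text).items():
        for port, state, proto, _service in entries:
            if state == "open" and proto == "tcp" and port in policy:
                findings.append((host, port, policy[port]))
    return sorted(findings)


if __name__ == "__main__":
    for host, port, name in find_exposed_services(SAMPLE_SCAN):
        print(f"{host}:{port} exposes {name} to the internet")
```

Run against a real external scan, the output of `find_exposed_services` is the list of hosts that need a firewall rule or a move behind the VPN before anything else on the patching backlog; closed or filtered ports are deliberately ignored so the report only contains services an attacker could actually reach.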

These are just some of the steps organizations can take to defend against ransomware; a more in-depth guide with recommendations and further information is available from CISA (see Sources below).

TraceSecurity recommends regularly performing ransomware preparedness assessments or similar types of testing so that your organization is better prepared for attacks such as this one. Many organizations are vulnerable to this kind of attack and will not find out until they test for it or until it is too late. Anyone can be targeted, and regular testing is the only way to confirm that your organization is actually prepared.

Sources

CDK Global outage caused by BlackSuit ransomware attack (bleepingcomputer.com)

Explainer-The 'BlackSuit' Hacker Behind the CDK Global Attack Hitting US Car Dealers (usnews.com)

CDK Global Data Breach Lawsuit Filed After Cyberattack Shut Down Car Dealerships Nationwide (classaction.org)

BlackSuit ransomware gang claims attack on KADOKAWA corporation (bleepingcomputer.com)

How Can I Protect Against Ransomware? | CISA

Gavin Debetaz, Information Security Analyst

Gavin has been honing his cybersecurity testing skills with TraceSecurity for almost 5 years. Starting as an Associate Information Security Analyst, he focused on performing penetration testing, vulnerability assessments, phishing, and vishing engagements. Once promoted to a full-time Information Security Analyst, Gavin now also performs IT security audits and onsite social engineering tests. He earned a Bachelor of Science in Computer Science from Louisiana State University and currently holds a certification in Security+.