A hacking group called BlackSuit is behind the cyberattack on CDK Global that’s paralyzed car sales across the US, according to Allan Liska, a threat analyst at the security firm Recorded Future Inc.
The cybercrime group has demanded an extortion fee in the tens of millions of dollars from CDK, which plans to make the payment, Bloomberg News reported on Friday. CDK’s name was not listed Monday on the website where BlackSuit names its extortion victims, a possible indication that the company is still in negotiations with the group or that it’s paid a ransom, said Liska, who specializes in ransomware investigations and has been in discussions with those involved in the CDK case.
A CDK spokesperson declined to comment about the identity of the attackers Monday. The company expects to restore services within coming days and is working with law enforcement, according to Lisa Finney, a CDK spokesperson.
Related: Ripple Effect From CDK Hack Widens as More U.S. Auto Dealers Flag Hit
BlackSuit appears to be a group of Russian and Eastern European hackers with a history of working with a group known as Royal Ransomware, according to Jon Clay, a threat intelligence researcher at the cybersecurity firm TrendMicro. It functions as a ransomware-as-a-service gang, in which members lease their technical tools to affiliates and demand a cut of any extortion payments.
BlackSuit’s malicious software shares code with Royal Ransomware tools, according to the US Cybersecurity and Infrastructure Security Agency. The extent to which the groups are made of the same people remains unclear.
Related: CDK Tells Car Dealers Their Systems Likely Offline Several Days
Royal Ransomware targeted at least 350 victims and demanded more than $275 million in ransom fees in 2022 and 2023, according to the FBI and CISA, a unit of the Department of Homeland Security.
BlackSuit group specializes in hacking Linux and Windows systems, according to the cyber firm Tripwire Inc. The desktop wallpaper on breached computers directs to a ransom note encouraging the victim to contact the group via a site on the dark web.
Related: Cyberattack Hits Software Provider for Car Dealers Across the U.S.
The same gang previously published hundreds of files stolen from the police department in Kansas City, Kansas. Nearly 200 plasma donation centers worldwide also shut down as a result of BlackSuit’s activity in April. The group has claimed credit for attacks on a Georgia school system and for stealing more than 200 gigabytes of data from an Indiana University.
Cybersecurity news site Bleeping Computer previously reported on BlackSuit’s involvement in the CDK hack, citing unnamed sources.
Top photo: Used vehicles for sale at a dealership in Colma, California, US, on Friday, June 21, 2024. CDK Global, a software provider to some 15,000 car dealers, was waylaid by debilitating cyberattacks this week that have had a crippling effect on the auto sales industry. Photographer: David Paul Morris/Bloomberg
Was this article valuable?
Here are more articles you may enjoy.