CDK Global reportedly paid a $25 million ransom to cybercriminals after a mid-June ransomware attack disrupted business for thousands of car dealerships. This hefty payment was made to accelerate the recovery process and end the outage, which began on June 18, causing significant disruptions.

According to a CNN report citing multiple sources, CDK Global paid the ransom to restore operations swiftly. The ransomware attack resulted in a two-week IT systems outage for car dealerships. Restoration efforts began early the following week, and by July 2, CDK announced that “substantially all” of the car dealerships it serves were back online.

In a recorded message for customers on July 2, CDK indicated that most dealerships using its Dealer Management System (DMS) were reconnected. “We are happy to report that we are ahead of the anticipated schedule and as of now substantially all dealer connections are live on the core DMS,” the company stated.

Continued Silence from CDK

Austin, Texas-based CDK has not responded to further requests for comment on the status of the restoration process. Additionally, the phone line that had been providing updates to customers has been disconnected. 

CDK Global, a provider of software solutions for 15,000 dealerships, had to shut down most of its systems following cyberattacks on June 18 and 19. Offering SaaS-based CRM, payroll, finance, and other essential functions, CDK’s shutdown caused widespread disruption across the automotive industry. The disruption caused by the attack was significant. A forecast issued by J.D. Power and GlobalData suggested that total new-vehicle sales for June could drop by as much as 7.2 percent compared to the same month the previous year. This anticipated decline highlights the widespread impact of the CDK disruptions on the automotive industry.

Ransom Negotiations

A previous Bloomberg report indicated that CDK was planning to make a ransom payment worth tens of millions of dollars to expedite system recovery. BleepingComputer reported that the BlackSuit ransomware group, believed to be the rebranded Royal Ransomware group, was behind the incident. BlackSuit had been negotiating with CDK, offering a ransomware decryptor and a pledge not to leak stolen data in exchange for the ransom.

The CDK attack, following similar ransomware incidents affecting Change Healthcare and health system Ascension, raises concerns about whether cybercriminals are intentionally aiming to maximize societal disruption. These attacks have had massive impacts beyond the targeted companies, prompting questions about the growing threat posed by ransomware groups. CDK Global’s response to the ransomware attack underscores the significant challenges businesses face in protecting their IT infrastructure from cyber threats and the extreme measures sometimes required to restore operations after a breach.