CDK Global outage has been caused by a massive BlackSuit ransomware attack, significantly disrupting car dealerships across North America. According to multiple sources who requested anonymity, CDK Global is currently negotiating with the BlackSuit ransomware gang to receive a decryptor and prevent the leak of stolen data. BleepingComputer was the first to report that BlackSuit is responsible for the attack, while Bloomberg earlier revealed the ongoing negotiations between CDK and the threat actors.

The ransomware attack forced CDK Global to shut down its IT systems and data centers, including its car dealership platform, to contain the spread. Despite attempts to restore services on 19 June 2024, CDK experienced a second cybersecurity incident, necessitating another shutdown. CDK is a software-as-a-service (SaaS) provider whose platform is essential for car dealerships, covering sales, financing, inventory, service, and back-office functions. With the platform offline, dealerships have reverted to pen and paper, impacting car purchases and services.

Major public car dealership companies, Penske Automotive Group and Sonic Automotive, have also been affected. Penske disclosed in an SEC filing that their Premier Truck Group business, which relies on CDK’s dealer management system (DMS), experienced disruptions. They implemented precautionary steps and business continuity plans to operate manually. Sonic Automotive similarly reported disruptions to their DMS and customer relationship management (CRM) systems, stating that all dealerships remain operational using workaround solutions.

CDK Global warned that threat actors are impersonating CDK agents to gain unauthorized access to systems. Efforts to learn more about the attack from CDK have yet to yield a response.

The BlackSuit ransomware gang, which launched in May 2023, is believed to be a rebrand of the Royal ransomware operation, itself a successor to the notorious Conti cybercrime syndicate. The Royal ransomware gang has been linked to numerous attacks and significant ransom demands. Following the City of Dallas attack, the Royal operation began testing a new encryptor, BlackSuit, and has since rebranded under this new name. The FBI and CISA noted in a November 2023 advisory that Royal and BlackSuit share similar tactics and encryptor coding, linking them to over 350 attacks and $275 million in ransom demands since September 2022.