Article Details
Scrape Timestamp (UTC): 2024-07-02 12:56:02.757
Original Article Text
CDK Global says all dealers will be back online by Thursday
CDK Global says that its dealer management system (DMS), impacted by a massive IT outage following a June 18th ransomware attack, will be back online by Thursday for all car dealerships.
The company is also working on restoring access to other affected applications, including its Customer Relationship Management (CRM), ONE-EIGHTY, and Service solutions.
"We are continuing our phased approach to the restoration process and are rapidly bringing dealers live on the Dealer Management System (DMS)," CDK spokesperson Lisa Finney told BleepingComputer. "We anticipate all dealers connections will be live by late Wednesday, July 3 or early morning Thursday, July 4."
The software-as-a-service (SaaS) provider's platform is used by over 15,000 car dealerships across North America to run their operations, including sales, financing, inventory, service, and back-office functions.
Because of the widespread outage after last month's attack that forced CDK to shut down its IT systems and data centers, car dealerships using the company's dealer management system have had to switch to pen and paper, and buyers were unable to purchase cars or receive service for already-bought vehicles.
While trying to restore service, CDK suffered a second cyberattack, which again forced it to take down all IT systems and login systems to contain the breach.
CDK also warned two weeks ago that threat actors are now calling dealerships posing as CDK affiliates or agents to gain unauthorized access to their systems.
BlackSuit ransomware attack
While the company has yet to reveal who was behind the June breach, multiple sources familiar with the matter have told BleepingComputer that the BlackSuit ransomware gang was behind CDK Global's massive IT outage that disrupted car dealerships across North America.
The same sources also told BleepingComputer that the company was negotiating with the ransomware group to receive a decryptor and prevent data stolen during the attack from being leaked online.
BlackSuit surfaced in May 2023 and is believed to be a rebrand of the Royal ransomware operation and the direct successor of the notorious Conti cybercrime syndicate.
In June 2023, after attacking the City of Dallas, Texas, the Royal Ransomware operation started testing a new encryptor called BlackSuit amid rebranding rumors. Since then, the threat actors have been working under the BlackSuit name, with Royal Ransomware attacks stopping altogether.
A joint advisory from the FBI and CISA revealed in November 2023 that Royal and BlackSuit share similar tactics, while their encryptors exhibit obvious coding overlaps. The same advisory linked the Royal ransomware gang to attacks against over 350 organizations worldwide since September 2022 and over $275 million in ransom demands.
Daily Brief Summary
CDK Global's dealer management system was crippled by a ransomware attack on June 18, affecting operations across North American car dealerships.
The company promises to restore full functionality to all dealers by Thursday, following multiple IT system shutdowns to contain breaches.
Affected applications also include Customer Relationship Management (CRM), ONE-EIGHTY, and service solutions, currently being restored in phases.
Over 15,000 car dealerships had been forced to revert to manual operations, disrupting sales and services significantly.
CDK Global has faced a second cyberattack during the recovery phase, further complicating restoration efforts.
The BlackSuit ransomware group, a probable evolution of the Royal ransomware operation, is believed to be behind the attacks.
CDK is reportedly negotiating with the attackers for a decryptor and to prevent the leak of stolen data.