CDK Global Begins Restoration After Cyberattacks: Reports

The maker of software used by thousands of car dealerships has reportedly been in negotiations with threat actors over a ransom payment worth tens of millions of dollars.

CDK Global has begun to restore its systems and has been in negotiations with threat actors over a ransom payment, purportedly worth tens of millions of dollars, according to media reports.

Austin, Texas-based CDK, a provider of software used by 15,000 car dealerships, shut down most of its systems after the cyberattacks struck last Tuesday and then again on Wednesday. CDK provides SaaS-based CRM, payroll, finance and other key functions for dealerships.


In a recorded message for customers heard Monday, CDK said it is “continuing the restoration process of our core applications” but did not specify a timeframe for the work to be completed.

“We are working with multiple third-party experts and will share detailed plans when possible, including the sequencing of the restoration,” the company said in the message.

Late Friday, Bloomberg reported that a cybercriminal group was demanding tens of millions of dollars, and that CDK intended to pay the ransom. BleepingComputer reported Saturday that the BlackSuit ransomware group, believed to be the new name for the group known as Royal Ransomware, was behind the CDK incident.

BlackSuit had been negotiating with CDK for a payment in exchange for providing a ransomware decryptor and pledging not to leak data stolen from the company, according to BleepingComputer.

On Sunday, Bloomberg and Reuters reported that restoration efforts by CDK had begun. The restoration is expected to take “several days and not weeks,” according to a CDK statement cited by Bloomberg.

A CDK spokesperson declined to comment in an email to CRN Monday.

Pair Of Attacks

While CDK was working to recover from the first attack last week, the company was struck by a second attack late on Wednesday evening, according to CDK.

“Late in the evening of June 19, we experienced an additional cyber incident and proactively shut down most of our systems,” CDK said in a statement provided to CRN Thursday.

CDK said in its recorded message that in addition to its own systems, “integration partners have disabled access and error messages may be experienced.”

The system shutdown resulted in an outage that has severely affected thousands of car dealerships. “CDK basically runs our entire store,” a staff member at a car dealership in New Castle, Pa., said in an email to CRN Friday.

A recorded message from CDK heard Friday alluded to frequent impersonation scams targeting dealership staff, with attackers posing as representatives of CDK or its affiliates in an attempt to gain credentials.

“Do not provide sensitive information such as passwords or provide system access under any circumstances,” the recorded message warned.