CDK Paid $25 Million Ransom To Expedite Recovery After Attacks: Report

The IT systems outage for car dealerships caused by a mid-June ransomware attack still lasted two weeks.

CDK Global reportedly paid $25 million to cybercriminals after a mid-June ransomware attack disrupted business for thousands of car dealerships.

According to a report from CNN citing multiple sources, software maker CDK paid the ransom to accelerate the recovery and end the outage following the attack that began June 18.


CRN has reached out to CDK for comment.

Restoration began early in the week following the ransomware attack, and on July 2, CDK said that “substantially all” of the car dealerships it serves were back online.

In a recorded message for customers heard that day, the company indicated that it expected to soon complete the restoration process for the thousands of dealerships that use its platform, saying most were already reconnected on its Dealer Management System (DMS).

“We are happy to report that we are ahead of the anticipated schedule and as of now substantially all dealer connections are live on the core DMS,” the company said in the recorded message on July 2.

Austin, Texas-based CDK has not responded to subsequent requests for comment on the status of the restoration process. The phone line that had been providing updates to customers has been disconnected.

CDK, a provider of software used by 15,000 dealerships, shut down most of its systems after cyberattacks struck on June 18 and 19.

CDK provides SaaS-based CRM, payroll, finance and other key functions for car dealerships, so the attacks caused widely felt disruption. A forecast issued by J.D. Power and GlobalData indicated that total new-vehicle sales for June were expected to drop by as much as 7.2 percent from the same month a year earlier, in the wake of the CDK disruptions.

A previous Bloomberg report indicated that the company was planning to make a ransom payment, purportedly worth tens of millions of dollars, with the goal of recovering its systems more quickly.

BleepingComputer reported previously that the BlackSuit ransomware group, believed to be the new name for the group known as Royal Ransomware, was behind the CDK incident.

BlackSuit had been negotiating with CDK for a payment in exchange for providing a ransomware decryptor and pledging to not leak data stolen from the company, according to the previous BleepingComputer report.

Following on the heels of ransomware attacks against prescription processor Change Healthcare and health system Ascension—both of which had massive impacts beyond the companies themselves—the CDK attack has added to questions about whether threat actors are now intentionally aiming to maximize societal disruption.