Car dealer software slinger CDK Global said to have paid $25M ransom after cyberattack

15K dealerships take estimated $600M+ hit


CDK Global reportedly paid a $25 million ransom in Bitcoin after its servers were knocked offline by crippling ransomware.

Last week, CDK restored services to car dealerships across the US after a two-week outage caused by a "cyber incident" that looked a lot like a ransomware infection. The shutdown of CDK's software platform caused chaos for up to 15,000 car dealerships, including the Asbury, AutoNation, Group 1, Lithia, and Sonic chains, stopping sales going through and registrations being filed in some states.

CDK hasn't yet disclosed how exactly it was able to get its business back online, but CNN cites sources who claim the software firm had to pay a ransom of $25 million to the ransomware's operators.

Crypto forensics firm TRM Labs meanwhile says it spotted the 387 Bitcoin transaction going into an account said to be controlled by the criminals who deploy the ransomware known as BlackSuit, the same group that hit Octapharma Plasma in April. The Bitcoins didn't come from CDK directly but instead from a firm that specializes in dealing with cyber-ransom demands, it's claimed.

The ransom was actually paid just two days after the attack, we're told. That would suggest CDK perhaps coughed up, as claimed, straight away to persuade the extortionists to not leak any data stolen during the infection and to just back off, and that it subsequently took several days to rebuild and restore service. CDK may have been able to restore from backups and/or may have needed some information on computers encrypted by the ransomware, adding time to recovery. There are still a lot of unknowns.

It's generally a good idea to wipe or replace compromised machines, even if you've paid a ransom to decrypt and prevent the leak of any exfiltrated data, which will usually delay a restart of operations.

Nowadays, most ransomware victims don't pay their attackers, with just 29 percent having coughed up in Q4 last year. The miscreants who shook down CDK did relatively well for themselves, earning more than the outfit that extorted Change Healthcare for $22 million.

Still, $25 million is apparently nothing compared to the industry-wide damages that this incident caused. Anderson Economic Group claims the total financial damage to dealers in the first two weeks of the shutdown is just over $600 million, or 24 times the ransom. And that may be underestimating the effects, since that figure doesn't include hard-to-quantify factors such as cost to reputation, peeved customers, and the legal ramifications of such an outage.

Plus, the entire situation still may not be resolved, according to an 8-K filing by Sonic Automotive to America's financial watchdog, the SEC. "Other affected systems, including the CRM and certain functions of the DMS, remain offline as the company continues to investigate and test such systems," the dealer network said.

"Additionally, some third-party applications typically accessible through the affected systems also remain offline. The timing of restoration of full access to all affected Systems remains unclear."

CDK has so far declined to comment. ®
