BlackSuit Cybercrime Gang Blamed in CDK Hack That Roiled Car Dealers

(Bloomberg) -- A hacking group called BlackSuit is behind the cyberattack on CDK Global that’s paralyzed car sales across the US, according to Allan Liska, a threat analyst at the security firm Recorded Future Inc.

Most Read from Bloomberg

• Supreme Court Poised to Allow Emergency Abortions in Idaho

• SpaceX Tender Offer Said to Value Company at Record $210 Billion

• Bolivia’s President Arce Swears in New Army Chief After Coup Bid

• China’s Finance Elite Face $400,000 Pay Cap, Bonus Clawbacks

• Supreme Court Ends OxyContin Settlement, Cracking Sackler Shield

The cybercrime group has demanded an extortion fee in the tens of millions of dollars from CDK, which plans to make the payment, Bloomberg News reported on Friday. CDK’s name was not listed Monday on the website where BlackSuit names its extortion victims, a possible indication that the company is still in negotiations with the group or has paid a ransom, said Liska, who specializes in ransomware investigations and has been in discussions with those involved in the CDK case.

CDK declined to comment about the identity of the attackers Monday. The company expects to restore services within the coming days and is working with law enforcement, company spokesperson Lisa Finney said.

The US Department of Health and Human Services recently declared in an alert that BlackSuit should be “closely watched” as a threat, in part because of the gang’s association with other extortion groups. It uses malware and attack techniques that are remarkably similar to the defunct Russian-speaking Conti gang, suggesting to cyber researchers that BlackSuit is partly made up of experienced Russian hackers.

The group functions as a ransomware-as-a-service gang, in which members lease their technical tools to affiliates and demand a cut of any extortion payments.

BlackSuit has potential ties with another group known as Royal Ransomware, according to Jon Clay, a threat intelligence researcher at the cybersecurity firm TrendMicro.

BlackSuit’s malicious software shares code with Royal Ransomware tools, according to the US Cybersecurity and Infrastructure Security Agency. The extent to which the groups are made of the same people remains unclear.

Royal Ransomware targeted at least 350 victims and demanded more than $275 million in ransom fees in 2022 and 2023, according to the FBI and CISA, a unit of the Department of Homeland Security.

BlackSuit meanwhile specializes in hacking Linux and Windows systems, according to the cyber firm Tripwire Inc. The desktop wallpaper on breached computers directs to a ransom note encouraging the victim to contact the group via a site on the dark web.

The same gang previously published hundreds of files stolen from the police department in Kansas City, Kansas. Nearly 200 plasma donation centers worldwide also shut down as a result of BlackSuit’s activity in April. The group has claimed credit for attacks on a Georgia school system and for stealing more than 200 gigabytes of data from an Indiana University.

Cybersecurity news site Bleeping Computer previously reported on BlackSuit’s involvement in the CDK hack, citing unnamed sources.

--With assistance from Jake Bleiberg.

(Updates with US alert in fourth paragraph)

Most Read from Bloomberg Businessweek

• The FBI’s Star Cooperator May Have Been Running New Scams All Along

• RTO Mandates Are Killing the Euphoric Work-Life Balance Some Moms Found

• Surging Returns Lure Private Equity Giants to India

• How Glossier Turned a Viral Moment for ‘You’ Perfume Into a Lasting Business

• Musk’s Population Obsession Comes With a Dark History

©2024 Bloomberg L.P.