US car dealers are feeling the pain of CDK cyberattack | CyberScoop<\/title> <meta name=\"description\" content=\"A handful of major U.S. auto dealers said their business operations have been affected by a ransomware incident on the key software provider. \"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/cdk-ransomware-car-dealers\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"US car dealers are feeling the pain of CDK cyberattack\"> <meta property=\"og:description\" content=\"A handful of major U.S. auto dealers said their business operations have been affected by a ransomware incident on the key software provider. \"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/cdk-ransomware-car-dealers\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-06-24T18:47:45+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/06\/us-car-dealers-are-feeling-the-pain-of-cdk-cyberattack-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1278\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"eliasgroll\"> <meta name=\"twitter:card\" content=\"summary_large_image\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1719249387g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1718292839g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1716385020g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=74528d75ce0daeb8628a\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/80796\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.5.4\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=80796\">\n<link rel=\"alternate\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcdk-ransomware-car-dealers%2F\">\n<link rel=\"alternate\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcdk-ransomware-car-dealers%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-80796 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/cdk-ransomware-car-dealers\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"24.866946778711\">\n<div class=\"single-article__header-content\" readability=\"29.962343096234\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/news\/cybersecurity\/\"> <span>Cybersecurity<\/span> <\/a> <\/li>\n<\/ul>\n<p> A handful of major U.S. auto dealers said their business operations have been affected by a ransomware incident on the key software provider. <\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/06\/us-car-dealers-are-feeling-the-pain-of-cdk-cyberattack.jpg?resize=640%2C426&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/06\/us-car-dealers-are-feeling-the-pain-of-cdk-cyberattack-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/06\/us-car-dealers-are-feeling-the-pain-of-cdk-cyberattack-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/06\/us-car-dealers-are-feeling-the-pain-of-cdk-cyberattack-2.jpg?resize=768,511 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/06\/us-car-dealers-are-feeling-the-pain-of-cdk-cyberattack-2.jpg?resize=1024,682 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/06\/us-car-dealers-are-feeling-the-pain-of-cdk-cyberattack-2.jpg?resize=1536,1022 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/06\/us-car-dealers-are-feeling-the-pain-of-cdk-cyberattack-2.jpg?resize=600,399 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/06\/us-car-dealers-are-feeling-the-pain-of-cdk-cyberattack-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/06\/us-car-dealers-are-feeling-the-pain-of-cdk-cyberattack-2.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/06\/us-car-dealers-are-feeling-the-pain-of-cdk-cyberattack-2.jpg?resize=1014,675 1014w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/06\/us-car-dealers-are-feeling-the-pain-of-cdk-cyberattack-2.jpg?resize=1266,843 1266w\" sizes=\"(max-width: 1014px) 100vw, 1014px\"><figcaption> A car hauler passes a Chevrolet dealership on June 20, 2024 in Chicago, Illinois. (Photo by Scott Olson\/Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"36.396425555868\"><body readability=\"72.999401376833\"><\/p>\n<p>At least four companies have alerted the Securities and Exchange Commission that the fallout from the ransomware attack on automotive industry software provider CDK Global has had a negative or disruptive impact on their operations, according to recent filings with the agency.<\/p>\n<p>In filings made public Friday and Monday, four major automotive dealers \u2014 <a href=\"https:\/\/www.sec.gov\/Archives\/edgar\/data\/1023128\/000102312824000079\/lad-20240619.htm\">Lithia Motors<\/a>, <a href=\"https:\/\/www.sec.gov\/Archives\/edgar\/data\/1031203\/000103120324000048\/gpi-20240619.htm\">Group 1 Automotive<\/a>, <a href=\"https:\/\/www.sec.gov\/Archives\/edgar\/data\/1019849\/000101984924000089\/pag-20240619.htm\">Penske Automotive Group<\/a> and <a href=\"https:\/\/www.sec.gov\/Archives\/edgar\/data\/1043509\/000104350924000059\/sah-20240619.htm\">Sonic Automotive<\/a> \u2014 said their operations had been affected by the attack on CDK. <\/p>\n<p>The effects of the ransomware attack are being felt by U.S. car dealers less than a week after CDK detected a cyberattack and announced that \u201cout of an abundance caution and concern\u201d for its customers, it had \u201cshut down most of [its] systems,\u201d according a statement provided to CyberScoop from Lisa Finney, CDK\u2019s senior manager of external communications.<\/p>\n<p>BlackSuit, an established ransomware group, was responsible for the attack on CDK Global, the tech news site Bleeping Computer <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/cdk-global-outage-caused-by-blacksuit-ransomware-attack\/\">reported Saturday<\/a>. On Friday, <a href=\"https:\/\/www.bloomberg.com\/news\/articles\/2024-06-21\/cdk-hackers-want-millions-in-ransom-to-end-car-dealership-outage\">Bloomberg reported<\/a> that the group involved in the attack demanded \u201ctens of millions of dollars in ransom\u201d from the company, which provides software to \u201c<a href=\"https:\/\/www.cdkglobal.com\/\">nearly 15,000<\/a>\u201d auto dealer locations.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Allan Liska, a threat intelligence analyst at Recorded Future, told CyberScoop that BlackSuit was involved, and referred to the group as a \u201cmid-sized ransomware as a service offering\u201d that nevertheless has \u201chad a number of big victims.\u201d<\/p>\n<p>Neither Finney nor Brookfield Business Partners, CDK\u2019s parent company, responded to requests for comment on the latest fallout and payment demands Monday morning.<\/p>\n<p>BlackSuit emerged as a distinct ransomware entity in early April or May of 2023, <a href=\"https:\/\/www.sentinelone.com\/anthology\/blacksuit\/\">according to SentinelOne<\/a>, and could be a rebrand of the dormant Royal ransomware operation. A joint November 2023 <a href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa23-061a\">advisory from the Cybersecurity and Infrastructure Security Agency<\/a> reported that Royal targeted more than 350 known victims worldwide between September 2022 and November 2023 and pushed for more than $275 million in extortion demands.<\/p>\n<p>Royal is itself thought to be a rebrand of or connected to the Conti ransomware operation, said Brett Callow, threat analyst with Emsisoft. Conti, which shuttered its site in 2022, was known for major attacks around the world, and had links to the TrickBot malware operation, which the U.S. government <a href=\"https:\/\/cyberscoop.com\/us-uk-sanctions-trickbot-russia\/\">said in September 2023 had \u201cties\u201d to Russian intelligence services<\/a>.<\/p>\n<p>\u201cBlackSuit is believed to be connected to the Royal operation, which was believed to be connected to the Conti operation,\u201d Callow said, \u201cwhich means CDK could well be dealing with a set of very experienced cybercriminals who are used to negotiating large demands.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>BlackSuit has yet to mention anything about CDK Global on the website it uses to post messages about alleged targets and the data of targets that did not pay. BlackSuit has claimed 76 victims since May 2023, most of them from the United States, a representative of the cybersecurity firm KELA told CyberScoop in an email Monday. According to data collected by the cybersecurity firm Check Point, the group reported on its site 18 victims in May and seven so far in June.<\/p>\n<p>BlackSuit recently posted a large cache of data and internal files purportedly <a href=\"https:\/\/statescoop.com\/blacksuit-ransomware-kansas-city-2024\/\">stolen from the Kansas City, Kan., Police Department<\/a>.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"1.2867298578199\">\n<div class=\"author-card\" readability=\"8\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/06\/us-car-dealers-are-feeling-the-pain-of-cdk-cyberattack-1.jpg?w=640&ssl=1\" alt=\"AJ Vicens\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by AJ Vicens<\/h4>\n<p> AJ covers nation-state threats and cybercrime. He was previously a reporter at Mother Jones. Get in touch via Signal\/WhatsApp: (810-206-9411). <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/cdk-ransomware-car-dealers\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>US car dealers are feeling the pain of CDK cyberattack<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[2244,282,78,281,46],"tags":[2245,286,86,285,54],"class_list":["post-4160","post","type-post","status-publish","format-standard","hentry","category-car","category-cybercrime","category-cybersecurity","category-hacking","category-ransomware","tag-car","tag-cybercrime","tag-cybersecurity","tag-hacking","tag-ransomware"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/car\/\" rel=\"category tag\">car<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/hacking\/\" rel=\"category tag\">hacking<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ransomware\/\" rel=\"category tag\">ransomware<\/a>","tag_info":"ransomware","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/4160","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=4160"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/4160\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=4160"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=4160"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=4160"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":4160,"date":"2024-06-24T13:47:45","date_gmt":"2024-06-24T18:47:45","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=80796"},"modified":"2024-06-24T13:47:45","modified_gmt":"2024-06-24T18:47:45","slug":"us-car-dealers-are-feeling-the-pain-of-cdk-cyberattack","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/06\/24\/us-car-dealers-are-feeling-the-pain-of-cdk-cyberattack\/","title":{"rendered":"US car dealers are feeling the pain of CDK cyberattack"},"content":{"rendered":"