A hacking group called BlackSuit is behind the cyberattack on CDK Global that’s paralysed car sales across the US, according to Allan Liska, a threat analyst at the security firm Recorded Future Inc.
The cybercrime group has demanded an extortion fee in the tens of millions of dollars from CDK, which plans to make the payment, Bloomberg News reported on Friday.
CDK’s name was not listed Monday on the website where BlackSuit names its extortion victims, a possible indication that the company is still in negotiations with the group or that it’s paid a ransom, said Liska, who specializes in ransomware investigations and has been in discussions with those involved in the CDK case.
A CDK spokesperson declined to comment about the identity of the attackers Monday. The company expects to restore services within coming days and is working with law enforcement, according to Lisa Finney, a CDK spokesperson.
BlackSuit appears to be a group of Russian and Eastern European hackers with a history of working with a group known as Royal Ransomware, according to Jon Clay, a threat intelligence researcher at the cybersecurity firm TrendMicro. It functions as a ransomware-as-a-service gang, in which members leases their technical tools to affiliates and demand a cut of any extortion payments.
BlackSuit’s malicious software shares code with Royal Ransomware tools, according to the US Cybersecurity and Infrastructure Security Agency. The extent to which the groups are made of the same people remains unclear.
Royal Ransomware targeted at least 350 victims and demanded more than $275 million (R5 billion) in ransom fees in 2022 and 2023, according to the FBI and CISA, a unit of the Department of Homeland Security.
BlackSuit group specialises in hacking Linux and Windows systems, according to the cyber firm Tripwire Inc. The desktop wallpaper on breached computers directs to a ransom note encouraging the victim to contact the group via a site on the dark web.
The same gang previously published hundreds of files stolen from the police department in Kansas City, Kansas. Nearly 200 plasma donation centres worldwide also shut down as a result of BlackSuit’s activity in April. The group has claimed credit for attacks on a Georgia school system and for stealing more than 200 gigabytes of data from an Indiana University.
Cybersecurity news site Bleeping Computer previously reported on BlackSuit’s involvement in the CDK hack, citing unnamed sources.
BLOOMBERG