CDK Global was on the road to recovery after a ransomware attack – then it was hit a second time

Cars lined up and unused at a vehicle showroom after the CDK Global cyber attack impacted car dealerships across the US.
(Image credit: Getty Images)

Hot on the heels of a ransomware attack, CDK Global was breached a second time while attempting to restore systems, which security experts said highlights the importance of not rushing recovery processes.

On June 19, CDK sent a notification to dealerships warning them the company had experienced a cyber incident that forced it to take the majority of its software systems offline.

With its systems in use in over 15,000 car dealerships across North America, the incident has caused widespread disruption, forcing many to revert back to manual, pen-and-paper processes for record-keeping and administration. 

The software giant confirmed the disruption was caused by a “ransom event” after Allan Liska, a threat intelligence analyst at Recorded Future, told Bloomberg the attack was conducted by the BlackSuit ransomware gang.

The group has reportedly issued a ransom demand worth tens of millions of dollars and, according to reporting from Fortune citing a source familiar with the matter, CDK is planning on complying with the threat actor’s requests.

CDK Global is yet to confirm the identity of the group behind the attack, however, ITPro has approached the firm for clarification and whether there is any truth to claims it is planning a ransom payment.

CDK was hit during its recovery process

Aaron Walton, threat intel analyst at MDR specialist Expel, highlighted the fact that CDK was breached for a second time after briefly restoring some of its systems.

“Something we haven’t seen discussed about the CDK Global ransomware attack is that after the initial incident, the company temporarily restored some systems before threat actors took them down—again”, he explained.

“During an incident, security teams are under heavy pressure to get systems back into service; however, great care needs to be taken during an incident. The series of events in this incident suggests that the ransomware actors were aware that CDK Global restored some systems. Unfortunately, it appears the criminals were still in CDK’s network, allowing them to compromise the systems a second time.”

Walton added that threat actors prioritize maintaining persistence on the target network in order to maximize their ability to extract the ransom from their victim. 

This underscores the importance of ensuring threat actors no longer have any foothold within networks before attempting to restore compromised systems, he added.

“Victims restoring from backup threatens ransomware actors’ chances of receiving their demands. As a result, ransomware actors attempt to encrypt or delete backups to further force the hand of the victim organization to pay the ransom,” Walton said.

“Often ransomware actors will remain in the environment they’ve compromised and monitor communications from the victim. This gives the actor additional leverage and time to take preemptive action, should a victim attempt to find alternative solutions to paying the ransom.”

BlackSuit operators are likely experienced extortion specialists

BlackSuit has been recorded executing double-extortion ransomware since May 2023, according to a report on the collective from ReliaQuest. The firm added that the group predominantly targets US-based companies in critical sectors including education and industrial goods.

ReliaQuest’s investigation identified a number of common techniques leveraged by BlackSuit in its attacks, such as using tools like PsExec, remote desktop protocol (RDP), and Rubeus for lateral movement, as well as FTP for data exfiltration.

While the group’s techniques were not described as particularly novel in the report, ReliaQuest noted their continued success highlights their efficacy and the difficulty of “appropriate mitigation”.


The report underlined the fact that multiple investigations into the group, including one from the US Department of Health and Human Services, noted similarities between its TTPs and those of the Royal ransomware collective, an alleged successor to the Conti group.

ReliaQuest concluded that individuals behind BlackSuit are likely experienced operators due to the sophistication and efficacy of their techniques and choice of targets.

“The group’s pedigree, varied malware deployment methods, and advanced encryption and system recovery processes indicate that BlackSuit’s operators are likely experienced and technically proficient.”

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.