CDK Ransomware Attack: A Comprehensive Overview


Understanding the CDK Ransomware Attack

Recently, CDK faced a severe ransomware attack characterized by double extortion tactics. In this method, threat actors both encrypt and steal data, then threaten to leak the stolen information if the ransom is not paid. The attack significantly impacted CDK, which is finally in the recovery phase. In the meantime, CDK is advising customers to resort to manual processes while it negotiates with the attackers to obtain decryption keys. Dealers are now starting to come back online.

The Ripple Effect on Disaster Recovery and Supply Chain

The incident underscores the critical importance of robust disaster recovery plans and highlights vulnerabilities of single points of failure within the supply chain. The likely threat vector for this attack was identified as phishing, a common but effective method for initiating such breaches.

Response and Mitigation Efforts

In response to the attack, businesses utilizing CDK’s services have severed access to prevent further infiltration. CDK will likely engage a cybersecurity firm such as Mandiant to conduct a thorough forensic investigation and breach assessment. Before resuming access, organizations should request a letter of attestation from CDK confirming that the threat has been mitigated. Ensuring that the right people, processes and technologies are in place, including tools like Trellix XDR to prevent, detect, and respond to these types of attack, can help smaller dealerships.

Timeline of Events

  • June 19: CDK announced the cyberattack and initiated a precautionary shutdown.
  • June 21: Bloomberg reported that a hacker group was demanding ransom.
  • June 25: CDK projected that services would be down until June 30.
  • June 30: Some dealerships managed to resume operations, but not all were fully operational.
  • July 1: CDK announced that all dealers would be back online by July 3.

Identifying the Threat Actor: Blacksuit

The attack has been attributed to Blacksuit, a sophisticated threat actor known for its double extortion strategies. Blacksuit, a rebrand of the notorious Conti group, is infamous for encrypting and stealing data, and demanding ransoms ranging from $45 million to over $90 million. Typically, they provide decryption keys upon receiving the ransom. Customers should still be cautious with their data and review their credit monthly.

Customer Notifications and Liability

CDK has alerted customers about threat actors posing as CDK agents to gain unauthorized access. Both CDK and the affected dealerships bear the responsibility of notifying customers about the data breach. Additionally, auditors will evaluate the measures taken during and after the attack to ensure compliance and security. Lithia is reported to be up and running.

Actionable Follow-Ups for Dealerships and Third Parties

In light of the CDK ransomware attack, dealerships and third parties should focus on the following actionable items:

  1. Review and Update Disaster Recovery Plans: Ensure that disaster recovery plans are robust and account for potential ransomware attacks.
  2. Obtain a Letter of Attestation from CDK: Before resuming access, secure a letter of attestation from CDK confirming the resolution of the attack.
  3. Notify Affected Customers: If customer data was compromised, promptly notify the affected individuals and provide them with the necessary information and support.

By taking these steps, and educating staffers to understand and guard against phishing techniques, businesses can better prepare for and mitigate the impacts of future cyberattacks.

Jessica Gonzalez, Director of Lending Strategies
With more than 15 years’ experience in the financial services industry, including tenures at Santander Consumer USA and Visa, Jessica Gonzalez is now the VP of Customer Success, Lending at Informed.IQ.
