CDK Global Resolved the Auto Dealer Outage by Reportedly Paying a $25 Million Ransom

July 12, 2024

According to sources familiar with the matter, CDK Global, a software company backing car dealerships across the U.S., seems to have paid a $25 million ransom to resolve the cyberattack last month.

The company has remained tight-lipped about the situation, and identifying the sender of a cryptocurrency payment is often difficult due to the anonymity provided by many crypto platforms. However, the blockchain, which records all cryptocurrency transactions, can still reveal a lot of detail.

On June 21, hackers linked to the BlackSuit ransomware received a cryptocurrency payment of around 387 bitcoins, valued at roughly $25 million. This information was provided to CNN by Chris Janczewski, head of global investigations at TRM Labs, a crypto-tracking firm.


CDK reported that its car dealership software platform was back online a week after the ransom payment. Although cryptocurrency transactions bypass traditional banking systems, they are recorded on the blockchain, making them traceable.

While Janczewski didn’t specify who made the payment, three other sources tracking the incident verified that around $25 million was transferred to BlackSuit affiliates. These sources, requesting anonymity due to the probe’s sensitive nature, indicated that CDK was most likely the origin of the payment.

The source declined to disclose the name of the firm linked with the cryptocurrency account that facilitated the ransom payment; the firm assists victims in dealing with ransom attacks.


Lisa Finney, a spokesperson for CDK, did not respond to several requests for comment from CNN regarding the reported payment on Wednesday and Thursday. CDK CEO Brian MacDonald also did not reply to emails or LinkedIn messages requesting a statement.

In June, around 15,000 car dealerships nationwide were forced to simplify operations to keep their businesses running smoothly due to the system outage described by CDK as a “cyber incident” in statements to the media. According to CBS, CDK referred to the event in a note to clients as a “cyber ransom event.”

Last week, CDK announced that its core management system had been brought back online.

Government authorities typically advise against ransom payments to cybercriminals, due to concerns that such actions could encourage further attacks. However, certain organizations find themselves compelled to comply with hackers’ demands in an attempt to regain access to critical customer information or restore their operational systems.

The payment would be a windfall for a relatively new brand of ransomware criminals that emerged last year and has claimed numerous victims in the education and construction sectors, among others. BlackSuit’s malicious software is similar to that previously used by other Russian-speaking criminal groups, according to the U.S. Department of Health and Human Services.

Jon DiMaggio, chief security strategist at cybersecurity firm Analyst1 who closely studies ransomware gangs, said, “The gang’s leadership has been conducting ransomware extortion operations since 2019 under other ransomware brand names.”

DiMaggio said, “This is one of many examples I have seen over the years where a group is either shut down by law enforcement or decides to terminate its operation to rebrand under a new name and continue attacking and extorting organizations.”
