Cybersecurity Lessons Learned From the Recent CDK Car Dealership Ransomware Attack
On Wednesday, June 19, 2024, a ransomware attack launched by a hacking group called BlackSuit took down the operations of approximately 15,000 North American auto retailers. The hackers did not attack the individual car dealerships; they attacked a Software-as-a-Service (SaaS) provider named CDK. The CDK Dealer Management System software handled everything from sales quotes to financing to store profit tracking and employee compensation. Some customers could not get titles, and many dealerships could not register cars unless they drove the paperwork to the DMV.
CDK actually experienced two cyberattacks. This is not uncommon: when one attacker is successful, others begin to target the same organization. This is why it can be dangerous to pay the ransom without fixing the underlying problem; paying a large sum does not mean your systems are now safe from the next cyberattack. Quite the opposite: you are now the MAIN target for other cyberattackers.
According to a post on social platform X, BlackSuit initially asked for $10 million in ransom, and that figure increased by $10 million each day until the group received the money, up to $50 million.
There is no official confirmation that CDK paid the ransom, but many experts think the company did.
About BlackSuit
BlackSuit is known for double extortion: the group exfiltrates the data before it encrypts it and locks up the system. It then demands a ransom to unlock the systems, and if you don’t pay, it threatens to publish the stolen data on the dark web.
Just imagine how many credit reports, addresses, car registrations and other pieces of personal financial information they had access to, from some 15,000 car dealerships …
BlackSuit, which is made up of former members of the Conti and Royal hacking groups, has also attacked school districts as well as the Kansas City, Kansas Police Department.
OK, so what does this car dealer cyberattack have to do with the audiovisual industry?
About five years ago, Draper, a company that provides projection screens and other AV equipment, was hit with a ransomware attack from which it took about two weeks to recover. That news was covered by yours truly in this article, published on rAVe [PUBS] on July 15, 2019.
In that article, I listed the following lessons learned from the Draper ransomware attack:
- “[…] have an incident response plan in place, so all employees know exactly what to do, and what not to, in the event of a cyberattack.”
- “[…] consider paying the ransom if you are infected with ransomware. […] If you can’t confidently restore your systems back to normal within 24 hours, chances are that you will spend more money trying to fix your systems than the original ransom — not to mention the cost of lost business because your employees can’t process orders, answer emails, etc.”
These lessons still hold true five years later, but the big difference between the 2019 Draper ransomware attack and the CDK attack is that CDK is a SaaS provider, and its cloud-based software was used by 15,000 separate locations for most of their day-to-day operations. The 2019 Draper attack affected Draper and its dealers, but only for Draper product orders.
In the 2019 attack, no other AV product manufacturers were affected, and while projection screens are a long-lead-time item that must be carefully coordinated with the building construction, a screen order delayed by two weeks would not affect, say, your rack builders. A missing confidence monitor cart would not take out ALL of your quoting systems for weeks.
Now, consider how many AV integrators use cloud-based software in 2024, including
I am sure readers can think of other cloud-based tools they use to do their jobs, every day.
But Paul, some of the software is stored locally, and is only managed through the cloud, right?
Yes, internal voice in my head, you are correct. However, remember the 2021 rAVe article I wrote? In it, I warned readers that legitimate software downloads or updates can be used as an attack vector to distribute malware, just as in the SolarWinds attack. So local versions of the software are not automatically safe from attack, but they may help keep your business online if the cloud software provider gets hit by ransomware. Back up those servers daily.
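To make the two pieces of advice above concrete, here is an added example (written for this article, not code from CDK, Draper or any vendor mentioned here) of two small POSIX shell helpers: one that refuses to install a downloaded update unless its SHA-256 digest matches a value you obtained out-of-band (the vendor’s release page, not the same download link), and one that takes a dated archive of a local server and keeps only the newest N copies. The file paths, archive naming scheme and retention count are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original article or any vendor's tooling.
#   sha256_of      - print the SHA-256 hex digest of a file (GNU or BSD tools).
#   verify_update  - return 0 only if FILE's digest equals the pinned value.
#   backup_daily   - archive SRC_DIR into DEST_DIR and prune to KEEP archives.
# Paths, names and retention counts below are hypothetical.

# sha256_of FILE
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'   # macOS / BSD fallback
    fi
}

# verify_update FILE EXPECTED_SHA256
# The expected digest must come from a channel separate from the download
# itself, otherwise a tampered mirror can serve a matching hash alongside
# the tampered file.
verify_update() {
    file="$1"
    expected="$2"
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches pinned digest"
        return 0
    fi
    echo "REJECT: $file digest $actual != expected $expected" >&2
    return 1
}

# backup_daily SRC_DIR DEST_DIR KEEP
# Creates DEST_DIR/backup-YYYYMMDD-HHMMSS.tar.gz from SRC_DIR, deletes all
# but the newest KEEP archives (by modification time), and prints the path
# of the archive it just created.
backup_daily() {
    src="$1"
    dest="$2"
    keep="$3"
    mkdir -p "$dest" || return 1
    archive="$dest/backup-$(date +%Y%m%d-%H%M%S).tar.gz"
    tar -czf "$archive" -C "$src" . || return 1
    # newest first; skip the first KEEP entries and remove the rest
    ls -1t "$dest"/backup-*.tar.gz 2>/dev/null \
        | tail -n +"$((keep + 1))" \
        | while read -r old; do
            rm -f "$old"
        done
    echo "$archive"
}

# Typical cron use (hypothetical paths):
#   verify_update /tmp/dms-update.bin "$(cat /etc/pinned/dms-update.sha256)" \
#       && install_update /tmp/dms-update.bin
#   backup_daily /srv/dms-data /mnt/offline-backups/dms 14
```

One caveat the SolarWinds case makes obvious: a digest or signature check proves only that the file is what the vendor published. If the vendor’s own build pipeline was compromised, the poisoned update will carry a valid signature and a matching hash, so this check belongs alongside, not instead of, backups and an incident response plan. Keep at least one copy of the archives on storage that the production servers cannot write to, or ransomware will simply encrypt the backups too.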
The moral of the story is that, if you have not done so already, now is the time to start thinking about an incident response plan, a business continuity plan, and whatever other measures you will need if your company, or one of your software providers, gets hit with ransomware.