CDK Global Paid $25M Ransom Following Cyberattack

By Admin | 2024-07-16 | Ransomware

CDK Global, a major provider of software solutions for car dealerships, reportedly paid a $25 million ransom in Bitcoin after its servers were crippled by a ransomware attack.

Last week, CDK restored services to car dealerships across the United States following a two-week outage caused by what appeared to be a ransomware infection. This shutdown affected up to 15,000 car dealerships, including major chains like Asbury, AutoNation, Group 1, Lithia, and Sonic, disrupting sales and registrations in some states.

CDK has not disclosed how it managed to resume operations, but CNN cites sources claiming the software firm paid a $25 million ransom to the ransomware operators. According to crypto forensics firm TRM Labs, a transaction of 387 Bitcoin was sent to an account linked to the ransomware group known as BlackSuit, which also targeted Octapharma Plasma in April. The payment did not come directly from CDK but from a firm specializing in handling cyber-ransom demands.

The ransom was reportedly paid just two days after the attack, suggesting CDK acted quickly to prevent the leakage of stolen data and to expedite recovery. Despite this, it took several days to rebuild and restore services, potentially due to the need to restore from backups or decrypt information on compromised machines.

Generally, compromised machines should be wiped or replaced even if a ransom is paid, since a decryption key does not remove any foothold the attackers left behind; this rebuild work is what delays the resumption of operations.

Despite the increasing trend of ransomware victims not paying attackers—only 29 per cent paid in Q4 last year—the attackers who targeted CDK succeeded in extracting a significant sum, surpassing the $22 million ransom paid by Change Healthcare.

However, the $25 million ransom is minor compared to the estimated industry-wide damages caused by the incident. The Anderson Economic Group estimates the total financial damage to dealers during the first two weeks of the shutdown at over $600 million, 24 times the ransom amount. This estimate excludes harder-to-quantify factors like reputational damage, customer dissatisfaction, and legal consequences.

The situation may still be unresolved, according to an 8-K filing by Sonic Automotive to the SEC. "Other affected systems, including the CRM and certain functions of the DMS, remain offline as the company continues to investigate and test such systems," the dealer network stated. "Additionally, some third-party applications typically accessible through the affected systems also remain offline. The timing of restoration of full access to all affected systems remains unclear."