
Car dealer software slinger CDK Global said to have paid $25M ransom after cyberattack

15K dealerships take estimated $600M+ hit


CDK Global reportedly paid a $25 million ransom in Bitcoin after its servers were knocked offline by crippling ransomware.

Last week, CDK restored services to car dealerships across the US after a two-week outage caused by a "cyber incident" that looked a lot like a ransomware infection. The shutdown of CDK's software platform caused chaos for up to 15,000 car dealerships, including the Asbury, AutoNation, Group 1, Lithia, and Sonic chains, halting sales and, in some states, the filing of vehicle registrations.

CDK hasn't yet disclosed how exactly it was able to get its business back online, but CNN cites sources who claim the software firm had to pay a ransom of $25 million to the ransomware's operators.

Crypto forensics firm TRM Labs, meanwhile, says it spotted a 387 Bitcoin transaction going into a wallet said to be controlled by the criminals who deploy the ransomware known as BlackSuit, the same group that hit Octapharma Plasma in April. The Bitcoins are said to have come not from CDK directly but from a firm that specializes in handling cyber-ransom negotiations and payments.

The ransom was reportedly paid just two days after the attack. If so, CDK may have coughed up almost immediately to persuade the extortionists to back off and not leak any data stolen during the intrusion, with the following days spent rebuilding and restoring service. CDK may have been able to restore from backups, may have needed data from machines the ransomware had encrypted, or both, any of which would add time to recovery. There are still a lot of unknowns.

It's generally a good idea to wipe or replace compromised machines, even if you've paid for a decryptor and for a promise not to leak exfiltrated data: a decryption key does nothing about the access the intruders used to get in, so rebuilding from clean images and rotating credentials is the safer route, though that rebuild usually delays the restart of operations.

Nowadays, most ransomware victims don't pay their attackers: just 29 percent coughed up in Q4 last year. The miscreants who shook down CDK did relatively well for themselves, earning more than the outfit that extorted Change Healthcare for $22 million.

Still, $25 million is dwarfed by the industry-wide damage this incident caused. Anderson Economic Group estimates the total financial loss to dealers in the first two weeks of the shutdown at just over $600 million, or 24 times the ransom. And that may understate the effects, since the figure excludes hard-to-quantify factors such as reputational harm, irritated customers, and the legal ramifications of such an outage.

Plus, the entire situation still may not be resolved, according to an 8-K filing by Sonic Automotive with America's financial watchdog, the SEC. "Other affected systems, including the CRM and certain functions of the DMS, remain offline as the company continues to investigate and test such systems," the dealer network said.

"Additionally, some third-party applications typically accessible through the affected systems also remain offline. The timing of restoration of full access to all affected Systems remains unclear."

CDK has so far declined to comment. ®
