
‘BlackSuit’ Hacker Hits CDK Global, US Car Dealers

The newest ransomware attack by ‘BlackSuit’ hackers on CDK Global, a software company, impacted auto dealership operations nationwide.

CDK produces software frequently employed by automobile dealerships to manage sales and other transactions. Local press has reported that numerous dealers have begun manually processing transactions in response to the breach.

The following is additional information regarding BlackSuit, the cyber group that analysts believe is responsible for the CDK hack:

WHO/WHAT IS BLACKSUIT?

The group was established in May 2023, but more information is needed. According to analysts, it is a relatively new cybercriminal organization that has emerged from an older and well-known malware group affiliated with Russia, RoyalLocker.

RoyalLocker was a formidable hacker organization primarily responsible for hacking American companies. It was an offshoot of another prolific gang, Conti. Analysts believe Royal was the third most persistent ransomware group, following LockBit and ALPHV.

However, BlackSuit is less aggressive than the others. According to Kimberly Goody, the director of cybercrime analysis at Mandiant Intelligence, the number of victims listed on its data leak site indicates that it does not have as many hacking partners as larger ransomware organizations.

“The U.S. has been the primary location for most BlackSuit victims, with the U.K. and Canada following closely behind. These victims have been located in a diverse array of sectors,” she stated.

HOW MANY ORGANIZATIONS HAS BLACKSUIT HACKED?

According to the security firm Recorded Future, it has infiltrated at least 95 organizations worldwide.

The firm stated in an email that the number of BlackSuit victims is likely significantly greater.

According to a blog published by the security firm ReliaQuest last month, most of these organizations were American and focused on sectors such as education and industrial products.

“As recently as last week, we have observed Russian-speaking threat actors affiliated with BlackSuit soliciting partnerships in underground forums to provide access to companies,” claimed Goody.

HOW DOES BLACKSUIT FUNCTION?

BlackSuit is recognized for its ability to engage in “double extortion,” which involves the theft of sensitive data from a victim organization, the locking of its systems, and the threat of information leakage.

According to Goody of Mandiant, BlackSuit had made hacking infrastructure available to other smaller partner organizations of cyber criminals, referred to as “affiliates.”

BlackSuit offered its associates assistance with extortion, such as the provision of resources to harass victims or undermine their websites to induce them to pay.

Hillary Ondulohi

Hillary is a media creator with a background in mechanical engineering. He leverages his technical expertise to craft informative pieces on protechbro.com, making complex concepts accessible to a wider audience.
