The BlackSuit ransomware gang is responsible for the significant IT outage that has disrupted CDK Global and car dealerships across North America, according to multiple anonymous sources. These sources confirmed to BleepingComputer that CDK is currently negotiating with the ransomware gang to obtain a decryptor and prevent the release of stolen data.

While BleepingComputer is the first to identify BlackSuit as the attacker, Bloomberg previously reported that CDK is in negotiations with the threat actors. Following the initial attack, CDK shut down its IT systems and data centers to contain the spread, including its car dealership platform. Attempts to restore services on Wednesday led to a second cybersecurity incident, causing another complete shutdown.

CDK Global, a software-as-a-service (SaaS) provider, offers a platform used by car dealerships for various operations, including sales, financing, inventory, service, and back office functions. With the platform down, dealerships have resorted to using pen and paper, with car buyers unable to purchase or service vehicles due to the outage.

Prominent public car dealership companies, Penske Automotive Group and Sonic Automotive, also reported disruptions. Penske’s SEC filing mentioned the impact on its Premier Truck Group business, while Sonic Automotive noted that all its dealerships are operating with workaround solutions to minimize disruption.

In addition to the outage, CDK has warned that threat actors are impersonating CDK agents to gain unauthorized access to systems. BleepingComputer has contacted CDK for more information but has yet to receive a response.

The BlackSuit ransomware gang, which emerged in May 2023, is believed to be a rebrand of the Royal ransomware operation. Royal, considered a successor to the notorious Conti cybercrime syndicate, ceased using its original name after an attack on the City of Dallas, Texas. The FBI and CISA linked Royal and BlackSuit in a joint advisory, noting their similar tactics and coding overlaps. Since September 2022, the Royal ransomware gang has been linked to attacks on at least 350 organizations worldwide and over $275 million in ransom demands.