CDK Global Allegedly Paid $25 Million Ransom in Bitcoin Following Ransomware Attack
CDK Global reportedly paid a $25 million ransom in Bitcoin to regain access to its servers after a debilitating ransomware attack.
Last week, CDK successfully restored services to car dealerships across the United States after a two-week outage caused by a “cyber incident,” which appeared to be a ransomware infection. The disruption affected up to 15,000 car dealerships, including major chains like Asbury, AutoNation, Group 1, Lithia, and Sonic, halting sales and registration processes in several states.
While CDK has not officially disclosed how it managed to bring its systems back online, CNN reports that sources claim the company paid a $25 million ransom to the ransomware operators.
According to crypto forensics firm TRM Labs, a transaction of 387 Bitcoin was tracked to an account allegedly controlled by cybercriminals who deploy the BlackSuit ransomware, the same group responsible for an attack on Octapharma Plasma in April. It is believed that the Bitcoin payment did not come directly from CDK but from a company that specializes in handling cyber-ransom demands.
Reports suggest that the ransom was paid just two days after the attack, indicating that CDK might have quickly agreed to pay in exchange for assurances that the attackers would not leak any stolen data and would cease their activities. Despite paying the ransom, it took several days for CDK to rebuild and restore its services, possibly due to the need to restore from backups and retrieve information from systems encrypted by the ransomware.
There are still many unknowns about the incident, including the exact details of CDK’s recovery process. It is generally advised to wipe or replace compromised machines even after paying a ransom, and that rebuild work can delay the resumption of operations.
Most ransomware victims nowadays choose not to pay their attackers, with only 29 percent paying in the last quarter of the previous year. However, the criminals who targeted CDK managed to extort a significant amount, more than the $22 million extorted from Change Healthcare.
The $25 million ransom is minimal compared to the industry-wide damages caused by the incident. According to Anderson Economic Group, the financial damage to dealerships during the first two weeks of the shutdown is estimated at over $600 million, or 24 times the ransom amount. This figure likely underestimates the full impact, as it does not account for factors like reputational damage, customer dissatisfaction, and potential legal consequences.
The situation remains unresolved, according to an 8-K filing by Sonic Automotive with the SEC. The filing indicates that some systems, including the CRM and certain functions of the DMS, are still offline as the company continues its investigation and testing. Additionally, several third-party applications accessible through the affected systems also remain offline, with no clear timeline for full restoration.