
US car dealerships remain in the dark a week after software management provider CDK Global was hit by two cyberattacks and demands to pay a ransom believed to be in the multi-millions of dollars.

CDK Global, which has 15,000 dealers as clients in the US, six of them listed companies – including Lithia Motors, Group 1 Automotive and AutoNation – reported two cyberattacks on June 19.

It is unknown if CDK Global has responded to its attackers or has paid or plans to pay a ransom.

CDK said it has begun work to restore systems and that it expects the process to take “several days.”

“We are continuing to actively engage with our customers and provide them with alternate ways to conduct business,” CDK said in an emailed statement.

Meanwhile, dealers are resorting to the use of pencil and paper for some functions, including for service, where tickets were being handwritten with plans to follow up by email. 

“Parts is probably the hardest hit besides the actual accounting office,” said one dealer.

“In sales, we’re able to transact customers but are unable to stock in trades and auction purchases.”

CDK shut down most of its systems “out of an abundance of caution” for customers last Wednesday, said Automotive News, quoting CDK spokesperson Lisa Finney.

It restored some of its systems that afternoon, but another cyberattack later that evening prompted the company to take the systems offline once again, according to a letter sent to customers.

Dealers including Lithia, AutoNation, Group 1 and Asbury Automotive have told Automotive News that they are facing disruptions but took immediate steps to minimise the impact and continue to trade.

“Paying ransomware attackers is a controversial topic with both potential benefits and risks,” said Dave Barthmuss, a spokesperson for Upstream Security, a company that provides cloud-based cybersecurity protection for connected vehicles.

Some media outlets have reported the hacker was demanding tens of millions of dollars from CDK, and that CDK was planning to pay so it can restore services for more than 15,000 affected dealership customers.

CDK confirmed a ransom event but declined to offer further comment other than it is working with “leading third-party experts” to develop a recovery plan and has notified law enforcement. 

A Bloomberg report said the hack is linked to the BlackSuit ransomware operation, a group believed to be Russian and Eastern European hackers.

Speaking about ransom payments, Erik Nachbahr, president of cybersecurity services provider Helion Technologies, told Automotive News that they weren’t unusual.

“Many companies have paid multi-million dollar ransoms to regain access to their systems,” Mr Nachbahr said.

He cited UnitedHealth Group, which reportedly paid $US22 million ($A33m) in bitcoin in February to cyber attackers who shut down the health system’s hospitals and pharmacies for more than a week.

Casino operator Caesars paid a $US15 million ($A22.6m) ransom in 2023 to a group that infiltrated and disrupted its systems, according to news reports.

Cryptocurrency tracking firm Chainalysis said in a February report that cybercriminals in 2023 received $US1.1 billion ($A1.65b) in ransom payments worldwide.

In the retail automotive world, many dealers would likely pay the ransom because “our industry has generally not kept up with the latest cybersecurity best practices,” said Diana Lee, CEO of automotive marketing platform Constellation. 

“We have some of the brightest people in our industry, but innovation and change have been slow to auto,” she said.

Mr Nachbahr said companies consider paying a ransom if they can’t access critical data or otherwise recover it from backups. 

Sometimes, the computer system is disabled in such a way that it would be too time consuming to engineer a “complete disconnect, wipe and rebuild. If either situation happens, company executives may see very few choices.”

In those cases, paying a ransom “is about getting the system back online as quickly as possible,” he said. 

“Whether it’s restoring unrecoverable data or simply regaining access to the computer system, paying the attackers may be the only reasonable option. 

“It is apparent that the attackers have infiltrated CDK’s system to the degree that their backs are against the wall. Paying a ransom in a case like this will be the best option.”

But he cautioned that even paying a ransom can lead to more complications.

“After the system is brought back online, a deep verification will be needed to ensure the attackers are out of the system completely,” he said. 

“There have been instances where a ransom was paid and the system was brought online only to have a subsequent attack as the system was not properly secured after regaining control.”

Ransomware attackers also can copy and steal data and demand payment to not release it. Once a ransom is paid, there is no guarantee the attacker will delete the data.

By Neil Dowling
