Ransomware, MSSP, Vertical markets, Cloud Security

CDK Attack: How to Improve Auto Dealership Resiliency


Automotive dealerships have been crippled in recent weeks by a disruption due to a ransomware attack on CDK, a Software-as-a-Service (SaaS) provider that provides an ERP-like dealer management platform.

As CDK works to restore systems used by more than 15,000 retail locations across North America, the company advised that the return of the dealer management system will require several days if not weeks, according to a press statement from Group One Automotive, which owns 202 dealerships in the U.S. and U.K.

CDK’s SaaS platform runs all aspects of a dealership’s operations, including sales, financing, inventory, service and back-office functions. The disruption is forcing pen-and-paper transactions at dealerships. U-Haul and Penske, two commercial vehicle rental giants, are among those impacted.

Meanwhile, Asbury Automotive Group, one of America’s largest car retailers and service providers, warned investors this week that the CDK outage has hurt its business, and it’s unclear when it will end. 

Auto Dealer Vertical Market a Speciality for MSPs and MSSPs

MSSPs and MSPs often provide IT and cybersecurity services to auto dealerships that outsource those services to focus on their core businesses. MSSP Alert reached out to one MSSP to get an inside track about how auto dealerships operate, how important CDK is in the auto dealership market, and what MSSPs can do to advise their auto dealership customers about how to improve their readiness for cybersecurity incidents.

MSSP Blackswan Cybersecurity CEO Mike Saylor built a vertical market specialty for his company with automotive dealerships. Here’s the advice he said he would give to customers and potential customers in the auto dealer market who may be concerned about experiencing a cybersecurity incident like the one caused by the CDK ransomware attack.

  • First, he would do a risk assessment. Such an assessment would provide a gap analysis about what services are already in place and what cybersecurity vulnerabilities need to be remediated.
  • Saylor would also assess who is in charge of security at the dealership, how much attention they are giving to cybersecurity and assess their skill set to provide the services needed at the business.
  • In addition, the assessment should examine the auto dealership’s vendors — the ones the company relies on for their critical processes — the ones like CDK. Are there back-ups in place for if and when something goes wrong with ay critical process vendors? For instance, in the case of CDK, what contingency plans had auto dealer customers put in place for a failure of that vendor?
  • Advise the customer that an MSSP can help them with table top exercises. They need to create a plan for when a critical vendor fails, and they need to practice that plan. That’s what creates cyber resiliency.

Royal Ransomware Rebranding as BlackSuit?

The BlackSuit ransomware group is believed to be the new name for the group known as Royal Ransomware, which was behind the CDK incident, BleepingComputer reported. BlackSuit is reportedly dangling a ransomware decryptor in exchange for currency and the promise of not exposing any company data.

Two of the largest public car dealership companies, Penske Automotive Group and Sonic Automotive, disclosed yesterday that they, too, were impacted by the outages.

Saylor believes the threat actor truly understood what they had access to.

“They became very familiar with CDK as a company, their financials, their business model, whether or not they could recover from a ransomware infection,” he said. “Then they decided, they strategized on how best to attack and infect them. They did so in a very effective way. And now CDK is at the point where they're probably going to pay the ransom in an effort to try and get their operations back as soon as possible.”

Saylor speculates the ransom is probably between $50 million and $60 million, however, there are currently no confirmations of the actual ransom.

Jim Masters

Jim Masters is Managing Editor of MSSP Alert, and holds a B.A. degree in Journalism from Northern Illinois University. His career has spanned governmental and investigative reporting for daily newspapers in the Northwest Indiana Region and 16 years in a global internal communications role for a Fortune 500 professional services company. Additionally, he is co-owner of the Lake County Corn Dogs minor league baseball franchise, located in Crown Point, Indiana. In his spare time, he enjoys writing and recording his own music, oil painting, biking, volleyball, golf and cheering on the Corn Dogs.