With over 350 attacks and $275M in ransom demands the notorious BlackSuit ransomware a rebrand of the Royal operation has set its sights on CDK Global

Continue reading
Recent developments have disclosed that CDK Global have relentlessly suffered cyberattacks, crippling operations for 15,000+ car dealerships across North America. This has now been attributed to a full-fledged ransomware attack orchestrated by the Blacksuit gang.
This follow up analysis explores the critical nuances of this sophisticatedly orchestrated ransomware attack, its implications, and mitigation strategies amidst ongoing negotiations and operational impacts.
The BlackSuit ransomware attack on CDK Global targeted their SaaS platform crucial for managing car dealership operations, including sales, inventory, and customer management. The attack forced CDK to shut down its IT systems twice, initially to contain the attack and later due to a subsequent breach during restoration efforts.
BlackSuit, a successor to the notorious Conti group, leveraged sophisticated tactics to encrypt CDK's systems, demanding ransom for decryption keys and threatening data exposure. Negotiations for a decryptor are underway, highlighting the severity and complexity of the incident.
import cryptography
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.backends import default_backend
# Encrypting data with AES-GCM
def encrypt_data(data, key):
cipher = cryptography.hazmat.primitives.ciphers.aead.AESGCM(key)
nonce = cryptography.Random.get_random_bytes(12)
ciphertext = cipher.encrypt(nonce, data, None)
return ciphertext, nonce
# sample usage
data_to_encrypt = b"Sensitive data"
encryption_key = cryptography.hazmat.primitives.kdf.pbkdf2.PBKDF2HMAC(
algorithm=hashes.SHA256(),
salt=b"salt",
iterations=100000,
length=32,
backend=default_backend()
).derive(b"password")
encrypted_data, nonce = encrypt_data(data_to_encrypt, encryption_key)The attack severely impacted car dealership operations, forcing reliance on manual processes and disrupting sales, service, and parts management. Major companies like Penske Automotive Group and Sonic Automotive reported operational challenges due to CDK’s outage.
CDK is actively negotiating with BlackSuit for a decryptor while engaging third-party cybersecurity experts to restore services securely. However, concerns persist regarding the security posture during the recovery phase.
import requests
# Fetching threat intelligence data
def fetch_threat_intelligence(api_key):
url = "https://api.threatintelhub.com/threats"
headers = {"Authorization": f"Bearer {api_key}"}
response = requests.get(url, headers=headers)
return response.json()
api_key = "your_api_key"
threat_data = fetch_threat_intelligence(api_key)Following its launch in May 2023, BlackSuit has emerged as a rebranded iteration of the infamous Royal ransomware operation, believed to be the direct successor of the Conti cybercrime syndicate.
Originating from Russian and Eastern European threat actors, Royal Ransomware transitioned to BlackSuit after testing its new encryptor amidst controversy surrounding attacks on the City of Dallas, Texas.
The shift from Royal to BlackSuit coincided with a noticeable cessation of Royal-named attacks, with the FBI and CISA later confirming the overlap in tactics and coding between the two entities.
Their joint advisory further underscored Royal's extensive global impact, targeting over 350 organizations since September 2022 and amassing ransom demands exceeding $275 million.

U.S. Army recruiting pages hijacked to display fake 404 errors reading ‘Kurdistan’, exploiting a third-party tool and exposing .mil web security gaps.