July 21, 2024
Industry News

Identifying the ‘BlackSuit’ hackers responsible for the CDK cyberattack targeting U.S. car dealers

SAN FRANCISCO — An intrusion into CDK Global’s software systems has caused disruptions at car dealerships throughout the United States. This incident is part of a disturbing trend where ransom-seeking cybercriminals target major companies by exploiting vulnerabilities in their software suppliers.

CDK Global develops software that is vital for processing sales and other transactions at car dealerships. Following the breach, many dealerships have resorted to manual transaction processing, as reported by local media outlets.

Below, we delve deeper into BlackSuit, the hacking group believed to be responsible for the CDK Global breach:

Who/What is BlackSuit?

Little is known about BlackSuit, which first emerged in May 2023. Analysts suggest that this cybercriminal group is a relatively new offshoot of RoyalLocker, a well-known hacking group with ties to Russia.

While RoyalLocker focused primarily on American targets and was considered a significant threat, BlackSuit appears to be less aggressive. According to Kimberly Goody, the head of cybercrime analysis at Mandiant Intelligence, the number of victims listed on BlackSuit’s data leak site implies that it may not have as extensive a network of hacking partners as other ransomware gangs.

“The majority of BlackSuit victims have been overwhelmingly based in the U.S., followed by the U.K. and Canada and span a wide range of sectors,” noted Goody.

How many organizations has BlackSuit targeted?

Recorded Future, a security firm, has identified at least 95 organizations globally that have fallen victim to BlackSuit’s attacks. However, the true number of victims is likely higher, according to the firm.

Most of these organizations were based in the United States and operated in industries such as industrial goods and education, as reported by ReliaQuest, another security firm.

“We have seen Russian-speaking threat actors affiliated with BlackSuit soliciting partnerships in underground forums to provide access to companies, as recently as last week,” added Goody.

What is BlackSuit’s modus operandi?

BlackSuit is known for engaging in “double extortion,” a tactic where it not only encrypts a victim organization’s systems but also steals sensitive data and threatens to leak it if a ransom is not paid.

Goody from Mandiant explained that BlackSuit provides hacking infrastructure to smaller cybercriminal groups known as “affiliates,” offering support for extortion-related activities. This includes resources for pressuring victims into paying ransoms, such as launching DDoS attacks against their websites.

How does BlackSuit compare to other ransomware groups?

While BlackSuit is relatively new and less aggressive than some of its counterparts, its tactics of double extortion make it a serious threat to organizations worldwide.

The breach at CDK Global and the activities of BlackSuit highlight the ongoing challenges posed by ransomware attacks in today’s digital landscape. It is crucial for organizations to enhance their cybersecurity measures to protect against such threats and safeguard their sensitive data.
