BlackSuit Ransomware Gang Behind CDK Global IT Outage, Negotiations Underway

ICARO Media Group
Politics
22/06/2024 21h35

In a major development, it has been revealed that the BlackSuit ransomware gang is responsible for the significant IT outage that has disrupted car dealerships across North America. Multiple sources, speaking on the condition of anonymity, have confirmed this information to BleepingComputer.

CDK Global, a software-as-a-service (SaaS) provider whose platform is crucial for car dealerships to manage their operations, is currently engaged in negotiations with the ransomware gang. The talks aim to secure a decryptor and prevent the leak of any stolen data.

Bloomberg first reported yesterday that CDK was in discussions with the threat actors, following the cyberattack that forced CDK to shut down its IT systems and data centers, including its car dealership platform. While the company attempted to restore services on Wednesday, a second cybersecurity incident occurred, leading to a complete shutdown of all IT systems.

As a result, car dealerships have been forced to resort to pen and paper to carry out their daily operations. Frustrated car buyers have reported being unable to purchase vehicles or receive service for their existing cars due to the outage. Even two of the largest public car dealership companies, Penske Automotive Group and Sonic Automotive, have confirmed that they were impacted by the outages.

Penske Automotive Group disclosed in an SEC filing that its Premier Truck Group business, which relies on CDK's dealer management system, experienced disruptions. The company has implemented business continuity response plans and is operating through manual or alternative processes. Sonic Automotive also reported disruptions to its dealer management system, impacting critical dealership operations; it is working around the outage to minimize disruption.

CDK Global has warned that threat actors are attempting to gain unauthorized access to dealership systems by calling dealerships and impersonating CDK agents or affiliates.

BlackSuit, which emerged in May 2023, is believed to be a rebrand of the Royal ransomware operation. The Royal Ransomware group, and subsequently BlackSuit, is suspected to be the successor of the infamous Conti cybercrime syndicate, known for its Russian and Eastern European threat actors.

Recently, the FBI and CISA released a joint advisory connecting the Royal and BlackSuit ransomware gangs. The advisory revealed that the groups share similar tactics and coding overlaps in their encryptors. The Royal gang has been linked to attacks on over 350 organizations worldwide since September 2022, with ransom demands exceeding $275 million.

BleepingComputer reached out to CDK for more information regarding the ransomware attack, but has yet to receive a response.

The situation remains ongoing, with CDK Global navigating negotiations with the BlackSuit ransomware gang to restore services and ensure the security of their systems and data. Car dealerships, meanwhile, continue to grapple with the disruption caused by the IT outage, utilizing workaround solutions to keep their operations running as smoothly as possible.

The views expressed in this article do not reflect the opinion of ICARO, or any of its affiliates.
