CDK Global, a software firm serving car dealerships across the US that was roiled by a cyberattack last month, appears to have paid a $25 million ransom to the hackers, multiple sources familiar with the matter told CNN.
The company has declined to discuss the matter. Pinpointing exactly who sends a cryptocurrency payment can be complicated by the relative anonymity that some crypto services offer. But data on the blockchain that underpins cryptocurrency payments also tells its own story.
On June 21, about 387 bitcoin — then the equivalent of roughly $25 million — was sent to a cryptocurrency account controlled by hackers affiliated with a type of ransomware called BlackSuit, Chris Janczewski, head of global investigations at crypto-tracking firm TRM Labs, told CNN.
A week after the payment was made, CDK said that it was bringing car dealers back online to its software platform. Cryptocurrency allows for the exchange of digital assets outside of the traditional banking system, but a record of those transactions is accessible on the blockchain.
Janczewski did not identify who sent the payment, but three other sources closely tracking the incident confirmed that a roughly $25 million payment had been made to BlackSuit affiliates and that CDK was very likely the source of that payment. Those sources spoke on the condition of anonymity because of the sensitive nature of the investigation.
The cryptocurrency account that sent the ransom payment is affiliated with a firm that helps victims respond to ransom attacks, one of the sources said, declining to identify the firm.
CDK spokesperson Lisa Finney did not respond to multiple requests for comment on Wednesday and Thursday on the apparent payment. Finney previously declined to answer questions on the subject. CDK CEO Brian MacDonald did not respond to email and LinkedIn messages seeking comment.
The ransom payment of $25 million hasn’t been previously reported. Bloomberg reported that the hackers had made a multimillion-dollar ransom demand and that the company planned to pay.
The ransomware attack that hit CDK in mid-June disrupted thousands of auto dealerships that use the company’s software to manage everything from scheduling to sales and orders. CDK referred to it as a “cyber incident” in statements to reporters. In a note to clients cited by CBS, CDK referred to it as a “cyber ransom event.”
CDK said last week that “substantially all” of the nearly 15,000 car dealerships that use its software across North America were back online to its core management system.
Federal officials generally discourage paying a ransom to cybercriminals because payments can fuel future attacks. But some companies feel they have no choice but to pay off hackers to try to recover sensitive customer data or get their systems back online.
The payment would be a windfall for a relatively new brand of ransomware criminals that emerged last year and has claimed numerous victims in the education and construction sectors, among others. BlackSuit’s malicious software is similar to that previously used by other Russian-speaking criminal groups, according to the US Department of Health and Human Services.
“The gang’s leadership has been conducting ransomware extortion operations since 2019 under other ransomware brand names,” said Jon DiMaggio, chief security strategist at cybersecurity firm Analyst1 who closely studies ransomware gangs.
“This is one of many examples I have seen over the years where a group is either shut down by law enforcement or decides to terminate its operation to rebrand under a new name and continue attacking and extorting organizations,” DiMaggio told CNN, adding that most of BlackSuit’s victims have been in the US.
Cybercriminals, in general, extorted a record $1.1 billion in ransom payments from victim organizations around the world last year despite US government efforts to cut off their money flows, Chainalysis, another crypto-tracking firm, said in a report in February.
A $25 million ransom payment is certainly large but not unheard of in the lucrative ransomware economy. UnitedHealth Group, the health care conglomerate whose subsidiary suffered a ransomware attack in February that hobbled pharmacies across the US, paid a $22 million ransom to a different criminal group.
But the average ransom payment in the fourth quarter of 2023 was significantly lower: $568,705, according to cybersecurity firm Coveware.