Published on: July 3, 2024
A relatively new cybercriminal group called BlackSuit appears responsible for hacking into software supplied by CDK Group, which car dealerships use to process car sales and other transactions. The ransomware attack on June 19 disrupted operations at 15,000 car dealerships across the US, forcing many to fill out financing applications manually and delaying the final sale of potentially thousands of cars.
BlackSuit is a spin-off of the notorious Russian ransomware group RoyalLocker, according to cybersecurity analysts. BlackSuit emerged only in May 2023 and has already been responsible for at least 95 ransomware attacks.
“The real number of BlackSuit victims is likely much higher [than 95],” said cybersecurity firm Recorded Future.
Unlike other Russian prominent cybercriminal groups, BlackSuit is believed to focus most of its attacks on English-speaking countries.
“The majority of BlackSuit victims have been overwhelmingly based in the US, followed by the UK and Canada and span a wide range of sectors,” reported Kimberly Goody, head of cybercrime analysis at Mandiant Intelligence.
ReliaQuest, another security firm, said most of BlackSuit’s targets have been American and have been aimed largely at industrial companies and the education sector.
BlackSuit’s method of operation is to carry out “double extortion,” which entails stealing a target’s sensitive data, locking up its IT systems, and threatening to leak the stolen data unless the victim pays a ransom, usually within a tight deadline. This is what apparently happened to CDK Group in June.
An analysis by several security firms suggests BlackSuit is preparing to expand its operations.
“We have seen Russian-speaking threat actors affiliated with BlackSuit soliciting partnerships in underground forums to provide access to companies, as recently as last week,” said Goody at Mandiant.
BlackSuit has also been supplying hacking infrastructure and other technical assistance to its new-found criminal affiliates.