A ransomware attack on CDK Global, a software provider for the auto industry, was followed two days later by a large cryptocurrency payment. The attack disrupted services at approximately 15,000 car dealerships in the United States and was followed by a $25 million payment in cryptocurrency. The incident has raised questions about cybersecurity measures in the automotive sector and about the ongoing threat of ransomware.
Payment Details Revealed
Blockchain intelligence firm TRM Labs identified a cryptocurrency wallet, likely controlled by the BlackSuit ransomware group, that received 387 bitcoin (around $25 million) on June 21. Although TRM Labs provided solid evidence that the transaction occurred, it has not been definitively proven that CDK Global made the payment. Representatives of CDK Global and its parent company, Brookfield Business Partners, have not commented on whether a ransom was paid.
If verified, this $25 million transaction would be the second-largest ransom payment on record, following a $40 million payment by CNA Financial Corp. in 2021. This year has already seen another large ransom payment of $22 million by UnitedHealth Group to resolve an attack on its Change Healthcare subsidiary, attributed to the defunct ALPHV ransomware operation.
Money Laundering Activity
After the ransom was received, nearly $15 million was funneled through about 200 transactions and eventually dispersed to over 20 addresses across five global exchanges. An additional $6 million was moved to more than 15 addresses across four exchanges. One of these wallets is linked to an active BlackSuit affiliate that had previously received funds from other known BlackSuit and Wizard Spider victim payments. Wizard Spider is another cybercriminal group with ties to Russian cybercrime activity.
Compared with previous incidents, the ransomware attack on CDK Global fits the established pattern of significant financial fallout following a cyberattack. The size of the payment echoes earlier cases such as the CNA Financial ransom, indicating that large corporations remain vulnerable to ransomware. The complex money laundering techniques used to move the funds likewise follow patterns seen in previous cybercrime investigations.
The June attack caused widespread disruption across U.S. auto dealerships, affecting at least six publicly traded dealership groups. Despite these disruptions, Brookfield Business Partners stated that the incident would not materially affect its business operations. Under SEC regulations, companies must determine whether a ransomware attack is material and, if it is, disclose it within four days of that determination.
The cyberattack on CDK Global underscores the ongoing risk that ransomware poses to critical industries such as automotive software. Companies need to strengthen their cybersecurity defenses to mitigate these risks and avoid severe operational and financial impacts. The complexity of the laundering activity associated with these payments highlights the technical sophistication of ransomware groups, and the incident is a reminder for organizations to remain vigilant and proactive in their cybersecurity efforts.