CDK Global Hack Disrupts U.S. Auto Dealerships Amid Rising Cyberattacks

Key Points:

  • Cyberattack disrupts operations at U.S. auto dealerships.
  • BlackSuit, a new group, is believed to be a spinoff of RoyalLocker.
  • BlackSuit has breached at least 95 organizations, primarily in the U.S.
  • BlackSuit provides infrastructure and extortion support to smaller cybercriminal groups.

A recent cyberattack on software maker CDK Global has significantly disrupted operations at auto dealerships across the United States. This incident is part of a growing trend where ransom-demanding cybercriminals target major companies by infiltrating their software suppliers. CDK Global provides software commonly used by car dealerships to process sales and other transactions. According to local press reports, the hack has forced many dealers to revert to manual processing methods.

BlackSuit is a relatively new cybercriminal group that emerged in May 2023. Analysts believe it is a spinoff from the older, well-known Russia-linked hacking group named RoyalLocker. RoyalLocker was known for hacking American companies and was a significant player in the cybercrime world, following closely behind other prominent groups such as LockBit and ALPHV.

Despite its origins, BlackSuit has not been as aggressive as its predecessors. According to Kimberly Goody, head of cybercrime analysis at Mandiant Intelligence, the number of victims listed on BlackSuit’s data leak site suggests it does not have as many hacking partners as larger ransomware gangs. “The majority of BlackSuit victims have been overwhelmingly based in the U.S., followed by the U.K. and Canada and span a wide range of sectors,” said Goody.

Security firm Recorded Future reports that BlackSuit has breached at least 95 organizations globally. However, the real number of victims is likely much higher. Most of these victims are American organizations operating in sectors such as industrial goods and education, according to a blog post by security firm ReliaQuest last month. “We have seen Russian-speaking threat actors affiliated with BlackSuit soliciting partnerships in underground forums to provide access to companies, as recently as last week,” Goody added.

BlackSuit is known for employing “double extortion” tactics: the group not only steals sensitive data from victim organizations and locks their systems but also threatens to leak the information if its demands are not met. Mandiant’s Goody explained that BlackSuit had provided hacking infrastructure to smaller partner groups, known as “affiliates,” and offered extortion-related support. That support includes resources to harass victims or take down their websites to increase pressure for payment.

EDITORIAL TEAM
The TechGolly editorial team is led by Al Mahmud Al Mamun. He worked as an Editor-in-Chief at a world-leading professional research magazine. Rasel Hossain and Enamul Kabir are supporting as Managing Editors. Our team incorporates technologists, researchers, and technology writers. We have substantial knowledge and background in Information Technology (IT), Artificial Intelligence (AI), and Embedded Technology.
