BlackSuit ransomware linked to auto dealers' outages

New Ford vehicles for sale at a dealership in Colma, Calif. Photo: David Paul Morris/Bloomberg via Getty Images
The BlackSuit ransomware gang is believed to be behind ongoing outages at CDK Global, a software provider for roughly 15,000 North America-based car dealerships.
Why it matters: CDK has yet to acknowledge that the attack is a result of ransomware, but an incident like this could take weeks to recover from.
- Even after operations return to normal, CDK will have to investigate what data was stolen, how the attack happened and what impacts this has had on its customers.
Driving the news: Several major U.S. auto dealers have had to turn to pen and paper over the last week to close new car sales, manage auto repairs and conduct other business following a cyberattack.
- CDK attempted to restore its systems on Wednesday but was hit with a second cyberattack, causing it to shut down all systems again.
Zoom in: Allan Liska, a ransomware analyst at Recorded Future, told Axios on Monday that he's seen the CDK attack attributed to BlackSuit in hacker forums and private chat channels.
- Cybercriminal gangs are known to brag to one another about their ongoing schemes on these online sites.
- BleepingComputer first reported BlackSuit's ties to the attack.
Between the lines: The full impact of the CDK outages is still being pieced together.
- AutoNation, Group 1 Automotive, Penske Automotive Group, Sonic Automotive and Lithia Motors have each filed reports in the last few days with the Securities and Exchange Commission saying their services have been disrupted.
Reality check: As of Monday afternoon, CDK Global is not yet listed on the BlackSuit gang's dark web site, where the group would publicly list its victims to shame them into paying a hefty ransom.
- This could mean that CDK is still negotiating with BlackSuit to receive a decryption key and prevent a leak of stolen data.
- Bloomberg reported over the weekend that the hackers were asking for a ransom in the tens of millions of dollars.
- A CDK spokesperson declined to comment Monday on the BlackSuit attribution.
The big picture: BlackSuit is known to target U.S. companies in various critical infrastructure sectors.
- Most recently, BlackSuit leaked information stolen in an attack on the Kansas City Police Department.
Go deeper: How one cyberattack causes relentless ripple effects
