CDK Global: When a SaaS Vendor Is the Industry
Threat Intelligence
The June 2024 ransomware attack on CDK took 15,000 US auto dealerships offline. The story is about sector-wide SaaS dependency, not about the ransomware itself.
By Arjun Raghavan, Security & Systems Lead, BIPI · May 16, 2024 · 9 min read
On June 19, 2024, CDK Global, the dealer management system provider used by roughly 15,000 US auto dealerships, took its core platforms offline after a ransomware attack. A second incident followed on June 20 while CDK was bringing systems back online. Recovery stretched through late June and into early July. For the better part of two weeks, US auto dealers reverted to paper-based sales processes, lost access to service histories, and could not pull credit applications or finalize financing through CDK's connected systems. Multiple outlets attributed the attack to BlackSuit, the ransomware brand that emerged from Royal.
Timeline
June 19: CDK detects ransomware and pulls platforms offline. Most dealer customers wake up to closed CDK portals.
June 20: A second incident hits while CDK is restoring service, extending the outage.
Late June: CDK reportedly negotiates and pays a ransom in the tens of millions to BlackSuit. Restoration begins in a phased rollout to small groups of dealers.
Early July: Most dealers are back online, but data backlog reconciliation continues for weeks.
Sector financial impact estimates range from $600M to over $1B in lost sales, late vehicle deliveries, and operational costs across affected dealers.
Root cause: undisclosed, but the bigger root cause is structural
CDK has not published a public post-mortem. What is publicly known is that the attacker had sufficient access to detonate ransomware against CDK's dealer-facing infrastructure. The interesting root cause is not the access vector. It is that an entire sector runs on one platform. CDK and Reynolds and Reynolds together hold something like 70 to 75 percent of US dealer management system market share. When CDK was unavailable, there was no failover. Dealers could not switch to a competitor for two weeks; they reverted to paper.
Attacker actions
BlackSuit's general 2024 playbook involves initial access via phishing, RDP, or known CVEs, followed by Cobalt Strike for lateral movement, mass file enumeration, exfiltration to MEGA or attacker-controlled S3, and encryption with their fork of the Royal codebase. The double-extortion phase typically includes a dark-web leak site listing the victim. CDK ultimately did not appear on the BlackSuit leak site, which is consistent with public reporting that a ransom was paid. The amount, widely reported as $25 million in Bitcoin, was paid through an intermediary.
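As an added, defender-side illustration (not CDK's code and not anything from BlackSuit), the sketch below flags two of the staging behaviours named above, mass file enumeration on a file server followed by bulk upload to MEGA or S3, in constructed file-server and proxy telemetry; the thresholds, hostnames, and log field layout are assumptions to be tuned against your own baseline.

```python
"""Detection sketch for two BlackSuit-style staging behaviours:
mass file enumeration, then bulk upload to MEGA or an S3 endpoint."""
from collections import defaultdict

# Illustrative thresholds (assumptions, not vendor guidance).
ENUM_FILES_PER_HOUR = 500           # distinct files one host touches per hour
EXFIL_BYTES_PER_HOUR = 2 * 1024**3  # outbound bytes to a watched destination
WATCHED_DESTINATIONS = ("mega.nz", "mega.co.nz", "s3.amazonaws.com")

def _watched(dest):
    """True if dest is a watched domain or one of its subdomains."""
    return any(dest == d or dest.endswith("." + d) for d in WATCHED_DESTINATIONS)

def enumeration_alerts(file_access_events):
    """file_access_events: iterable of (host, hour_bucket, path)."""
    seen = defaultdict(set)
    for host, hour, path in file_access_events:
        seen[(host, hour)].add(path)
    return sorted((h, hr, len(p)) for (h, hr), p in seen.items()
                  if len(p) >= ENUM_FILES_PER_HOUR)

def exfil_alerts(proxy_events):
    """proxy_events: iterable of (host, hour_bucket, dest_host, bytes_out)."""
    total = defaultdict(int)
    for host, hour, dest, nbytes in proxy_events:
        if _watched(dest):
            total[(host, hour, dest)] += nbytes
    return sorted((h, hr, d, b) for (h, hr, d), b in total.items()
                  if b >= EXFIL_BYTES_PER_HOUR)

def correlate(file_access_events, proxy_events):
    """Hosts that both enumerated at scale and pushed bulk data to a watched
    destination. Either signal alone is noisy; the pair is worth paging on."""
    enum_hosts = {h for h, _, _ in enumeration_alerts(file_access_events)}
    exfil_hosts = {h for h, _, _, _ in exfil_alerts(proxy_events)}
    return sorted(enum_hosts & exfil_hosts)

# Constructed sample telemetry: ws-07 sweeps 600 files at 02:00 and then
# uploads 3 GiB to a mega.nz API host; ws-12 does routine work only.
SAMPLE_FILE_ACCESS = (
    [("ws-07", "2024-06-18T02", f"//fs01/dealer/doc{i}.pdf") for i in range(600)]
    + [("ws-12", "2024-06-18T09", f"//fs01/dealer/deal{i}.xlsx") for i in range(12)]
)
SAMPLE_PROXY = [
    ("ws-07", "2024-06-18T03", "g.api.mega.nz", 3 * 1024**3),
    ("ws-12", "2024-06-18T09", "updates.vendor.example", 40 * 1024**2),
    ("ws-12", "2024-06-18T10", "mega.nz", 2 * 1024**2),  # small, below threshold
]

if __name__ == "__main__":
    print(correlate(SAMPLE_FILE_ACCESS, SAMPLE_PROXY))  # ['ws-07']
```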
Detection
Detection visibility from outside CDK is poor. From the dealer perspective, the first detection was 'we cannot log into CDK', which is the worst kind of incident notification. CDK's communication during the incident was criticized by dealers as slow and vague, which is a common pattern when a SaaS vendor is mid-fire. The dealer-side lesson is to invest in operational fallback playbooks before you need them, because vendor communications during a ransomware event will not be sufficient for your operational decisions.
Lessons
First, sector-concentration risk is now a board-level question for industries that have consolidated onto small vendor sets. Auto retail is one such sector. Healthcare claims clearing is another, as Change Healthcare illustrated four months earlier. Logistics, payments, and grocery wholesale all have similar shapes. The concentration is a function of network effects and switching costs; it will not unwind because of one bad incident, but it should be priced into operational risk planning at the dealer and franchisee level.
Second, the regulatory response is coming. The SEC's cybersecurity disclosure rule applies to publicly traded operators, not necessarily to private dealer groups, but vendor SLAs and incident notification requirements will tighten across the sector over the next year. Dealers writing contracts with CDK or Reynolds today should be pushing for explicit notification timelines, data restoration commitments, and credit for downtime, not because lawyers say so but because the only leverage they have to drive better security at the vendor is contractual.
The BIPI take
CDK is the cleanest 2024 example of a SaaS vendor whose downtime is the industry's downtime. The defensive answer for dealers is not to switch vendors; in many cases there is no realistic alternative. The answer is to build operational independence at the manual-process layer, audit your business interruption coverage, and pay attention to vendor security disclosures the way you pay attention to your own. If your DMS, EHR, or clearinghouse is your industry's chokepoint, your continuity plan must treat it as one.