
Dealership system hackers seemingly identified as restorations begin


One analyst has seemingly identified the group of hackers responsible for cyberattacks that led to over 15,000 dealerships facing outages over the last six days.

Hacker group BlackSuit is thought to be behind the cyberattacks on the CDK auto dealership management system, according to cyber threat analyst Allan Liska with the security firm Recorded Future (via Automotive News). Reports last week said that the then-undisclosed hacker group demanded an extortion fee of tens of millions of dollars, and CDK is reportedly planning to pay the amount.

As of Monday, CDK wasn’t listed on BlackSuit’s online list of companies it’s actively extorting, suggesting that the parties could still be in negotiations—or that it’s already paid the ransom, according to Liska.


Over the weekend, Automotive News also reported that CDK had already started the restoration process for systems that were facing outages due to the cyberattacks, referring to the extortion fee as a “ransom” for the first time and saying it could take “several days and not weeks.”

“We anticipate the restoration process to take several days and not weeks for the major applications and ask for your continued support as we bring systems back online,” CDK wrote in correspondence with dealerships.

CDK is also working closely with law enforcement to fix the issue, as stated by company spokesperson Lisa Finney. BlackSuit is thought to be a group of Russian and Eastern European hackers, and is working with a group called Royal Ransomware tools, according to TrendMicro threat intelligence researcher Jon Clay.

According to the U.S. Cybersecurity and Infrastructure Agency, BlackSuit’s ransomware shares code with Royal Ransomware tools, which is known for sharing its suite of hacking tools in return for a cut of extortion payments.

CDK’s DMS is the most commonly used software for managing dealerships in the U.S. and Canada. The cyberattacks, which began on June 19, are thought to be affecting over half of the auto dealerships in the region, and have resulted in a return to hand-written service and sales tickets without the software.

What are your thoughts? Find me on X at @zacharyvisconti.
