CDK Global Slow to Recover Operations Following Ransomware Attack

Date: June 27, 2024


More than a week after a ransomware attack caused a massive disruption, CDK Global announced it has restored access to its main Dealer Management System (DMS) for a small number of car dealerships and hopes to bring more dealerships and more system functionality back online in the coming days.

“We have successfully brought a small initial test group of dealers live on the core DMS,” CRN reports a CDK spokesperson as saying.

“Once validation is completed, we will then begin phasing in other dealerships on the core DMS, accounting, parts, service, sales, [finance and insurance], user management and document management.”

CDK, which provides software-as-a-service for payroll, finance and other services to more than 15,000 auto dealerships, was forced to shut down most of its systems after suffering two cyberattacks on June 18th and 19th.

CRN further reports that CDK representatives have declined to comment on reports that the company was planning to make a ransom payment to the alleged attackers in the range of tens of millions of dollars in hopes it will speed recovery efforts.

Takeaway: The attack on CDK is illustrative of several challenging issues regarding how best to respond to and recover from successful ransomware attacks, especially when the attack has a blast radius that impacts relationships with business partners and customers.

First, there is the dilemma of whether to pay a ransom demand. The simple answer would seem to be that organizations should never pay a ransom demand, since refusing to pay would significantly diminish the financial incentives for these attacks.

In most circumstances that would be the logical approach, but it may not be the right approach for every organization, such as a hospital where lives are literally at stake.

Paying a ransom does not guarantee that the victim's data will be restored, as there are many cases where the data is corrupted during decryption. And statistically, most victims who pay a ransom demand are attacked again, often by the same threat actor, who demands a higher ransom payment knowing the victim is likely to pay.

As well, most ransomware attacks today also include the exfiltration of sensitive data for leverage to get a victim to pay, and attackers often ask for an additional ransom payment to assure the data is not leaked publicly.

Even if a victim organization pays the ransom demands, there is no guarantee that their stolen data will be secure or that the attackers will not simply make additional extortion demands, leak the data or sell it on the black market.

And paying a ransom does not address the root cause of the problem, which is the vulnerability of the victim's systems to ransomware attacks. Instead of paying the ransom, victims should focus on implementing preventative measures to protect their data from future attacks as well as focus on resilience measures to more quickly recover from a successful attack.

Halcyon recently published a study detailing the significant impact on businesses from ransomware and data extortion attacks over the past 24 months. According to the Ransomware and Data Extortion Business Risk Report (PDF), one-in-five respondents (18%) suffered a ransomware infection 10 or more times in a 24-month period, another one-in-five (18%) were infected 5-9 times, and 30% were infected 2-4 times.

Nearly two-thirds (60%) of respondents said that sensitive or regulated data was exfiltrated from their organization, with more than half (55%) reporting the attackers issued an additional ransom demand to protect the exfiltrated data. As well, 58% of victims reported that the loss of sensitive data put their organizations at additional risk of regulatory action and lawsuits.

The study also revealed a strong disconnect between perception and reality when it comes to prevention and resilience against ransomware and data extortion attacks.

Fully 88% of respondents indicated they were somewhat or very confident their organizations' current security deployments could disrupt an attack before a ransomware payload is delivered, and 85% were somewhat or very confident their organizations could quickly resume regular operations following a successful attack.

Yet more than one-in-three (36%) were infected 5 times or more over the two-year period. Furthermore, 62% of organizations hit by ransomware reported a major disruption in operations, with 38% saying operations were disrupted for at least two months, and in some cases for more than six months.

These findings clearly show that organizations are overly confident in their ability to defend against and quickly recover from ransomware attacks. Note that all of these victim organizations were running some combination of prevention tools (EPP, EDR, XDR) when they succumbed to a ransomware attack.

Fifty-nine percent of respondents indicated that remediation (incident response alone) cost their organization more than $1 million. More than half (57%) said the attacks will have a negative long-term impact on their organization's operations, competitiveness, profitability or overall viability.

For the organizations that opted to pay a ransom demand, the majority (78%) said the attackers failed to provide a valid decryption key or data was corrupted upon decryption. Of the organizations that have cyber insurance, two-in-five (39%) said their premiums increased significantly following a ransomware attack.

While most felt confident their current security deployments were adequate for both prevention and recovery, the study shows that the majority of attacks were nonetheless successful, leaving victim organizations struggling to get operations back up and running.

The full study is available here (PDF): Ransomware and Data Extortion Business Risk Report.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.