Editorial: Ransomware nightmare in Hoffman Estates shows how important law enforcement’s cyber efforts are

While most Chicagoans were busy enjoying the start of summer, a high-stakes hostage drama played out at a company with deep roots in suburban Hoffman Estates — and in car dealerships from coast to coast.

CDK Global, a key supplier of specialized software systems for vehicle sales and service, fell victim to a brutally effective cyberattack. The programs that many car dealers use to manage inventory, chalk up sales, register new vehicles and perform countless other essential functions were abruptly shut down.

Beginning in mid-June, hackers affiliated with a Russia-based criminal operation called BlackSuit reportedly took over the company’s systems and demanded tens of millions of dollars to relinquish control. The cyberattack went on for days before CDK could even start to restore its service.

In the meantime, car dealers have had to scramble, resorting to paper and pen to record vehicle orders by hand and relying on workarounds for everything from insurance and financing to service and repairs. The disruption resulted in long delays and lost orders. It will leave behind a monumental recordkeeping mess, and there’s no telling when all the lingering issues will be fully resolved.

Confidence in CDK has been shaken. An investment partnership paid a rich $8.3 billion to acquire the company in 2022, and no doubt its value has taken a hit. Bloomberg reported that CDK was planning to pay a fortune in ransom to the hackers, and aggrieved customers have filed the inevitable lawsuits accusing the company of exposing their personal data. It’s hard to imagine the chaos that must have descended on the company when its systems froze.

Thankfully, CDK said dealers would get full restoration of its systems as of July 4, making this year quite the Independence Day indeed for the auto industry. But damage to the industry in dollar terms is estimated to be around $800 million.

Unfortunately, CDK is not alone. The same group said to be responsible for the CDK attack has been tied to nearly 100 other extortion efforts since May 2023, Bloomberg reported, and very likely has committed dozens more. It’s hard to keep track because a company that pays out a ransom, appeasing and encouraging the criminals, understandably tries to keep that fact under wraps to avoid becoming a serial target.

Every one of these attacks is an outrage, disrupting commerce, threatening the prospects of otherwise healthy organizations and requiring lavish investments to harden systems against hacking. It’s unconscionable that important players in the global economy are being held hostage and forced to choose between saving their businesses and paying off thieves.

What to do? Law enforcement has a game plan for dealing with these destructive crooks that, ironically, it previewed just weeks before the disaster at CDK.

In early May, the U.S. Justice Department unsealed charges against a Russian national accused of masterminding LockBit, a prolific ransomware group that has targeted more than 2,500 victims worldwide and extracted $500 million in ransom payments, the feds alleged.

Their 26-count indictment accuses Dmitry Khoroshev, a 31-year-old from the Russian city of Voronezh, of developing the software that he and other hackers then used in extortion attempts against schools and hospitals, as well as deep-pocketed companies.

Khoroshev allegedly received at least $100 million in digital currency as his share of ransom payments, the feds claimed. Five other alleged LockBit members also have been charged, including two in custody as of May. As always, those accused in criminal indictments are presumed innocent unless proven otherwise.

Taking down secretive, high-stakes hackers requires more than just announcing charges, and prosecutors went all-out to show how much they’ve learned about nailing cyber-no-goodniks.

Authorities revealed, for instance, that they had obtained decryption keys that could be used to unlock files scrambled by LockBit ransomware, letting victims recover their data without any ransom being paid. They also had seized the servers used by LockBit administrators and their publicly facing websites, disrupting the gang’s ability to launch new cyberattacks or follow through on threats to publish sensitive data that it hijacked.

The feds further revealed that LockBit had retained stolen data it had promised to delete if its ransom demands were met. There’s no honor among these now-discredited thieves, that’s for sure, and victims as of today would have no reason to cave in to them.

The feds went on to offer a $10 million reward for information leading to Khoroshev’s arrest and even published a photo of the smirking accused hacker, who previously had kept his identity hidden. Khoroshev remains at large, presumably in the corrupt bubble of Vladimir Putin’s Russia. Even so, it’s good to see this comprehensive effort to bring cybercriminals to justice.

Message to Khoroshev: Better cancel any travel plans to the French Riviera or Monte Carlo, where arrest very likely would come swiftly. Instead, enjoy spending any ill-gotten loot close to home in Voronezh, a city better known for being destroyed during World War II than for luxurious pleasures.

Let’s hope the BlackSuit gang behind the attack on CDK gets similarly exposed, put out of business and thrown in jail for a long time.
