Decipher File · June 19 to early July 2024 with partial restoration through July
CDK Global Ransomware (Jun 2024): 15,000 US Auto Dealerships Offline for 10+ Days
CDK Global, a dealer management software vendor used by approximately 15,000 US automotive and powersports dealerships, was hit by ransomware on June 19, 2024. The intrusion took down the SaaS dealer management system that handles sales, service, parts, accounting, financing, and inventory across the affected dealership network for more than 10 days. Public reporting attributed the intrusion to BlackSuit, a Russian-language ransomware-as-a-service group with prior incidents in 2023 and 2024. CDK Global is reported to have paid a ransom of approximately $25 million in bitcoin. Anderson Economic Group estimated total US auto dealership revenue impact at approximately $1 billion. Class action litigation against CDK Global was filed within weeks of the intrusion.
Incident summary
CDK Global, a dealer management software (DMS) vendor used by approximately 15,000 US automotive and powersports dealerships, was hit by ransomware on June 19, 2024. The SaaS DMS platform that CDK Global operates handles sales transactions, service work orders, parts inventory, accounting, dealer-side financing processing, customer relationship management, and inventory management across the affected dealer network. The intrusion took the SaaS platform offline across all customer dealerships for more than 10 days, with partial restoration phasing through late June and full restoration by early July 2024.
Public reporting from Bloomberg on June 21, 2024 attributed the intrusion to BlackSuit, a Russian-language ransomware-as-a-service group. BlackSuit is the rebranded continuation of Royal Ransomware, which was the subject of CISA-FBI joint cybersecurity advisory AA23-061A originally issued in March 2023 and updated for BlackSuit in 2024. Bloomberg's reporting also indicated that BlackSuit had demanded tens of millions of dollars in ransom. Bloomberg's June 21, 2024 reporting cited the ransom payment at approximately $25 million in bitcoin, paid by CDK Global. CDK Global has not formally confirmed the payment amount or the actor attribution in its public statements.
CDK Global initially attempted recovery on June 19, 2024 but suffered a second intrusion attempt during the recovery process, which extended the downtime. The second intrusion attempt was disclosed in CDK Global public statements without technical detail on the vector or the actor. The customer-side operational impact across the affected dealership network was severe. Dealerships reverted to paper-based sales transactions, hand-written service work orders, manual parts inventory tracking, and paper-based financing documentation. Anderson Economic Group estimated the cumulative US auto dealership revenue impact at approximately $1 billion across the downtime window.
Attack technique
Per CISA-FBI advisory AA23-061A on BlackSuit (and Royal) ransomware TTPs, the affiliate playbook combines initial access via valid accounts (T1078), exploitation of public-facing applications (T1190) where unpatched edge infrastructure is available, post-compromise reconnaissance, lateral movement, credential harvesting, data exfiltration to attacker-controlled cloud storage (T1567.002), and final ransomware deployment (T1486). Initial access vectors documented in the advisory include phishing, exposed Remote Desktop Protocol (RDP) endpoints, and exploitation of unpatched edge appliances. The CDK Global initial access vector has not been publicly confirmed by CDK or by federal advisories.
Post-compromise, BlackSuit affiliates use Cobalt Strike for command-and-control, run reconnaissance with built-in Windows administrative tools, and perform credential harvesting via Mimikatz and equivalent tooling. Lateral movement uses PsExec, WMI, and Server Message Block (SMB) abuse. Persistence is established through scheduled tasks, service installations, and account creation. The dwell time between initial access and ransomware deployment in BlackSuit operations typically runs days to weeks. The CDK Global case follows the pattern, though specific dwell time has not been publicly disclosed.
Ransomware deployment (T1486) targets file servers, database servers, and SaaS-hosting infrastructure to maximize the encryption footprint. BlackSuit binaries disable volume shadow copies and modify backup catalogs to inhibit recovery (T1490). The CDK Global multi-day recovery timeline indicates that the encryption affected a substantial portion of CDK's SaaS-hosting infrastructure, and that recovery required rebuilding services from offline backup tiers and reconstructing systems rather than simply decrypting in place. The second intrusion attempt during initial recovery, disclosed in CDK Global statements without further detail, suggests that the actor retained access to some CDK infrastructure during the initial recovery work.
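As an added defensive example (not code from the Decipher File, CDK Global, or the advisory), the following Python hunts constructed Windows event records for the recovery-inhibition, PsExec and scheduled-task behaviours described above and ranks hosts that show the combination the playbook puts right before encryption. The event IDs 1 (Sysmon process creation), 7045 (service installed) and 4698 (scheduled task created), and the field names, are assumptions about a normalized log export.

```python
# Added example, not from the Decipher File or CDK Global: a hunt over constructed
# Windows event records for BlackSuit/Royal post-compromise behaviours named in
# CISA-FBI advisory AA23-061A. Field names follow common Sysmon/Security/System
# log conventions; every record below is constructed for this example.
import re
from collections import namedtuple

Finding = namedtuple("Finding", ["host", "technique", "reason"])  # technique = ATT&CK ID

# Recovery inhibition (T1490): shadow copy and backup catalog deletion, bcdedit recovery off.
T1490_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
]

def classify(record):
    """Return a Finding for a watched behaviour, or None for benign records."""
    host, eid = record.get("host", "?"), record.get("event_id")
    if eid == 1:  # Sysmon process creation
        cmd = record.get("command_line", "")
        if any(p.search(cmd) for p in T1490_PATTERNS):
            return Finding(host, "T1490", "recovery inhibition: " + cmd)
    elif eid == 7045:  # System log: new service installed (PsExec drops PSEXESVC)
        name = record.get("service_name", "")
        if name.upper().startswith("PSEXESVC"):
            return Finding(host, "T1569.002", "PsExec service install: " + name)
    elif eid == 4698:  # Security log: scheduled task created; triage every one
        return Finding(host, "T1053.005", "scheduled task: " + record.get("task_name", ""))
    return None

def hunt(records):
    """Run classify over a record stream and keep only the hits, in log order."""
    return [f for f in map(classify, records) if f is not None]

def hosts_with_both(findings):
    """Hosts showing persistence or lateral movement AND recovery inhibition, the
    combination the advisory's playbook puts right before encryption (T1486)."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.technique)
    return sorted(h for h, t in by_host.items() if "T1490" in t and t - {"T1490"})

# Constructed sample records (not real CDK telemetry).
SAMPLE_RECORDS = [
    {"host": "app01", "event_id": 1, "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "app01", "event_id": 1, "command_line": "notepad.exe readme.txt"},
    {"host": "db02", "event_id": 7045, "service_name": "PSEXESVC"},
    {"host": "db02", "event_id": 4698, "task_name": r"\Microsoft\Windows\Update\svc"},
    {"host": "db02", "event_id": 1, "command_line": "wbadmin delete catalog -quiet"},
    {"host": "fs03", "event_id": 1, "command_line": "bcdedit /set {default} recoveryenabled No"},
]
```

Running `hunt(SAMPLE_RECORDS)` yields five findings and `hosts_with_both` singles out db02, the one host where a service install and a scheduled task precede backup catalog deletion.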
The SaaS-vendor compromise pattern at CDK Global is operationally distinct from a typical enterprise ransomware victim. CDK Global serves approximately 15,000 dealer customers from a centralized SaaS infrastructure. A compromise of that centralized infrastructure produces near-simultaneous downtime across all 15,000 customers, multiplying the cumulative customer impact relative to the per-victim cost of compromising 15,000 individual dealerships. The pattern is operationally analogous to the Kaseya VSA incident in 2021 and the SolarWinds Sunburst incident in 2020, where compromise of a single vendor produced cascading impact across the vendor's customer base.
Impact and consequences
Customer-side operational impact across approximately 15,000 dealerships was severe. Sales transactions during the downtime were processed on paper, with subsequent reconciliation work that ran for weeks after CDK Global restored service. Service department work orders were hand-written and tracked in spreadsheets. Parts inventory tracking reverted to manual counts, with subsequent reconciliation against the restored CDK Global inventory data after service restoration. Dealer-side financing processing, which depends on CDK Global integration with lender systems, was substantially impaired during the downtime. New vehicle sales at affected dealerships declined materially during the downtime window.
Anderson Economic Group's estimate of approximately $1 billion in cumulative US auto dealership revenue impact captures the order of magnitude of the downstream business cost. The figure is per-dealer revenue impact aggregated across the affected network. Individual dealer financial impact varied widely depending on dealer size, monthly transaction volume, and the dealer's specific dependence on CDK Global for revenue cycle operations. Larger publicly-traded auto retail groups including AutoNation, Group 1 Automotive, Lithia Motors, and Sonic Automotive disclosed CDK-related operational impact in their Q2 2024 and Q3 2024 earnings reports.
CDK Global's own financial impact was substantial. The reported $25 million ransom payment, while a substantial figure, is small relative to the operational and remediation costs of the downtime and to the litigation exposure from affected dealer customers. CDK Global has not publicly disclosed its full incident-related financial impact since the company is privately held and does not publish detailed financial reporting. Trade press reporting indicated significant customer churn risk and contractual renegotiations through late 2024 and into 2025.
Litigation consequence was extensive. Class action lawsuits filed within weeks of the intrusion alleged that CDK Global had inadequate cybersecurity controls, that the SaaS architecture concentration risk had not been adequately disclosed to dealer customers, and that affected dealers were entitled to compensation for the operational and revenue impact. The litigation continued through 2024 and into 2025. The case became a reference point in the broader SaaS-vendor concentration risk conversation, alongside the Sisense incident, the Snowflake customer breaches, and the Microsoft Midnight Blizzard intrusion.
Indicators of Compromise
Specific artifacts defenders should hunt for. Cross-reference these against your existing detection rules before acting on them.
- CDK Global SaaS dealer management system unavailable across approximately 15,000 US automotive and powersports dealerships starting June 19, 2024
- BlackSuit ransomware operator attribution per public reporting and consistent with CISA-FBI BlackSuit advisory AA23-061A indicators
- Second intrusion attempt during initial recovery on June 19, 2024 disclosed in CDK Global public statements
- CDK Global ransom payment of approximately $25 million in bitcoin per Bloomberg June 21, 2024 reporting
- Customer-side dealership operations reverted to paper-based sales, service work orders, parts inventory, and financing across affected dealers
- Class action litigation against CDK Global filed within weeks of the intrusion alleging inadequate cybersecurity controls
Lessons for defenders
SaaS-vendor concentration risk is a real and quantifiable business risk that requires explicit assessment. CDK Global's compromise produced near-simultaneous downtime across approximately 15,000 dealer customers because all customers depended on a single centralized SaaS infrastructure. Customers that depended on CDK Global without architectural fallback could not operate normally for the duration of the downtime. Evaluate every business-critical SaaS dependency for the same concentration risk pattern. Where the risk is material, architect for fallback: secondary SaaS providers, on-premise alternatives, paper-based business continuity procedures, or contractual SLA terms that produce financial compensation for extended downtime.
Paper-based business continuity procedures need to be pre-tested at scale. Dealers reverted to paper-based sales, service, parts, and financing operations during the CDK Global downtime, and the subsequent reconciliation work after service restoration was substantial. Pre-test paper-based business continuity at full operational scale before the first incident, including the reconciliation procedures after service restoration. The cost of inadequate pre-testing is severe operational friction during the downtime and substantial reconciliation cost after restoration.
Ransomware actor re-intrusion during recovery is a documented pattern, not an edge case. CDK Global suffered a second intrusion attempt during the initial recovery on June 19, 2024. The pattern is consistent with affiliate playbooks that retain persistence artifacts in environments where complete eviction has not been verified. Build into the incident response plan an eviction-verification step that confirms the actor's persistence artifacts (scheduled tasks, service installations, credentials, edge appliance configurations) have all been removed before restoring service. If service is restored before eviction has been verified, re-intrusion during recovery is a real risk.
Vendor incident response coordination with the customer base is a defensive control that benefits both vendor and customers. CDK Global's customer communication during the incident was reported in trade press as inadequate, with affected dealers reporting limited information about timeline, scope, and recovery progress. The customer communication friction amplified the operational and litigation impact of the incident. Build a vendor-incident customer-communication playbook before the first incident: who communicates what, on what cadence, through which channels. Regular, cadenced communications during a downtime event reduce customer trust friction even when the technical news is not yet positive.
Frequently asked questions
What happened in the CDK Global ransomware attack?
CDK Global, a dealer management software vendor used by approximately 15,000 US automotive and powersports dealerships, was hit by ransomware on June 19, 2024. The SaaS dealer management platform was unavailable across the customer dealership network for more than 10 days, with partial restoration through late June and full restoration by early July 2024. Anderson Economic Group estimated the cumulative US auto dealership revenue impact at approximately $1 billion across the downtime window. CDK Global is reported to have paid a ransom of approximately $25 million in bitcoin.
Who attacked CDK Global?
Public reporting from Bloomberg on June 21, 2024 attributed the intrusion to BlackSuit, a Russian-language ransomware-as-a-service group and the rebranded continuation of Royal Ransomware. BlackSuit (and predecessor Royal) TTPs are documented in CISA-FBI joint cybersecurity advisory AA23-061A. CDK Global has not formally confirmed the actor attribution in its public statements. The Bloomberg reporting indicated BlackSuit demanded tens of millions of dollars in ransom and that CDK Global paid approximately $25 million.
How long was CDK Global down?
CDK Global's SaaS dealer management platform was unavailable across approximately 15,000 customer dealerships for more than 10 days starting June 19, 2024. Partial restoration phased through late June 2024 with full restoration by early July 2024. CDK Global suffered a second intrusion attempt during the initial recovery on June 19, 2024, which extended the downtime. The second intrusion was disclosed in CDK Global public statements without technical detail on the vector.
How much did the CDK Global cyberattack cost?
Anderson Economic Group estimated the cumulative US auto dealership revenue impact at approximately $1 billion across the downtime window. CDK Global is reported by Bloomberg to have paid a ransom of approximately $25 million in bitcoin, though CDK Global has not formally confirmed the payment amount. CDK Global's own full incident-related financial impact has not been publicly disclosed since the company is privately held. Larger publicly-traded auto retail groups disclosed CDK-related operational impact in their Q2 2024 and Q3 2024 earnings reports.
What happened at car dealerships during the CDK outage?
Dealerships across the affected network reverted to paper-based sales transactions, hand-written service work orders, manual parts inventory tracking, and paper-based financing documentation. Sales transactions during the downtime required subsequent reconciliation work that ran for weeks after CDK Global restored service. Dealer-side financing processing, which depends on CDK Global integration with lender systems, was substantially impaired. New vehicle sales at affected dealerships declined materially during the downtime window.
Did CDK Global pay the ransom?
Bloomberg's June 21, 2024 reporting cited the ransom payment at approximately $25 million in bitcoin, paid by CDK Global. CDK Global has not formally confirmed the payment amount or the fact of payment in its public statements. The pattern is consistent with ransomware-as-a-service operational practice where victims pay to receive decryption keys and to negotiate non-publication of exfiltrated data. The Change Healthcare case in early 2024 demonstrated that ransom payment does not guarantee data deletion, but CDK Global has not publicly disclosed whether exfiltrated data was a factor.
What can other organizations learn from the CDK Global incident?
SaaS-vendor concentration risk requires explicit assessment and architectural fallback for business-critical dependencies. Paper-based business continuity procedures need pre-testing at full operational scale, including post-restoration reconciliation procedures. Ransomware actor re-intrusion during recovery is a documented pattern requiring eviction-verification before service restoration. Vendor incident response coordination with customer base is a defensive control that benefits both vendor and customers, and the communication playbook should be pre-built before the first incident. Multifactor authentication on every public-facing identity surface remains a structural baseline control.
Sources
- CDK Global Cybersecurity Event Public Statements · CDK Global's chronological public statements from June 19, 2024 through restoration
- Bloomberg: CDK Hackers Demand Tens of Millions in Ransom · June 21, 2024 reporting on the ransom demand and attribution to BlackSuit
- CNN Business: Car Dealerships Across the US Hit by CDK Cyberattack · CNN reporting on the dealer-side operational impact across the affected network
- Anderson Economic Group: CDK Cyberattack Cost US Auto Dealers $1 Billion · Anderson Economic Group estimate of total US auto dealership revenue impact
- CISA-FBI Joint Cybersecurity Advisory AA23-061A: BlackSuit Ransomware · Federal advisory on BlackSuit (and predecessor Royal) ransomware TTPs
- Wall Street Journal: CDK Cyberattack Disrupts Auto Sales Nationwide · WSJ reporting on the cumulative auto-sales impact across the dealer network
- Reuters: CDK Cyberattack Class-Action Lawsuits Filed · Reuters reporting on the class-action litigation filings against CDK Global
DecipherU is not affiliated with, endorsed by, or sponsored by any company listed in this directory. Information compiled from publicly available sources for educational purposes.