Contactez-nous Suivez-nous sur Twitter En francais English Language

Freely subscribe to our NEWSLETTER

Newsletter FR

Newsletter EN



Commentary by Aaron Walton Threat Intel Analyst about CDK Cyberattack

June 2024 by Aaron Walton Threat Intel Analyst

Coming to share reactive commentary from Expel Threat Intel Analyst Aaron Walton, following the CDK Global cyberattack reversing the technological clock for thousands of car dealers. On June 19th, a group suspected to be based in Eastern Europe hacked into CDK Global, demanding tens of millions in ransom. Although CDK initially restored some services shortly after the attack, they were forced to shut down again due to a second attack. This outage severely disrupted sales, interrupted repairs, and delayed deliveries across an industry that had reached $1.2 trillion in U.S. sales last year. Commentary by Aaron Walton Threat Intel Analyst:

“Something we haven’t seen discussed about the CDK Global ransomware attack is that after the initial incident, the company temporarily restored some systems before threat actors took them down—again.

During an incident, security teams are under heavy pressure to get systems back into service; however, great care needs to be taken during an incident. The series of events in this incident suggests that the ransomware actors were aware that CDK Global restored some systems. Unfortunately, it appears the criminals were still in CDK’s network, allowing them to compromise the systems a second time.

Victims restoring from backup threatens ransomware actors’ chances of receiving their demands. As a result, ransomware actors attempt to encrypt or delete backups to further force the hand of the victim organization to pay the ransom. Often ransomware actors will remain in the environment they’ve compromised and monitor communications from the victim. This gives the actor additional leverage and time to take preemptive action, should a victim attempt to find alternative solutions to paying the ransom.

Defending against ransomware requires preparedness and good cyber hygiene. This work should include readiness plans and table-top exercises, giving you a clear guide on how to communicate during an incident. Most organizations will use an Out-of-Band communication method, such as dedicated email addresses or phone numbers, to ensure they are not being monitored by an adversary. These plans should also include guidelines on when it is safe to restore systems and processes for doing so. Not having such plans can result in further issues like the attacker lurking within the network through a backdoor or returning through their original entry point.”

See previous articles


See next articles

Your podcast Here

New, you can have your Podcast here. Contact us for more information ask:
Marc Brami
Phone: +33 1 40 92 05 55

All new podcasts