As reported by multiple media outlets including Bloomberg, Bleeping Computer, and the Associated Press, a massive outage has hit a Software as a Service (or “SaaS”) provider that caters to thousands of automotive dealerships across North America. This ransomware attack was apparently perpetrated by the BlackSuit gang. As of the time of this writing, the SaaS provider is reportedly negotiating with the threat actors to receive a decryption key, along with a commitment not to disclose any sensitive data that may have been taken. In the meantime, the SaaS provider carried out a precautionary shutdown of its IT systems and data centers. An attempt to restore services in the days following the attack was quickly aborted in the wake of a second incident on their network.
This attack has disrupted car dealerships from coast to coast, leaving dealers scrambling to locate parts, move inventory, and secure financing. The SaaS provider has not yet confirmed whether customer data has been breached, but the lost income and extra expense associated with having a key software provider go offline are already proving challenging for impacted businesses. Dealers are resorting to pen and paper to keep operating, and some motorists are reporting that the sale of new vehicles or the servicing of their existing ones has been delayed. As dealers strive to develop workarounds, the SaaS provider has warned that threat actors have even taken to contacting dealers and pretending to be authorized agents of the SaaS provider, in the hopes of gaining access to the dealers’ systems. Despite these challenges, some dealers are reporting that connectivity to the SaaS provider has slowly begun to be restored.
The BlackSuit ransomware gang surfaced in May of last year and is believed to be composed of Russian and Eastern European hackers and extortionists who have reconstituted themselves from other ransomware gangs that have either disbanded or been busted by law enforcement. Late last year, the FBI and the Cybersecurity and Infrastructure Security Agency issued a statement noting that some of the group’s coding and encryption methods appear to resemble those of the now-defunct Royal ransomware gang, a group that perpetrated cyberattacks on over 350 organizations around the globe in its brief but notorious existence.
The fact that the SaaS provider has been opaque about the possible breach of customer data has not deterred at least two plaintiffs from filing putative class action lawsuits on behalf of aggrieved customers. The complaints, both filed in federal court in Illinois, allege that the SaaS provider failed to implement adequate data security safeguards. The lawsuits seek monetary damages from the SaaS provider, as well as injunctive relief in the form of enhanced privacy controls and a purge of existing customer records.