Several large car-dealership companies in the U.S. filed notices with regulators on Friday in relation to a ransomware attack on CDK Global that has stymied work at thousands of dealers across North America over the last week. 

Lithia Motors, Group 1 Automotive, Penske and Sonic Automotive warned the U.S. Securities and Exchange Commission (SEC) that they are all facing disruptions because CDK Global had to shut down its systems in response to the attack, which began last Tuesday. 

CDK’s flagship product is a software-as-a-service platform used by dealerships to manage customer relationships, sales, financing, service, inventory and back-office operations.

All of the SEC filings say the companies have had to implement incident response plans to continue operating while the system is down. Lithia Motors, Sonic Automotive and Group 1 Automotive each said they severed all connections to CDK as a precautionary measure but found no evidence of compromise on their systems. 

Sonic Automotive noted that, as of Friday, the “extent to which the threat actor accessed any customer data” is still unknown.

“While this incident has had, and is likely to continue to have, a negative impact on the Company’s business operations until the relevant systems are fully restored, the Company has not yet determined whether the incident is reasonably likely to materially impact the Company’s financial condition or results of operations,” Lithia said. 

Group 1 wrote that CDK believes the dealer management system will be restored in “several days and not weeks.” The company will only know whether its finances are materially affected based on the amount of time the system is down.  

Penske said the outage primarily affected its Premier Truck Group — which sells heavy- and medium-duty trucks at 48 locations across 11 states and provinces in the U.S. and Canada. The filing says it “has implemented its business continuity response plans and continues to operate at all locations through manual or alternate processes developed to respond to such incidents.”

“The commercial truck dealership business has lower unit volumes than the automotive dealership business and principally serves business customers,” Penske explained. 

Bloomberg reported late on Friday that CDK is negotiating with the ransomware gang behind the attack, which BleepingComputer later reported to be the BlackSuit ransomware gang. BlackSuit is a rebrand of the Royal ransomware group that launched a devastating attack on the city government of Dallas last year. 

According to Bloomberg, CDK is planning to pay the ransom, the amount of which was not disclosed. 

CDK has set up phone numbers with prerecorded messages warning customers that it has received reports of hackers posing as members of CDK staff in an effort to get access to systems. 

CDK was on its way to recovering from the attack last week before suffering a setback on Thursday — prompting the complete shutdown of the company’s systems. 

“Late in the evening of June 19, we experienced an additional cyber incident and proactively shut down most of our systems. In partnership with third party experts, we are assessing the impact and providing regular updates to our customers,” a company spokesperson told Recorded Future News. 

More than 15,000 car dealers across North America use CDK Global’s systems for nearly every aspect of their operations — including facilitating car sales, repairs, registrations and more.
