stnazkul - stock.adobe.com

Ransomware hits CDK Global, public sector targets in June

The prevalent threat continued to cause disruptions last month as city halls were forced to close and auto dealerships faced downstream effects after an attack against CDK Global.

While one of June's most significant ransomware attacks occurred against software vendor CDK Global, the threat also heavily affected local governments and brought public services to a standstill.

Ransomware attacks continued against the public sector last month. Several U.S.-based schools and cities reported network disruptions in June that forced closures and difficult ransom demand decisions.

Though local governments, cities and schools took the brunt of the attacks, CDK Global suffered a ransomware attack that highlighted how disruptive the threat continues to be for victim organizations.

On June 18, Illinois-based CDK Global began experiencing outages due to a ransomware attack. CDK Global is an automotive technology provider that currently serves 15,000 dealerships. In a statement to The Record, CDK Global spokesperson Lisa Finney said the vendor proactively forced most of its systems offline to contain the attack, which caused disruptions that significantly affected its downstream customers.

One customer, Sonic Automotive, said in an 8-K filing on June 19 that CDK was notifying customers that certain system operations were suspended.

"As a result, the Company experienced disruptions to its dealer management system ('DMS') hosted by CDK, which supports critical dealership operations including those supporting sales, inventory and accounting functions and its customer relationship management ('CRM') system," Sonic Automotive wrote in the 8-K form.

That same day, Bleeping Computer reported that CDK suffered a second attack amid restoration efforts. Then, two days later, the cybersecurity news outlet revealed that the attackers were calling customers and posing as CDK agents to gain access to their systems. The technique, known as vishing, has been increasing across the threat landscape. The BlackSuit ransomware gang claimed responsibility for the CDK attack.

As of last Monday, USA Today reported that CDK said operations would resume on Thursday.

In another private sector ransomware attack, Patelco Credit Union in Dublin, Calif., confirmed that it suffered an attack on June 29 that hindered customers' access to their financial accounts. Patelco forced systems offline to contain the attack, which affected online banking services, the credit union's mobile app and call center operations. Subsequently, services such as transfers, direct deposits, balance inquiries and payment systems were all unavailable to customers.

Patelco said it's working with cybersecurity experts, law enforcement and regulators in response to the incident. The credit union assured customers that it would reimburse late payment fees that accrue from the outages. Patelco added that it would write letters on customers' behalf over credit score concerns.

Customers were also advised that Patelco ATMs could continue to experience intermittent outages throughout the recovery process. "Currently, you can access the funds from your direct deposit by writing a check, using an ATM card to get cash or make a purchase," Patelco wrote in a July 2 update. "We don't take lightly how severely this has impacted our members."

Public sector attacks continue

Traverse City, Mich., disclosed that it suffered a ransomware attack on June 12 that affected city government operations as well as public offices in Grand Traverse County. The city forced systems offline as a proactive measure and engaged law enforcement in an investigation. In the latest update on June 14, the city said the nonemergency number for public safety services was restored, but water, sewer and tax payment services remained down.

On June 25, The Ticker reported that Traverse City commissioners voted to update the city's insurance policy in response to the attack. Now, the city has a policy that provides $2 million in aggregate coverage for cybersecurity-related incidents, according to the local news outlet. Like the CDK incident, BlackSuit also claimed responsibility for the attack during communications with the city.

Newberg-Dundee Public Schools in Oregon also suffered a ransomware attack on June 12. The Newberg Graphic reported that the attack affected the school's ability to wrap up the end of the school year. The article also highlighted a statement from Superintendent Paula Radich that revealed system access and data were disrupted due to the attack. Radich added that the district was "already taking steps to protect our data" and said it was difficult to assess when systems would be fully restored.

City halls close

Another one of June's most significant attacks occurred against the Cleveland city government. Cleveland City Hall disclosed that the city suffered a cybersecurity incident on June 10 that forced it to shut down affected systems and close City Hall for nearly two weeks. Cleveland residents could not submit payments, permits, or building or housing applications. In an update on June 18, the city said some operations would resume on June 20.

"Despite the temporary closure of City Hall, essential city services, including Public Safety, waste collection, recreation centers, operations at the airport, Cleveland Public Power, Water and Water Pollution Control, have been operating normally to ensure the continued wellbeing and safety of our residents," the city wrote in the update.

According to another update posted to the city's Facebook page, City Hall reopened on June 20, 10 days after the initial attack. On June 19, ABC News 5 Cleveland revealed additional information on the city's ransom demand. In a statement to the news channel, Sarah Johnson, the City of Cleveland's chief communications officer, said the city had no intention of paying a ransom at that time. An investigation into the extent of data theft was also ongoing.

The BlackByte ransomware group claimed responsibility for a June 10 attack against the City of Newburgh, N.Y. On June 14, the city disclosed the incident and said it affected some public services, such as payments for property taxes, water, sewer, sanitation and parking. There were also "minor disruptions" to the police, fire, water, engineering and recreation department operations.

Newburgh said City Hall reopened on June 17 after restoring city phone and email services.

"The City's systems to process and accept payments will be phased in over the next seven-to-ten days, and a grace period for late property tax, water, sewer, and sanitation payments during this downtime to the City's payment systems will be established," the City of Newburgh wrote in the statement.

In a statement to Westchester News 12 on June 12, Orange County Executive Steve Neuhaus confirmed that the incident was ransomware. Neuhaus also revealed that the city issued emergency laptops and communication tools to the Newburgh Police Department.

On June 20, Mid Hudson News revealed that Newburgh held a $1 million cyber insurance policy. Newburgh City Mayor Torrance Harvey told the media outlet that the details of a possible ransom payment were left to the insurance company and the FBI. While it is unclear whether the city paid or not, services were being restored as of June 20.

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.

Next Steps

July ransomware attacks slam public sector organizations

Dig Deeper on Data security and privacy