Ransomware Attack Affects Parts & Service Network for 15,000 Auto Dealerships

Complete shutdown of the system and restore from the backups would be the best bet but IT would have to figure out how far back they need to look in the backups to restore from. In my particular case, the ransomware was a zero-day and 'only' got 5 desktop computers but it also partially got into the backups. The desktops were easy to deal with - they just needed a fresh reimage. The backup drives had to be shipped to a data recovery company and it was ~$30k+ in 2019 and they still couldn't get the data back, if I recall correctly. It took me 11 hours to reimage the computers, trace it back to patient zero, and find out what was infected. The office was on the smaller side though, less than 25 employees, and typically smaller offices like this can't or won't pay for services like off-site storage/backups and cannot afford or justify their own IT person, so pretty much every employee had admin access to their computer because they didn't want to pay every time they needed to do anything that required admin access.
Isn't the initial vulnerability still open however? Until you know how they got in, you're still vulnerable?

I think CDK restarted the morning of the first hack, and went down again immediately. I had wondered if they simply tried to restart from backups and the hackers took advantage of the same hole the second time around?
 
It took me 11 hours to reimage the computers, trace it back to patient zero, and find out what was infected.
Impressive. So you had to dig into each backup and file to see which one was not infected?

every employee had admin access to their computer because they didn't want to pay every time they needed to do anything that required admin access.
Yikes!

That's one of the reasons I appreciate removable storage. Simply remove the cassette, and your belongings are securely stored for as long as you need.
 

Yea it depends on how the ransomware got in. The one I went through was relatively easy to deal with compared to other horror stories. I've heard about ransomware, but it was my only experience with ransomware; we traced the issue back to a user and the file. All the stories I've heard from coworkers or IT friends about ransomware were involving smaller firms that also didn't have their own dedicated IT person so everyone had admin access. I can't imagine having to deal with a system like CDK getting infected.


The owner of the consulting company and a sysadmin guy checked the backups and did a more in-depth investigation of the servers while I was finding the infected computers and files off their file server. I'm an IT admin of a separate company and can't dedicate that much of my time so I was just the "boots on the ground" guy.
 
Still down at my dealership and the surrounding ones. Rest of the ones down are still closed. We have been busy because they are all closed.

Back years ago, I actually played around with ransomware that could be found online. I used it with programs like Returnil (a reboot-and-restore software program) and they always passed. As soon as the PC was rebooted, all was well.
 
Talk about coincidence.

We just got hit with ransomware because some user decided to plug in their infected USB drive. Fun fun fun. There goes my weekend.

At a previous job that was one of the things a security test did. Dropped random USB drives in the parking lot and checked to see if anyone plugged them in.
Thankfully, no one did.

That's a pretty good test. I wish I was able to lock ours down to that point but, given our remote-work nature, it would have significantly affected the end users. However, because of my situation, at this point I have no choice but to lock down all USB ports from functioning and give out company-specific encrypted USB drives.

EDIT: If anybody was wondering, it's the Akira ransomware Linux variant that attacks VMware ESXi, because some do-jo user had a bunch of cracked "Office 365" on their USB drive.

Have you checked to see if your AV solution can disallow USB mass storage on endpoints? Previous org had that through the AV and we'd allow specific HWIDs for specific approved USB drives, but there were like a total of 10 we allowed. Otherwise it'd just shut it down and alert us.
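The device-control approach in the post above (deny USB mass storage by default, allow a short list of approved drives by their hardware/instance ID, alert on everything else), as an added example that is not from this thread or any vendor product: a small Python audit of Windows Kernel-PnP style "Device ... was configured" log lines. The log lines, host names, serial numbers and the allowlist are all constructed, and matching is done on the full instance path (which includes the drive's serial) rather than the model-level hardware ID, so a second drive of an approved model still raises an alert.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Instance path layout for a USB mass-storage device as Windows reports it:
#   USBSTOR\Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>\<serial>&<instance>
# The part before the second backslash is the model-level hardware ID; the full
# path (with serial) identifies one physical drive.
_PATH_RE = re.compile(r"Device (USBSTOR\\[^\\]+)\\(\S+) was (?:configured|started)", re.IGNORECASE)

# Constructed sample lines: "<hostname> <Kernel-PnP style message>". Hosts and serials are made up.
SAMPLE_LINES = [
    "WS-FINANCE-03 Device USBSTOR\\Disk&Ven_Kingston&Prod_IronKey&Rev_1.00\\IK0001ALPHA&0 was configured.",
    "WS-SALES-11 Device USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\\ABC123456789&0 was configured.",
    "WS-SALES-11 Device HID\\VID_046D&PID_C52B&MI_01\\7&2A1B3C4D&0&0000 was configured.",
    "WS-FINANCE-03 Device USBSTOR\\Disk&Ven_Kingston&Prod_IronKey&Rev_1.00\\IK0099OMEGA&0 was configured.",
]
# Constructed allowlist: the one company-issued encrypted drive that is approved.
APPROVED_DRIVES = ["USBSTOR\\Disk&Ven_Kingston&Prod_IronKey&Rev_1.00\\IK0001ALPHA&0"]


@dataclass(frozen=True)
class UsbEvent:
    host: str
    hardware_id: str   # model-level ID, shared by every drive of that model
    instance_id: str   # full path including serial: one physical drive


def parse_event(line: str) -> Optional[UsbEvent]:
    """Parse one '<host> <message>' line; returns None for anything that is not USB mass storage."""
    host, _, message = line.partition(" ")
    m = _PATH_RE.search(message)
    if not m:
        return None
    hwid, instance_tail = m.group(1), m.group(2)
    return UsbEvent(host=host, hardware_id=hwid, instance_id=f"{hwid}\\{instance_tail}")


def audit(lines: Iterable[str], approved_instances: Iterable[str]) -> List[str]:
    """Return one alert string per USB mass-storage device that is not on the approved list."""
    approved = {i.upper() for i in approved_instances}   # instance paths are case-insensitive
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None and ev.instance_id.upper() not in approved:
            alerts.append(f"{ev.host}: unapproved USB storage {ev.instance_id} (model {ev.hardware_id})")
    return alerts


if __name__ == "__main__":
    for alert in audit(SAMPLE_LINES, APPROVED_DRIVES):
        print(alert)
```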
 
Pen, paper, and a file cabinet? :LOL:
Yes. I worked for the 911 Police and Fire Dispatch for Santa Clara County as a programmer administrator of the computer GPS and Records application.
The dispatchers are the ultimate cool heads. If the system faltered, they seamlessly failed over to a huge circular file card system. Their desk and phones surrounded the system.

Sit and listen to them for an hour, especially after hours; it will bring you to your knees. They actually have a quiet room if things get too tough. "He hit you where, Ma'am?"

Those people are bulletproof.