NEW YORK: A hacking group called BlackSuit is behind the cyberattack on CDK Global that’s paralysed car sales across the United States, according to Allan Liska, a threat analyst at the security firm Recorded Future Inc.

The cybercrime group has demanded an extortion fee in the 10s of millions of dollars from CDK, which plans to make the payment, Bloomberg News reported.

CDK’s name was not listed on Monday on the website where BlackSuit names its extortion victims, a possible indication that the company is still in negotiations with the group or has paid a ransom, said Liska, who specialises in ransomware investigations and has been in discussions with those involved in the CDK case.

CDK declined to comment about the identity of the attackers on Monday.

The company expects to restore services within the coming days and is working with law enforcement, company spokesperson Lisa Finney said.

The US Department of Health and Human Services recently declared in an alert that BlackSuit should be “closely watched” as a threat, in part because of the gang’s ties with other extortion groups.

It uses malware and attack techniques that are remarkably similar to the defunct Russian-speaking Conti gang, suggesting to cyber researchers that BlackSuit is partly made up of experienced Russian hackers.

The group functions as a ransomware-service gang, in which members lease their technical tools to affiliates and demand a cut of any extortion payments.

BlackSuit has potential ties with another group known as Royal Ransomware, according to Jon Clay, a threat intelligence researcher at the cybersecurity firm TrendMicro.

BlackSuit’s malicious software shares code with Royal Ransomware tools, according to the US Cybersecurity and Infrastructure Security Agency (CISA).

The extent to which the groups are made of the same people remains unclear.

Royal Ransomware targeted at least 350 victims and demanded more than US$275mil in ransom fees in 2022 and 2023, according to the FBI and CISA, a unit of the Department of Homeland Security.

 - Bloomberg