Private Equity vs. “Barbarians” at the Gates: The Race to Ruin
By the time you’ve read this, you may or may not have heard about the CDK Global ransomware attack. This attack is not only holding CDK Global (a market leader in car dealership software) hostage but, by extension, roughly 15,000 US car dealerships as well. No software, no parts, no service. Some dealerships closed up shop, and some made the decision to return to paper and pencil for orders, giving hundreds of service managers hand cramps just thinking about it. As of this writing, June 20th, 2024, CDK Global still has not restored functionality and has suggested dealerships sever their always-on VPN connections to CDK’s data center, out of the fear that the attackers still have access to CDK and will use that connection to pivot to attacking the dealerships directly. The barbarians have gotten through the gate, they’ve set up a picnic and taken a shit in the village well, and private equity is directly to blame.
As one of my new favorite tech writers Nikhil Suresh said in his latest blog “I Will Fucking Piledrive You If You Mention AI Again”,
Whenever there is a ransomware attack, it is revealed with clockwork precision that no one has tested the backups for six months and half the legacy systems cannot be resuscitated — something that I have personally seen twice in four fucking years. Do you know how insane that is?
As an information security professional with years of both red team and blue team experience, I can tell you this is ABSOLUTELY the case. I can tell you first-hand that the first thing to get cut when private equity rolls through the front door is cost-centers, and infosec is viewed as a cost-center on balance sheets by finance guys who spent their time in college doing keg handstands and calling people who produce value for others plebs. Unless you’re running an infosec consulting firm, from private equity’s point of view security professionals do not add any direct value to a balance sheet the way devs building a SaaS product do, and they are usually the first on the chopping block. The main people who defend the gates of the village (the company) from the barbarians (hackers) are the first sent off to exile when the tribe is short on food.
But the tribe isn’t short on food, it’s short on fairness. And the reason it’s short is that CDK Global allowed the greedy beast that is private equity to make grand fucking meals for itself while letting everyone else slowly starve, extracting every bit of grain from the village before seeking another village to impoverish while fattening itself, and in the meantime leaving the previous village open to raiders and barbarians. There’s functionally no difference between private equity and ransomware attackers in their cruelty; one is just more honest about what and who they are and is far more technically skilled at achieving that goal.
When the private equity beast comes to town, it is always hungry yet full of promises. It will eat all your profits while promising more food is coming. It will eat your firewalls and tell you everyone will be protected as long as you watch this short video about how to properly check your mail, never mind the trebuchets and slings the barbarians also use. But once the food stores are gone, the walls nothing but stumps of foundation, and the village is just a shade of its former self, the beast departs, claiming none of this would have happened had the village “just been more productive.”
CDK Global has Brian McDonald at the helm, and this isn’t the first time he’s shit the bed at CDK Global and made their product worse through massive layoffs of entire departments necessary for core business functions, all to make his pockets a bit fatter when bonus time came around. His sheer incompetence led to his firing (and an 8-figure golden parachute), and now he’s back, he brought the beast of private equity with him, and it’s HUNGRY. First, they outsourced all support to a third-party company (who in turn rehired most of the laid-off CDK workers, at a lower rate than they were previously paid, of course). These are not the actions of a village seeking to grow. This is a village selling off its bricks for a quick buck, hoping the beast will eat all of the food stores before the barbarians get a chance to notice that the cooks and accountants are the ones left defending the village.
But the barbarians did notice, and now the food stocks are welded shut until they get what they want, and the beast doesn’t know shit about welding, lockpicking, or metallurgy. The beast only knows consumption, and it will turn on the villagers and demand they open the doors lest the beast consume them too. The problem is that all those villagers who could open the gate, the villagers responsible for the invisible, unnoticed work of maintaining the village’s infrastructure, are all out to pasture. Some have found other villages to work in, and some are still out in the wilderness, starting their own villages.
It’s been at least 2 days since the ransomware attack with no fix in sight, which tells me a few things on this list have to be true:
- They have no backups, or
- if they do have backups, they are outdated or were never tested, which is effectively the same as having no backups.
- No one knows how to restore backups.
- There is no disaster recovery plan, or if it exists it is outdated to the point of uselessness.
- Multiple single points of failure are baked into the infrastructure.
- They have no idea how compromised they are.
Theoretically, in a mature SaaS organization, you should be able to lose any single critical part of your core business and still restore functionality within 24 hours (barring a massive natural disaster or personnel losses). After all, that is the literal reason business continuity and disaster recovery plans exist. They aren’t written because infosec people just love catastrophizing for funsies.
Lose a server? Your orchestration software should spin up a replacement. Lose a database? Your SREs should be able to restore a known-good copy from your daily backups after initial forensics. VPN gets compromised? You should have a secondary out-of-band connection to refresh the tunnel and generate new client files if necessary to send to customers. This is what those villagers who are seen as unnecessary cost centers do. This is where their value is seen and understood, but now everyone is in the town square, hungry and fucking pissed, wondering why those people had to leave.
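The point above, that an untested or stale backup is functionally no backup at all, is easy to turn into a recurring check. The script below is an added illustration written for this post, not CDK’s tooling; the backup records, thresholds and sample blobs are all constructed, and the `sha256` field is assumed to be the digest recorded when the backup was written.

```python
"""Backup audit: flags backups that are stale, untested, or corrupt.

Added example (constructed data); assumes each backup job records the
time it was taken, the time it was last restored in a drill, and the
SHA-256 of the artifact at write time.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class BackupRecord:
    name: str
    taken_at: datetime
    last_restore_test: Optional[datetime]  # None = never restored in a drill
    sha256: str                            # digest recorded at write time
    blob: bytes                            # the artifact as it sits on disk now


def audit_backup(rec: BackupRecord, now: datetime,
                 max_age: timedelta = timedelta(days=1),
                 max_untested: timedelta = timedelta(days=30)) -> List[str]:
    """Return a list of findings; an empty list means the backup is usable."""
    findings = []
    if now - rec.taken_at > max_age:
        findings.append("stale")            # older than the daily cadence
    if rec.last_restore_test is None:
        findings.append("never-tested")     # no restore drill on record
    elif now - rec.last_restore_test > max_untested:
        findings.append("test-overdue")     # drill exists but is too old
    if hashlib.sha256(rec.blob).hexdigest() != rec.sha256:
        findings.append("corrupt")          # bytes no longer match the digest
    return findings


def audit_all(records: List[BackupRecord], now: datetime) -> dict:
    """Map each backup name to its findings so a report can be generated."""
    return {r.name: audit_backup(r, now) for r in records}


# Constructed sample: a healthy backup, a stale-and-untested one, a corrupt one.
NOW = datetime(2024, 6, 20, tzinfo=timezone.utc)
GOOD_BLOB = b"dealer-db-dump-20240620"
SAMPLE = [
    BackupRecord("dealer-db", NOW - timedelta(hours=6), NOW - timedelta(days=7),
                 hashlib.sha256(GOOD_BLOB).hexdigest(), GOOD_BLOB),
    BackupRecord("parts-db", NOW - timedelta(days=45), None,
                 hashlib.sha256(b"parts-dump").hexdigest(), b"parts-dump"),
    BackupRecord("vpn-config", NOW - timedelta(hours=2), NOW - timedelta(days=60),
                 "0" * 64, b"client-bundle"),
]
```

Run `audit_all(SAMPLE, NOW)` on a schedule and page someone when any value is non-empty; a backup that is "never-tested" for six months is the exact situation the quoted passage describes.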
Meanwhile, the barbarians have locked themselves inside the food stores and they are eating good, waiting on the private equity beast to do the one thing it’s designed not to do: share its food. And the beast? It’s shrugging its shoulders and asking, “Which villager seems the tastiest to eat in the meantime?”
The real barbarians were inside the village the whole time.
If you like my writing, feel generous, and want me to continue to autism rant on your screens, buy me a coffee (though New Zealand has gotten me addicted to tea) at https://ko-fi.com/blacktonystark