10:00 AM
Connect Directly

NASCAR Race Team Learns Ransomware Lesson The Hard Way

Pays ransom to save $2 million worth of information, warns others of the dangers.

Dave Winston had heard stories about people who had to pay money to get access to hijacked computer files, but like many everyday computer users going about their business, he didn't put much credence to the rumors. He wasn't familiar with the term ransomware and he didn't know what a Bitcoin was: But all that changed for the NASCAR Sprint Cup crew chief one day this spring when all of the files he depended upon to tweak his team's valuable race car specs had been encrypted by cybercriminals.

Winston and his colleagues with Circle Sport-Leavine Family Racing are coming forward today to talk about their very personal experience with Teslacrypt ransomware back in April -- to warn others of the reality of ransomware so that fewer businesses and computer users in their position don't have to learn the hard way.

"We learned first-hand that it’s a fact and it happens," Winston says. "So that’s what we’re hoping to be able to do is to spread the word and the knowledge, and have people understand that this is something that’s going to happen more and more and you have to protect yourself."

Circle Sport-Leavine Family Racing is a close-knit team with a small IT footprint of only about 10 computers. Prior to the ransomware attack, nobody on the team was super-savvy about backing up files or choosy about anti-malware packages. Each user was pretty much responsible for using whatever default antivirus came on the computer out-of-the box and there were no standards for protection. Things like ransomware and malware attacks simply weren't on the team's radar--they were too busy tuning their cars to perform well in the Sprint Cup series races.

As crew chief, Winston depends on his computer to store valuable and sensitive information vital to competing in the series.

"It was any information you could possibly imagine, whether it was track set-up information, car chassis information, wind tunnel information, personnel information, or parts information," he says. "Everything was on my computer and there were spreadsheets I used to determine setups and things like that in the car as we went from racetrack to racetrack." 

When he was confronted by the pop-up box that all of his data and files had been encrypted and he had to pay a ransom, he thought, "This can't be." So he tried to open another one. And another one. Soon, the panic kicked in.

He got four or five of his teammates around the table and they tried to figure out what happened. After hours of research on ransomware and the thought of losing what they estimated to be $2 million worth information just a few days before their cars were set to hit the next racetrack, they decided to bite the bullet. Considering that it would have taken the team 1,500 man-hours to recreate the data, they felt paying off the bad guys was their only option.

They found a Bitcoin ATM just a few miles away from them, loaded up with $500 worth of the digital currency, crossed their fingers and paid the extortionists. After a night sweating it out, the criminals did come through with an encryption key. But the next morning when they tried to apply it, they couldn't get it to work.

That's when they went to get help from their technical alliance partners at the Richard Childress Racing team, which does have an IT staff. Not only did they help them apply the key, but they got Circle Sport-Leavine Family Racing on the path toward future protection by steering them over to Malwarebytes and offering best practice advice on things like backup procedures and establishing standard security set-ups across all of their computers.

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada July 30 through Aug. 4, 2016. Click for information on the conference schedule and to register.

According to Nathan Scott, technical manager for ransomware for Malwarebytes, Winston and his team are not alone in learning about ransomware the hard way. It's the reason why ransomware is what he calls "the biggest threat of all time" and "technology's worst nightmare"--because there are lots of other anonymous victims out there just like this NASCAR team who bend to the simple but effective extortion.  

According to Malwarebytes information, instances of ransomware in exploit kits have increased by about 44% in the last six months alone.

Related Content:


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Strategist
6/29/2016 | 12:49:37 AM
I liked that article. Precise timing would set that off.
It even ended on a good note with the infosec teams working together

Perhaps with a RAT module incorporated into the ransomware, the attackers could have at least seen what kind of data that they were working with and get a chance to demand more money or sabotage the team.  /s
downvotes in 3.2.1..
User Rank: Apprentice
6/28/2016 | 8:24:57 AM
Was data integrity verified?
While the ransomware hackers are generally only interested in the Bitcoins and can otherwise be very helpful in recovering your data, I have to imagine that some hackers may also take the opportunity to make changes to the data.  In this specific example, a change in the settings associated with the race track and car could result in dangerous or even deadly crashes.  In a health care environment, a change in patients' allergies could result in complications or death.

Without backups how can anyone verity the integrity of the data?  It's likely there's lots of "trusting" that the hacker didn't change any data! 
The Case for Integrating Physical Security & Cybersecurity
Paul Kurtz, CEO & Cofounder, TruSTAR Technology,  3/20/2018
A Look at Cybercrime's Banal Nature
Curtis Franklin Jr., Senior Editor at Dark Reading,  3/20/2018
City of Atlanta Hit with Ransomware Attack
Dark Reading Staff 3/23/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.