Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

6/24/2016
10:00 AM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

NASCAR Race Team Learns Ransomware Lesson The Hard Way

Pays ransom to save $2 million worth of information, warns others of the dangers.

Dave Winston had heard stories about people who had to pay money to get access to hijacked computer files, but like many everyday computer users going about their business, he didn't put much credence to the rumors. He wasn't familiar with the term ransomware and he didn't know what a Bitcoin was: But all that changed for the NASCAR Sprint Cup crew chief one day this spring when all of the files he depended upon to tweak his team's valuable race car specs had been encrypted by cybercriminals.

Winston and his colleagues with Circle Sport-Leavine Family Racing are coming forward today to talk about their very personal experience with Teslacrypt ransomware back in April -- to warn others of the reality of ransomware so that fewer businesses and computer users in their position don't have to learn the hard way.

"We learned first-hand that it’s a fact and it happens," Winston says. "So that’s what we’re hoping to be able to do is to spread the word and the knowledge, and have people understand that this is something that’s going to happen more and more and you have to protect yourself."

Circle Sport-Leavine Family Racing is a close-knit team with a small IT footprint of only about 10 computers. Prior to the ransomware attack, nobody on the team was super-savvy about backing up files or choosy about anti-malware packages. Each user was pretty much responsible for using whatever default antivirus came on the computer out-of-the box and there were no standards for protection. Things like ransomware and malware attacks simply weren't on the team's radar--they were too busy tuning their cars to perform well in the Sprint Cup series races.

As crew chief, Winston depends on his computer to store valuable and sensitive information vital to competing in the series.

"It was any information you could possibly imagine, whether it was track set-up information, car chassis information, wind tunnel information, personnel information, or parts information," he says. "Everything was on my computer and there were spreadsheets I used to determine setups and things like that in the car as we went from racetrack to racetrack." 

When he was confronted by the pop-up box that all of his data and files had been encrypted and he had to pay a ransom, he thought, "This can't be." So he tried to open another one. And another one. Soon, the panic kicked in.

He got four or five of his teammates around the table and they tried to figure out what happened. After hours of research on ransomware and the thought of losing what they estimated to be $2 million worth information just a few days before their cars were set to hit the next racetrack, they decided to bite the bullet. Considering that it would have taken the team 1,500 man-hours to recreate the data, they felt paying off the bad guys was their only option.

They found a Bitcoin ATM just a few miles away from them, loaded up with $500 worth of the digital currency, crossed their fingers and paid the extortionists. After a night sweating it out, the criminals did come through with an encryption key. But the next morning when they tried to apply it, they couldn't get it to work.

That's when they went to get help from their technical alliance partners at the Richard Childress Racing team, which does have an IT staff. Not only did they help them apply the key, but they got Circle Sport-Leavine Family Racing on the path toward future protection by steering them over to Malwarebytes and offering best practice advice on things like backup procedures and establishing standard security set-ups across all of their computers.

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada July 30 through Aug. 4, 2016. Click for information on the conference schedule and to register.

According to Nathan Scott, technical manager for ransomware for Malwarebytes, Winston and his team are not alone in learning about ransomware the hard way. It's the reason why ransomware is what he calls "the biggest threat of all time" and "technology's worst nightmare"--because there are lots of other anonymous victims out there just like this NASCAR team who bend to the simple but effective extortion.  

According to Malwarebytes information, instances of ransomware in exploit kits have increased by about 44% in the last six months alone.

Related Content:

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
hewenthatway
0%
100%
hewenthatway,
User Rank: Strategist
6/29/2016 | 12:49:37 AM
I liked that article. Precise timing would set that off.
It even ended on a good note with the infosec teams working together

Perhaps with a RAT module incorporated into the ransomware, the attackers could have at least seen what kind of data that they were working with and get a chance to demand more money or sabotage the team.  /s
downvotes in 3.2.1..
laurie.tyz
100%
0%
laurie.tyz,
User Rank: Apprentice
6/28/2016 | 8:24:57 AM
Was data integrity verified?
While the ransomware hackers are generally only interested in the Bitcoins and can otherwise be very helpful in recovering your data, I have to imagine that some hackers may also take the opportunity to make changes to the data.  In this specific example, a change in the settings associated with the race track and car could result in dangerous or even deadly crashes.  In a health care environment, a change in patients' allergies could result in complications or death.

Without backups how can anyone verity the integrity of the data?  It's likely there's lots of "trusting" that the hacker didn't change any data! 
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
The Flaw in Vulnerability Management: It's Time to Get Real
Jim Souders, Chief Executive Officer at Adaptiva,  8/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5034
PUBLISHED: 2019-08-20
An exploitable information disclosure vulnerability exists in the Weave Legacy Pairing functionality of Nest Cam IQ Indoor version 4620002. A set of specially crafted weave packets can cause an out of bounds read, resulting in information disclosure. An attacker can send packets to trigger this vuln...
CVE-2019-5035
PUBLISHED: 2019-08-20
An exploitable information disclosure vulnerability exists in the Weave PASE pairing functionality of the Nest Cam IQ Indoor, version 4620002. A set of specially crafted weave packets can brute force a pairing code, resulting in greater Weave access and potentially full device control. An attacker c...
CVE-2019-5036
PUBLISHED: 2019-08-20
An exploitable denial-of-service vulnerability exists in the Weave error reporting functionality of the Nest Cam IQ Indoor, version 4620002. A specially crafted weave packets can cause an arbitrary Weave Exchange Session to close, resulting in a denial of service. An attacker can send a specially cr...
CVE-2019-8103
PUBLISHED: 2019-08-20
Adobe Acrobat and Reader versions, 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2017.011.30142 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an out-of-bounds read vulnerability. Successful exploitation ...
CVE-2019-8104
PUBLISHED: 2019-08-20
Adobe Acrobat and Reader versions, 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2017.011.30142 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an out-of-bounds read vulnerability. Successful exploitation ...