
Attacks/Breaches

6/24/2016
10:00 AM

NASCAR Race Team Learns Ransomware Lesson The Hard Way

Pays ransom to save $2 million worth of information, warns others of the dangers.

Dave Winston had heard stories about people who had to pay money to get access to hijacked computer files, but like many everyday computer users going about their business, he didn't put much credence in the rumors. He wasn't familiar with the term ransomware and he didn't know what a Bitcoin was. But all that changed for the NASCAR Sprint Cup crew chief one day this spring when all of the files he depended upon to tweak his team's valuable race car specs had been encrypted by cybercriminals.

Winston and his colleagues with Circle Sport-Leavine Family Racing are coming forward today to talk about their very personal experience with Teslacrypt ransomware back in April, to warn others of the reality of ransomware so that fewer businesses and computer users in their position have to learn the hard way.

"We learned first-hand that it’s a fact and it happens," Winston says. "So that’s what we’re hoping to be able to do is to spread the word and the knowledge, and have people understand that this is something that’s going to happen more and more and you have to protect yourself."

Circle Sport-Leavine Family Racing is a close-knit team with a small IT footprint of only about 10 computers. Prior to the ransomware attack, nobody on the team was particularly savvy about backing up files or choosy about anti-malware packages. Each user was pretty much responsible for using whatever default antivirus came on the computer out of the box, and there were no standards for protection. Things like ransomware and malware attacks simply weren't on the team's radar; they were too busy tuning their cars to perform well in the Sprint Cup series races.

As crew chief, Winston depends on his computer to store valuable and sensitive information vital to competing in the series.

"It was any information you could possibly imagine, whether it was track set-up information, car chassis information, wind tunnel information, personnel information, or parts information," he says. "Everything was on my computer and there were spreadsheets I used to determine setups and things like that in the car as we went from racetrack to racetrack." 

When he was confronted by a pop-up box announcing that all of his data and files had been encrypted and that he had to pay a ransom, he thought, "This can't be." So he tried to open another file. And another one. Soon, the panic kicked in.

He got four or five of his teammates around the table and they tried to figure out what had happened. After hours of research on ransomware, and faced with the thought of losing what they estimated to be $2 million worth of information just a few days before their cars were set to hit the next racetrack, they decided to bite the bullet. Considering that it would have taken the team 1,500 man-hours to recreate the data, they felt paying off the bad guys was their only option.

They found a Bitcoin ATM just a few miles away from them, loaded up with $500 worth of the digital currency, crossed their fingers and paid the extortionists. After a night sweating it out, the criminals did come through with an encryption key. But the next morning when they tried to apply it, they couldn't get it to work.

That's when they went to get help from their technical alliance partners at the Richard Childress Racing team, which does have an IT staff. Not only did that staff help them apply the key, but they also got Circle Sport-Leavine Family Racing on the path toward future protection by steering them over to Malwarebytes and offering best-practice advice on things like backup procedures and establishing standard security set-ups across all of their computers.


According to Nathan Scott, technical manager for ransomware at Malwarebytes, Winston and his team are not alone in learning about ransomware the hard way. It's the reason why ransomware is what he calls "the biggest threat of all time" and "technology's worst nightmare," because there are lots of other anonymous victims out there just like this NASCAR team who bend to the simple but effective extortion.

According to Malwarebytes information, instances of ransomware in exploit kits have increased by about 44% in the last six months alone.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
Comments
hewenthatway, User Rank: Strategist, 6/29/2016 | 12:49:37 AM
I liked that article. Precise timing would set that off.
It even ended on a good note with the infosec teams working together.

Perhaps with a RAT module incorporated into the ransomware, the attackers could have at least seen what kind of data that they were working with and get a chance to demand more money or sabotage the team.  /s
downvotes in 3.2.1..
laurie.tyz, User Rank: Apprentice, 6/28/2016 | 8:24:57 AM
Was data integrity verified?
While the ransomware hackers are generally only interested in the Bitcoins and can otherwise be very helpful in recovering your data, I have to imagine that some hackers may also take the opportunity to make changes to the data.  In this specific example, a change in the settings associated with the race track and car could result in dangerous or even deadly crashes.  In a health care environment, a change in patients' allergies could result in complications or death.

Without backups, how can anyone verify the integrity of the data? It's likely there's lots of "trusting" that the hacker didn't change any data!
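The integrity question raised in the comment above is the one point on this page that a defender can make concrete: a hash manifest built while the data is known-good and stored apart from the data itself (offline, or on a separate system) lets a team check, file by file, whether a restored or decrypted copy still matches what it had before. The following is an added example, not code from the article, from Malwarebytes, from Richard Childress Racing or from either commenter; the directory layout, file names and contents are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB pieces so large spreadsheets don't need to fit in memory


def sha256_file(path):
    """Return the hex SHA-256 digest of one file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_manifest(manifest, dest):
    """Write the manifest as JSON; in practice keep this copy off the machines it describes."""
    Path(dest).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src):
    return json.loads(Path(src).read_text())


def verify_manifest(root, manifest):
    """Compare the files now under root against a previously saved manifest.

    Returns four sorted lists: files whose hash still matches, files whose
    content changed, files that are gone, and files that were not there before.
    """
    current = build_manifest(root)
    return {
        "unchanged": sorted(k for k in manifest if current.get(k) == manifest[k]),
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo():
    """Constructed scenario: snapshot a setups folder, simulate a bad restore, verify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "setups"
        (root / "chassis").mkdir(parents=True)
        (root / "track_setup.csv").write_text("track,spring_lf,spring_rf\nDaytona,400,450\n")
        (root / "chassis" / "car_14.json").write_text('{"wheelbase": 110}\n')
        (root / "parts.txt").write_text("shock,qty,4\n")

        manifest_path = Path(d) / "manifest.json"  # stands in for an offline copy
        save_manifest(build_manifest(root), manifest_path)

        # Simulated post-restore state: one value silently altered, one file lost, one file added.
        (root / "track_setup.csv").write_text("track,spring_lf,spring_rf\nDaytona,400,250\n")
        (root / "parts.txt").unlink()
        (root / "extra.txt").write_text("not in the original snapshot\n")

        return verify_manifest(root, load_manifest(manifest_path))


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status}: {files}")
```

A manifest only answers "is this what I had?" for files that were hashed before the incident, so it belongs in the backup routine, not in the recovery routine; a byte-for-byte change such as the altered spring value in the constructed `track_setup.csv` is invisible to a person opening the file but shows up immediately as a hash mismatch.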