Photo via Daniel Huerlimann-BEELDE / Shutterstock.com Remix by Jason Reed

How one NASCAR team was held hostage by a hacker and forced to pay a ransom for its data

Malware made racing team hit the brakes.

 

AJ Dellinger

Posted on Jul 8, 2016   Updated on May 26, 2021, 11:53 am CDT

Technical challenges arise on the regular in NASCAR races as teams try to optimize their vehicles to reach peak performance. But there’s never been a problem quite like the one Circle-Sport Leavine Family Racing (CSLFR) faced earlier this year, when its wealth of data was held hostage by ransomware.

It began in April, when company crew chief Dave Winston noticed some odd and unfamiliar files on his computer. He continued operating as usual, compiling data that teams typically utilize for races, including track data, information from test facilities, and personnel files.

The files sat unchecked until Winston left for a meeting. According to a spokesperson for CSLFR, a team engineer told Winston not to connect his computer to the network in the location he was heading to, as a cache of files was being uploaded to the team’s Dropbox account. When Winston arrived, he fired up his computer but remained disconnected from the network “to see what was going on.” 

Instead of the team files that he would normally see, Winston found that his files were inaccessible. No matter what he clicked on, only one file would open: a menacing image that presented him with instructions to either pay a ransom within 48 hours or lose the files forever.

Three computers in total belonging to the team were hit by the attack—all caught by TeslaCrypt. The trojan is a particularly nasty piece of ransomware, an increasingly common type of malicious software designed to restrict access to files or an entire system by encrypting them until a sum of money is paid.

The TeslaCrypt virus was originally built to target gaming-related data, but turned into a constantly evolving trojan that grew to be able to capture just about any type of file that it could find. The version that infected Winston’s machines could hit file types ranging from Word documents to PDFs, JPEGs, and other files.

In Winston’s case, the files placed under lock and key by the attackers included anything and everything pertaining to his racing team. Detailed setups involving the team’s vehicles that are valued at $1.5 million, custom simulation packages worth $2 million, lists of car parts, and more were encrypted by the virus.

According to Winston, “the data that they were threatening to take from us was priceless, we couldn’t go one day without it greatly impacting the team’s future success.” A spokesperson for CSLFR estimated it would take 1,500 hours of work to reproduce the data.

The price placed on the cache of very specific information was relatively small given its incredible value to the CSLFR team. The attackers demanded $500, to be paid in bitcoin, which Winston quickly ponied up after creating a bitcoin wallet and finding a nearby bitcoin ATM.

“This was a completely foreign experience for all of us, and we had no idea what to do. What we did know was that if we didn’t get the files back, we would lose years’ worth of work valued at millions of dollars,” Winston said.

A spokesperson for CSLFR said the team didn’t believe it had been targeted directly; had it been, the demand may have been much higher. Once the ransom had been paid, a key was granted and the team was once again able to access its files and prepare for its upcoming races. No additional contact was made with the attackers beyond the payment, a spokesperson for Malwarebytes told the Daily Dot, and the origin of the infection is unknown.

While the major crisis was averted by CSLFR, it left a considerable number of questions about the team’s security protocols. The possibility of another attack, either with a higher demand for payment or more malicious, led to the team pursuing outside support for protecting its valuable files.

The team was pointed to Malwarebytes, an internet security company that creates a range of products designed to protect devices like computers and smartphones. The company has built a reputation on catching and removing the viruses that other software can’t. In 2014, it claimed to have fixed more than 250 million computers and removed over five billion pieces of malware.

A Malwarebytes spokesperson said that after Winston and his team installed and ran Malwarebytes’s Anti-Malware program on their computers, they managed to rid themselves of additional infections that were hiding under the surface on their systems.

The team is blanketed by services to prevent further attacks now, and the relationship between Malwarebytes and CSLFR has expanded to the point that the team’s cars now bear the online security company’s logo during races.

But the incident has shed light on potential troubles for other teams and organizations that may not have previously considered acquiring the type of protection that would prevent such an attack, especially a more targeted offensive.

Ransomware attacks have generally been used to hit individuals, but recent months have seen the attacks evolve and lock down files at a much larger scale. Several instances of hospitals and healthcare providers being hit have created a considerable scare, while several universities have also been locked out of their extensive databases by the cryptoviruses. In total, the extortion tactics are expected to cost nearly $1 billion in losses to businesses and organizations going forward, according to the FBI.

A spokesperson for NASCAR told the Daily Dot there are currently no official protocols for data protection. The organization operates differently from many leagues, where teams are more universally structured and governed. NASCAR maintains no control over the business operations of each team or how they run, and places no overarching policy upon them when it comes to information security; it allowed CSLFR to respond to the situation as it saw fit.

The problem is of increasing concern to sports teams, which rely more and more on proprietary data and information to gain a competitive edge. What is housed on team computers and accessed by officials may not have much value outside the contained environment of the sport, but losing that data would greatly impact a team’s ability to succeed.

And that information has been handled rather recklessly by many teams. Earlier this year, a Milwaukee Bucks employee fell victim to a phishing attack that led to the surrender of the entire organization’s 2015 IRS W-2 documents. 

Similarly, a trainer for Washington’s NFL franchise had a laptop and flash drive that housed medical records for thousands of players—including 13 years’ worth of NFL Combine attendees—stolen from them. The information wasn’t taken digitally but from a physical break-in to the trainer’s car. According to the NFL, the files were believed to be unencrypted.

Even teams have gotten in on the hacking act as they understand the value in the data; after the former St. Louis Cardinals executive Jeff Luhnow joined the Houston Astros, a former employee of his in St. Louis was able to hack a database of player information belonging to the Astros by using one of Luhnow’s old passwords from his accounts with the Cardinals. The occurrence sparked an FBI investigation and created considerable controversy.

While unique, each of these instances is a result of failing to take security seriously. Everything from team operations to player safety could have been compromised, and organizations will have to put much more thought into not just how they gather information, but how they protect it.

*First Published: Jul 8, 2016, 11:18 am CDT