How ransomware nearly stopped a NASCAR racer in its tracks
And what you’ll see on the car in the next race, now that the attack is over.
When car number 95 hits the track this Saturday night in Daytona Beach, it will be all about motor, metal and nerves of steel.
In these crucial days before the race, however, it’s all about bits and bytes—the essential data the racing team uses to prepare for the 160-lap Coke Zero 400.
And that is when—and how—the attackers hit car 95’s team.
On a Tuesday in April, crew chief Dave Winston of Circle-Sport Leavine Family Racing found he could not access more than a million dollars’ worth of information about the car for the upcoming race.
“I tried to open a couple of files and all of a sudden every file I tried to open was encrypted and I couldn’t open anything. Needless to say, it sent fear running through my body really quick. You understand how much information we use,” he told NASCAR.com.
It was ransomware, and it was serious. Their files were frozen, with the race just days away. Even worse, if they did not pay within 48 hours, the demand notes said, they would lose research that could take 1,500 hours to recreate.
“The data that they were threatening to take from us was priceless; we couldn’t go one day without it greatly impacting the team’s future success,” Winston said in a post from cybersecurity company Malwarebytes. “What we did know was that if we didn’t get the files back, we would lose years’ worth of work, millions of dollars.”
The ransomware that attacked car 95’s team is called TeslaCrypt, and it uses an advanced encryption scheme, according to Malwarebytes.
You can get it simply by visiting one of your favorite websites, said Nathan Scott with Malwarebytes.
If you go to a site where attackers have placed a malvertising ad, the ad could use security holes to redirect your computer right into a trap—a server with an exploit kit, he explained. Attackers then download the TeslaCrypt ransomware onto your computer.
“By the time the user even goes to move his mouse, TeslaCrypt has already been executed and is preparing to perform its malicious duties,” Scott told Archer News. “This has all happened in seconds and the user has not seen anything different than normal, and has not clicked on anything.”
TeslaCrypt goes deep into your computer, deletes anything that would stand in its way, and encrypts your files—even those in cloud services and other external storage areas, according to Scott.
“TeslaCrypt will also put a ransom note in every folder of the machine affected with a detailed description of the attack, how to pay to get their files back, and to let them know any other method will not work,” Scott said.
“Because of the exploit used with this ransomware—and some ransomware having it built right in—TeslaCrypt can gain access to every contact e-mail in your e-mail client like Outlook, and e-mail them from under your account with the ransomware infection,” he added. “This causes many more infections because people will open items from family, friends and co-workers most of the time.”
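Scott’s description above boils down to two artifacts a defender can look for on a file system: user documents whose contents have become ciphertext (often with a new extension), and a ransom note dropped into every folder. The script below is an added example, not code from the article, from Malwarebytes, or from the race team; it scans a directory tree for both signs at once and flags the tree only when they appear together, which keeps legitimately high-entropy files (zips, photos) from triggering on their own. The note filenames and the `.locked`/`.encrypted` extensions are constructed placeholders, not TeslaCrypt’s real ones, and the sample “setup sheet” folders it builds are constructed test data.

```python
"""Added example: scan a directory tree for ransomware-like artifacts.

Two signals from the article are combined:
  1. files that look encrypted (suspicious extension or near-random content)
  2. a ransom note present in (nearly) every folder that holds files
Neither signal alone is conclusive; the verdict requires both.
"""
import math
import os
import random
import tempfile
from collections import Counter
from pathlib import Path

# Constructed placeholders: each ransomware family uses its own names.
NOTE_NAMES = {"HOW_TO_RESTORE_FILES.txt", "RECOVER_FILES.html"}
SUSPECT_EXTENSIONS = {".locked", ".encrypted"}
ENTROPY_THRESHOLD = 7.5   # bits/byte; plain documents sit well below this
MIN_SAMPLE = 1024         # skip tiny files, their entropy estimate is noisy
NOTE_DIR_RATIO = 0.8      # "a note in every folder", with a little slack


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for ciphertext, far less for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root: str) -> dict:
    """Walk the tree and report note coverage, suspect files and a verdict."""
    root_path = Path(root)
    dirs_scanned = 0
    note_dirs = 0
    suspect_files = []
    for dirpath, _dirnames, filenames in os.walk(root_path):
        if not filenames:          # empty folders tell us nothing
            continue
        dirs_scanned += 1
        if set(filenames) & NOTE_NAMES:
            note_dirs += 1
        for name in filenames:
            if name in NOTE_NAMES:
                continue
            path = Path(dirpath) / name
            rel = str(path.relative_to(root_path))
            if path.suffix.lower() in SUSPECT_EXTENSIONS:
                suspect_files.append(rel)
                continue
            try:
                head = path.read_bytes()[:65536]   # cap the read per file
            except OSError:
                continue
            if len(head) >= MIN_SAMPLE and shannon_entropy(head) >= ENTROPY_THRESHOLD:
                suspect_files.append(rel)
    ratio = note_dirs / dirs_scanned if dirs_scanned else 0.0
    verdict = "ransomware-like" if (ratio >= NOTE_DIR_RATIO and suspect_files) else "clean"
    return {
        "dirs_scanned": dirs_scanned,
        "note_dirs": note_dirs,
        "suspect_files": sorted(suspect_files),
        "verdict": verdict,
    }


def make_sample_tree(root: str, infected: bool) -> None:
    """Constructed sample data: three 'setup' folders with two files each.

    In the infected variant one file per folder is renamed with a suspect
    extension, the other keeps its name but holds random bytes, and a note
    is dropped in every folder including the root.
    """
    rng = random.Random(1)   # deterministic stand-in for ciphertext
    plain = b"Setup sheet: track bar 9.5in, wedge +0.25, tire psi 22/24\n" * 40
    if infected:
        (Path(root) / "HOW_TO_RESTORE_FILES.txt").write_text("pay within 48 hours")
    for folder in ("daytona", "talladega", "charlotte"):
        d = Path(root) / folder
        d.mkdir(parents=True, exist_ok=True)
        if infected:
            (d / "setup0.xlsx.locked").write_bytes(bytes(rng.getrandbits(8) for _ in range(4096)))
            (d / "setup1.xlsx").write_bytes(bytes(rng.getrandbits(8) for _ in range(4096)))
            (d / "HOW_TO_RESTORE_FILES.txt").write_text("pay within 48 hours")
        else:
            (d / "setup0.xlsx").write_bytes(plain)
            (d / "setup1.xlsx").write_bytes(plain)


def run_demo() -> dict:
    """Build an infected and a clean sample tree and scan both."""
    results = {}
    for label, infected in (("infected", True), ("clean", False)):
        with tempfile.TemporaryDirectory() as tmp:
            make_sample_tree(tmp, infected)
            results[label] = scan_tree(tmp)
    return results


if __name__ == "__main__":
    for label, r in run_demo().items():
        print(f"{label}: {r['verdict']} (notes in {r['note_dirs']}/{r['dirs_scanned']} folders, "
              f"{len(r['suspect_files'])} suspect files)")
```

Run it as-is to see both verdicts; to use it on a real share, call `scan_tree` on the mount point and replace the placeholder note names and extensions with the ones from your own incident data. Requiring both signals is the design choice worth keeping: a folder full of compressed archives scores high on entropy but has no notes, and a stray note file without encrypted neighbours is far more likely to be a leftover or a false alarm than an active infection.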
What can you do then?
“Once TeslaCrypt encrypts your files, that is the end of the line,” Scott said. “The infection has done what it needed to do, and honestly could remove itself at this point—which many do to evade research—and still be just as effective.”
It felt like the end of the line for Winston and his team, according to NASCAR.com.
“You don’t want to believe them,” Winston said. “Why would they give you your files back if all they are looking for is your money? But we needed to try something.”
The team discovered a bitcoin ATM at a convenience store near their shop in North Carolina, and worked on setting up a bitcoin wallet.
“We looked like the Keystone Cops walking into a little convenience store to buy these bitcoins,” Winston said.
“We drove there and scouted it out,” Jeremy Lange, team vice president, said on NASCAR.com. “The guy thought we were nuts. We were asking questions, kind of skeptical because none of us had ever heard of a bitcoin ATM before.”
They paid the $500 ransom via bitcoin, and received the key to decrypt their files in return.
“We programmed the key in and then the files were available within hours,” Lange said.
The story doesn’t end there. Circle-Sport Leavine Family Racing eventually found Malwarebytes and teamed up with them, not only to protect their systems, but to race together.
Car 95 will carry a massive “M” on its hood at a number of tracks this season.
“Now we’re working together with them to try and make it known to people that this can happen to anybody,” Winston said on NASCAR.com. “You’re not immune to it; everybody is susceptible to it. It’s like insurance, you never think about it until you need it.”
The encrypted data included “anything and everything that the CSLFR team had to ensure that their racing vehicles perform at their highest level, including setups worth over $1.5 million, car part lists, and custom high-profile simulation packages valued at $2 million,” according to Malwarebytes.
“Nothing, of course, was backed up because nobody ever backs up their computers until it’s too late, and I was guilty of that,” said Winston. “Now we’ve learned from that.”
Racing against ransomware
Nickelodeon, Geico, Target, FedEx—all NASCAR sponsors. Now add Malwarebytes to the list of names you’ll see during races, broadcast to millions of fans in more than 100 countries.
“My hope is simply that the knowledge of ransomware and its dangers are spread,” said Scott. “Too many users today either don’t know what ransomware is, think what is said about ransomware is an exaggeration, or simply believe they aren’t affected by it.”
“Because of this and the advanced methods ransomware uses, it has become one of the biggest threats to security today,” he added.
You may see reports in the news when hospitals and businesses are locked out of their files. But Scott said it strikes people’s home computers as well.
“Half the battle of stopping ransomware is getting the right knowledge out to everyone about ransomware, what it is capable of, and that each and every one of us is affected by it,” Scott said.
“I believe NASCAR will not only do this for their fans, but they will help save numerous of their fans’ personal files and precious memories that ransomware would otherwise take.”