INTERNET

Hacked NASCAR Team Pays Out $500 In Bitcoins

After falling victim to a ransomware attack, a desperate NASCAR team gave in to the demands of hackers

INTERNET
Getty Images
Jun 29, 2016 at 12:07 PM ET

One problem with the sports world’s increasing reliance on advanced statistics and data analysis is that said information is immensely valuable, and as such they’re finding themselves the target of hackers. The team at Circle Sport-Leavine Family Racing found out the hard way just how vulnerable they are when their computers were hit with a ransomware virus, an increasingly common form of malware that infects computers, locks users out of the system or encrypts the files, and demands money in exchange for allowing them back in.

In this instance, the CS-LFR team got off on the cheap. Ransomware attacks are on the rise, costing businesses approximately $1 billion per year, according to the FBI, but these thieves only asked them to to pony up a grand total of… wait for it… $500 worth of bitcoins.

As first reported by nascar.com back in April, CS-LFR’s crew chief Dave Winston noticed that his computer was getting oddly buggy, with weird, unknown files popping up all over the screen.

“I started seeing them more and more and said ‘What is this?’ ” Winston said. “I clicked on one of them and I don’t remember if it came up with an actual picture of something, but what it looked like was a screen shot … of a logo or an email or something like it. I kept working and didn’t think anything of it. But as I went on through the day I saw more and more of that happening. Didn’t know why. I deleted a couple of them and just kept on going.”

Left unattended, the problem only got worse, as files containing crucial data about the car’s chassis, wind tunnel tests, and other simulations were shunted off to their Dropbox account. Later that day, while working offsite, Winston discovered that every single file on the team’s database had been encrypted, shutting Winston and the CS-LFR team out entirely. Since they’d failed to backup their files, they were screwed.

Given that they were deep into preparations for an upcoming Sprint Cup Series race, team officials huddled up in a state of near-panic, furiously Googling to see if they could solve the problem themselves and, “trying to get Dave off the ledge,” CS-LFR vice resident Jeremy Lange said.

When they received a ransom note demanding $500 dollars in bitcoins in exchange for a key that would decrypt the files, they buckled. “All Dave wanted to do was pay the ransom,” Lange said. “He didn’t care if it was credit card, bitcoin, cash, he would have probably sold a child to get his information back.”

Of course, that meant figuring out what the heck a bitcoin was and how to possibly transfer it to their e-kidnappers. Another frantic bit of Googling located an app for a bitcoin wallet and a bitcoin ATM located mere miles from CS-LFR’s headquarters. They then made a befuddled, wary trip to withdraw the online currency, since “none of us had ever heard of a bitcoin ATM before,” Lange said.

If that sounds like a small price to pay, it should. Given the fear and terror expressed by CS-LFR officials, it’s clear they would have shelled out far more than three figures if the hackers had simply asked, but imagine the dollar amounts that a pro sports franchises and/or league would be willing to pay if they were put at risk? The hackers are definitely aware.

In 2013, a now-former scouting director for the St. Louis Cardinals managed to get into the Houston Astros’ proprietary database, Ground Control, using an old, unchanged password to gain access to the Cardinals’ draft rankings, scouting reports, and potential trades. The Cardinals have yet to be punished by Major League Baseball for their transgressions, and the scouting director, Christopher Correa, hasn’t been sentenced to date, but a far more sophisticated effort could have wreaked serious havoc upon the entirety of their baseball operations.

Similarly, a low-level Milwaukee Bucks employee gave hackers the whole organization’s 2015 IRS W-2 documents after falling for a spear-phishing expedition. While no Bucks player or front office member has yet to report a case of identity theft, the potential for someone to file a false IRS return still looms, no matter what security precautions the team has taken since then.

And if mischievous or malicious hackers wanted to say, disrupt an entire Esports competition, demanding fistfuls of cash from ESPN or any of the sport’s newfound sponsors, that’s certainly on the table.

If there’s one bright spot to be found in this story, CF-LSR managed to pick up a new sponsor for their troubles, inking “a mid- to six-figure deal” with the company that helped bulk up their security systems in the wake of the hack, Malwarebytes.