As a NASCAR crew chief, Dave Winston is constantly assessing risks. What are the problem spots on this track? Can the driver go another lap without a pit stop? Will adjusting tire pressure improve performance or cost us the race? With more than 15 years of experience working in and around NASCAR racing, Winston felt prepared to handle just about anything that might pose a risk to his team. But on April 5, when Winston’s work computer became infected with ransomware, he was completely unprepared for what was ahead.
For Winston, crew chief for the Circle Sports Leavine Family Racing team, the week began as a typical race week always does. The team traveled back to home base on Sunday night after a weekend of racing and spent the next three days prepping the car, team and driver for the upcoming race. But something out of the norm happened that stopped the team in its tracks.
“On Tuesday I had to disconnect my computer from our network and take it with me to our alliance partner before going to Texas where we’d be racing that weekend,” Winston told iDigitalTimes. “While I was driving, one of our race engineers called and told me not to connect my computer to the network because it was doing something strange to our shared files.”
According to Winston, the team frequently used Dropbox to house shared information team members needed to access regularly. This included critical stats and data used by the team before and during a race. But on Tuesday, when team members tried to access files in the shared account, they discovered the documents stored there were all being encrypted by Winston’s computer. As soon as he arrived at the alliance partner’s location, he swiftly began to investigate what was going on with his computer.
“I tried opening up a document but instead of it opening I got this screen that looked like Internet Explorer and it said that all my files had been encrypted and I needed to pay a ransom to get them back,” said Winston.
“I didn’t really believe it, at first. In fact, I didn’t even read the whole message. I just shut it down and tried to open another document.”
After several attempts at opening various files in Dropbox and on his computer, Winston began to realize that something had gone terribly wrong.
“At that point, panic set in,” Winston said. “That computer had personnel information on it, data acquisition files, simulation files, wind tunnel data, track data. Basically, everything we do lives on that computer.”
The CSLFR team is a small one, said Winston, and an information security technician was not a part of it, nor did the team have a comprehensive plan in place for keeping their data secure. “We have a person in charge of IT, but we didn’t have anything across all computers to protect them,” he said.
In addition, Winston said the team had no backup plan for their files outside of the shared Dropbox account.
With more than three million dollars’ worth of encrypted data that included car setup, parts lists and custom high-profile simulation packages that would cost an estimated 1,500 man-hours alone to recreate, the team decided its only alternative was to try to pay the ransom and hope for the best.
“It’s extremely important that we compete each week,” said Winston, “and here it was Tuesday night and we were basically shut down.”
The ransomware gave Winston’s team 48 hours to pay before the price would increase. “By how much we didn’t know,” he said.
Over the next several hours, Winston and his team had a lot to learn.
“We had to find out about bitcoin because that was how they wanted payment,” Winston said, “so it took some time to figure out what it was, how to get it and how to get it to them.”
The team submitted its bitcoin payment around 11 p.m. that evening, and by Wednesday morning they received the decryption keys needed to unlock the encrypted files. Fortunately for Winston, his computer was the only one infected by the ransomware and the monetary cost to the team was just $500 or 1.3 bitcoin.
“Had it been a higher ransom, I don’t think I would have been able to say ‘let’s do this’,” Winston said, “and then we would have really been behind the 8-ball competitively. In this business and this sport you rely on your computers for everything your team does and if we would have gone to Texas without that information it would have been really detrimental to this team.”
Ransomware infections have become a growing threat to computer users of all kinds, increasing nearly 44 percent in the last six months alone. While it’s unclear exactly how Winston’s computer became infected with ransomware, one thing is certain: he doesn’t ever want it to happen again.
As a team, CSLFR has installed Malwarebytes tools on all its computers to help detect and defend against various types of ransomware. They’ve also assigned each computer a portable hard drive, which they are using to regularly back up data. But CSLFR is taking the message a step further. Partnering with Malwarebytes, the team is working on promoting ransomware awareness amongst NASCAR teams and fans. The team’s car will soon sport a Malwarebytes logo as the company prepares to become a full-time sponsor for the team starting with the NASCAR race in Loudon, N.H.
“As an engineer, my goal is to always figure out the fix, not just the bandaid,” Winston said. “We hope this partnership with Malwarebytes will help provide information for more people outside of our team before they run into the kinds of problems we did.”
To find out more about CSLFR’s story and partnership with Malwarebytes, see the official announcement.