
Theft, ransom ... bitcoins? The story behind CSLFR's new sponsor

Dave Winston

Photo Credit: Nigel Kinrade Photography 

Circle Sport-Leavine Family Racing begins an association with a new sponsor this weekend at Sonoma Raceway, and how the arrangement came into being is one of the more unusual stories in NASCAR.


Malwarebytes, a California-based company that provides advanced malware prevention and remediation, will serve as an associate sponsor on Michael McDowell's No. 95 Chevrolet for Sunday's Toyota/Save Mart 350 (3 p.m. ET, FS1, PRN, SiriusXM NASCAR Radio). The company will be the team's primary sponsor next month at New Hampshire Motor Speedway as well as other select events this season.


Before this year's Sprint Cup Series race at Texas Motor Speedway in April, crew chief Dave Winston wasn't familiar with Malwarebytes. But after a virus infected his company computer, encrypting crucial files and leaving him and his team feeling helpless, he learned not only about computer security, but about an entire underground network of cyber thieves, ransomware and the digital currency known as bitcoin.


The story sounds more like a script for a spy thriller than a real-world occurrence, full of intrigue and secrecy, including a theft and a ransom note, the result of a virus attack that left no trail and few clues.


But this was no Hollywood movie. The attack and the ransom note were real.


The hostage in this instance was crucial information belonging to the CSLFR team -- chassis information, wind tunnel and simulation data stored on Winston's computer. With the team making preparations for the Texas race, the inability to access those files brought work to a standstill.


Winston told NASCAR.com that he was in his office working on his computer when he noticed random files beginning to show up in various folders.


"I started seeing them more and more and said 'What is this?,' " he said. "I clicked on one of them and I don't remember if it came up with an actual picture of something, but what it looked like was a screen shot … of a logo or an email or something like it. I kept working and didn't think anything of it. But as I went on through the day I saw more and more of that happening. Didn't know why. I deleted a couple of them and just kept on going."


While on his way to Richard Childress Racing (CSLFR has a technical alliance with the NASCAR Sprint Cup Series organization) later that day, Winston said his team's engineer called and said files from the crew chief's computer were downloading into Dropbox, a file-sharing site used by the team.


At the RCR shop, Winston said he checked his laptop, while staying off the RCR network, "just to see if I could see what was going on.


"I tried to open a couple of files and all of a sudden every file I tried to open was encrypted and I couldn't open anything. Needless to say, it sent fear running through my body really quick. You understand how much information we use. Nothing of course was backed up because nobody ever backs up their computers until it's too late, and I was guilty of that. Now we've learned from that."


With the Texas race looming, "I couldn't open up any of the spreadsheets that I had created, any of the wind tunnel data that I had on my computer or anything. I didn't have access to any of it," Winston said. "I finished up what I had to do at Childress' and came back to the shop. About five or six of us decided that Tuesday night was a good time to learn about ransomware."



According to Nathan Scott, Malwarebytes' technical manager for ransomware, the particular virus "always has to do a certain set of things to be classified as ransomware.


"If it gets on your machine and it doesn't destroy your backups so you can't come back from the attack, if it doesn't encrypt your files and doesn't leave you a ransom note, then it's not ransomware," he said.


This particular virus met all the qualifications, including a note stating that a key to decrypt the files could be obtained for $500 in bitcoin currency.


Members of the management team began making calls in an effort to find someone who could clean the computer and recover the files.


"Of course, no one was able to help us," Winston said.


Internet searches offered a less-than-appealing suggestion: that the best course of action was to pay the ransom and hope the key to unlock the files was delivered.


"You don't want to believe them," Winston said. "Why would they give you your files back if all they are looking for is your money? But we needed to try something … so we made the decision to go ahead and pay the ransom, which opened up a whole other event.


"We had to learn about bitcoins, figure out how to buy them so we could pay it."



A long day grew longer as executives settled in around the conference room at the team's headquarters trying to understand ransomware, bitcoin currency and "trying to get Dave off the ledge because his data had been hacked and was being held for ransom," team Vice President Jeremy Lange said.


"All Dave wanted to do was pay the ransom. He didn't care if it was credit card, bitcoin, cash, he would have probably sold a child to get his information back."


Fortunately, again through searches on the internet, the team discovered that a bitcoin ATM was located barely two miles from the team's shop in Concord, North Carolina.


"We looked like the Keystone Cops walking into a little convenience store to buy these bitcoins," said Winston.

"We drove there and scouted it out," Lange added. "The guy thought we were nuts. We were asking questions, kind of skeptical because none of us had ever heard of a bitcoin ATM before."


The team's IT personnel had already downloaded an application for a bitcoin wallet, necessary for obtaining the online currency. Once they had the required amount, the bitcoin was then provided to the ransomware and the key to decrypt the files was delivered the following morning.


"We programmed the key in and then the files were available within hours," Lange said. "We tried to do it here (at our shop), then went to RCR and used their IT team; they helped us out and later that day the files were unlocked."


Winston said while working with the RCR group to prevent similar problems from occurring in the future, one company name that kept coming up was Malwarebytes.


"Now we're working together with them to try and make it known to people that this can happen to anybody," he said. "You're not immune to it; everybody is susceptible to it. It's like insurance, you never think about it until you need it."


It isn't known how Winston's computer became infected. But the damage done is a story that is all too common.


It starts when the ransomware virus gets on a computer.


"In the end, it leaves a ransom note that gives you a website to go to where you have to pay them in bitcoins, most of the time between $500 and $1,000 for an average user," Scott said.



The sponsorship package is "a mid- to six-figure deal," according to Lange, and is for the remainder of the 2016 season.


Unlike traditional sponsorships, it is the first sponsor agreement for the team using a CPM (Cost Per Impression) model as a sales tool.


"We're selling assets but we're (also) selling impressions," he said. "We're selling a guaranteed amount of impressions and then we are going to use the assets -- paint schemes, social media, driver appearances, press, etc., to basically drive the value of impressions to reach a certain amount, and that's what the program is based on."


Lange said the incident led the team to share its story with Malwarebytes and "let them know … how impactful it was.


"And it truly illustrated that it can happen to anybody," he said. "… It's really to build awareness among the NASCAR community and elsewhere by talking to people … let them know about the story. (That) was really what drove us to reach out to Malwarebytes because it's a real, live case study of sorts. Dave and CSLFR were at the mercy of the ransomware."


For Malwarebytes, Scott said this was a "traditional story."


"But what makes it extra special is that it's with a sport that people love and are influenced by, put their hearts into and enjoy it," he said. "It's different from me trying to call people or stand on a stage and tell them about it where they think I'm exaggerating or they aren't interested. If they actually see that somebody with NASCAR is getting hit by these things, then it's going to feel a lot closer to home to them. … we need all the knowledge out there that we can get."
