The Medusa ransomware-as-a-service (RaaS) claims to have compromised the pc programs of NASCAR, the US’ Nationwide Affiliation for Inventory Automotive Auto Racing, and made off with greater than 1TB of knowledge.
In a posting on its darkish net leak web site, Medusa has demanded a US $4 million ransom be paid for the deletion of NASCAR’s knowledge.
On the prime of the web page, Medusa has positioned a countdown timer – whereafter it threatens to make the info stolen from NASCAR out there to anyone on the web. The countdown deadline will be prolonged at a value of US $100,000 per day.
In an try and confirm its declare of getting hacked NASCAR, Medusa has printed screenshots of what it claims are inner paperwork – together with some purporting to indicate the names, e-mail addresses, and telephone numbers of NASCAR workers and sponsors, in addition to invoices, monetary studies, and extra.
Moreover, the ransomware gang has printed a considerable listing illustrating NASCAR’s inner file construction and the names of paperwork which were exfiltrated.
Though NASCAR has not but confirmed or denied studies that it has been hit by a ransomware assault, the small print printed by Medusa on its leak web site seem like credible.
Final month, the FBI and CISA printed a joint cybersecurity advisory warning that the Medusa ransomware had impacted over 300 organisations, together with these in vital infrastructure sectors equivalent to medical, schooling, authorized, insurance coverage, expertise and manufacturing.
Previous victims of the Medusa ransomware have included Minneapolis Public Faculties (MPS) district, which refused to pay a million-dollar ransom and noticed roughly 92 GB of its stolen knowledge launched to the general public. The group has additionally boasted about stealing Microsoft supply code previously. Different Medusa ransomware victims have included most cancers centres, and British excessive faculties.
If the claims that NASCAR is the newest sufferer of Medusa are correct, it will not be the primary time that the world of one of many USA’s hottest sports activities has been impacted by cybercrime.
As an example, in 2016 the Circle Sport-Leavine Household Racing (CSLFR) discovered its laptop programs unusable after they had been hit by a variant of the TeslaCrypt ransomware.
The CSLFR crew finally determined to pay the ransom, and acquired a decryption key that enabled them to unlock their impacted computer systems.
Extra lately, in March 2025, the official Twitter account of NASCAR itself was hacked with a purpose to submit a message selling a NASCAR-themed cryptocurrency token.
