The Medusa ransomware-as-a-service (RaaS) claims to have compromised the computer systems of NASCAR, the United States' National Association for Stock Car Auto Racing, and made off with more than 1 TB of data.
In a posting on its dark web leak site, Medusa has demanded a US $4 million ransom be paid for the deletion of NASCAR's data.
At the top of the page, Medusa has placed a countdown timer; when it expires, the group threatens to make the data stolen from NASCAR available to anybody on the internet. The countdown deadline can be extended at a cost of US $100,000 per day.
In an attempt to verify its claim of having hacked NASCAR, Medusa has published screenshots of what it claims are internal documents - including some purporting to show the names, email addresses, and phone numbers of NASCAR employees and sponsors, as well as invoices, financial reports, and more.
Furthermore, the ransomware gang has published a substantial directory illustrating NASCAR's internal file structure and the names of documents that have been exfiltrated.
Although NASCAR has not yet confirmed or denied reports that it has been hit by a ransomware attack, the details published by Medusa on its leak site appear to be credible.
Last month, the FBI and CISA published a joint cybersecurity advisory warning that the Medusa ransomware had impacted over 300 organisations, including those in critical infrastructure sectors such as medical, education, legal, insurance, technology and manufacturing.
Past victims of the Medusa ransomware have included the Minneapolis Public Schools (MPS) district, which refused to pay a million-dollar ransom and saw approximately 92 GB of its stolen data released to the public. The group has also boasted about stealing Microsoft source code in the past. Other Medusa ransomware victims have included cancer centres and British high schools.
If the claims that NASCAR is the latest victim of Medusa are accurate, it won't be the first time that the world of one of the USA's most popular sports has been impacted by cybercrime.
For instance, in 2016 the Circle Sport-Leavine Family Racing (CSLFR) team found its computer systems unusable after they were hit by a variant of the TeslaCrypt ransomware.
The CSLFR team ultimately decided to pay the ransom, and received a decryption key that enabled them to unlock their impacted computers.
More recently, in March 2025, the official Twitter account of NASCAR itself was hacked in order to post a message promoting a NASCAR-themed cryptocurrency token.
Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.