In April 2025, Hackread.com reported that the Medusa ransomware group had breached the National Association for Stock Car Auto Racing (NASCAR) and was demanding a $4 million ransom. NASCAR has since confirmed that its systems were compromised, corroborating Hackread.com's initial report.
A data breach notification submitted to the Office of the Maine Attorney General states that the breach occurred on March 31, 2025, and was discovered on June 24, 2025. Notably, Hackread.com had alerted NASCAR about Medusa’s claims on April 8, 2025, but the organization did not respond to the inquiry.
NASCAR's notification lists only names and Social Security numbers as the affected data types and gives no further detail. Hackread.com's analysis of the data Medusa leaked, however, found that the compromise covered a considerably broader range of information.
An initial review of the leaked files showed detailed raceway maps, staff email addresses and job titles, and credential-related material, which points to significant exposure of operational and logistical information beyond the personal data in the notice.
NASCAR has since notified impacted individuals and is providing one year of credit monitoring and identity theft protection through Experian.
This incident isn't NASCAR's first run-in with ransomware. In July 2016, a major NASCAR team was hit when ransomware infected a crew chief's computer, encrypting its files and demanding payment in Bitcoin.
The FBI Had Warned About Medusa Months Before the NASCAR Breach
The Medusa ransomware group, active since 2021, has ramped up its operations significantly in recent years. In 2023 it targeted Minneapolis Public Schools, leaking sensitive student and staff data after the district refused a $1 million ransom demand. Medusa's victims have included healthcare facilities, municipal governments, and telecommunications companies, and the group routinely publishes extensive internal documents when victims refuse to pay.
More recently, Medusa operators have been observed using stolen digital certificates to sign a driver that disables anti-malware and endpoint detection tools on compromised hosts, letting them move through a network with far less chance of being detected. The practical lesson for defenders is that a signature that looks valid is not by itself a reason to trust a kernel driver; signer identity, certificate revocation status and the path the driver loads from all matter. In a joint advisory issued on March 13, 2025, the FBI and CISA urged organizations to strengthen their defenses, emphasizing multi-factor authentication and monitoring for unusual certificate and signing activity.
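One way to act on the "monitor for unusual certificate activity" advice is to triage driver-load telemetry for exactly the pattern described above: a kernel driver whose signature is revoked or missing, whose signer is not one the organization expects, or which loads from a user-writable directory. The Python below is an added illustration written for this article, not code from Hackread.com, the FBI/CISA advisory or any Medusa analysis. It works on constructed records that mimic the Sysmon Event ID 6 (DriverLoad) fields ImageLoaded, Signed, Signature and SignatureStatus; the signer allowlist, the suspicious-directory list and all file paths and signer names are hypothetical, and the ATT&CK technique IDs attached to each finding are analyst hints, not proof of intent.

```python
"""Triage Sysmon Event ID 6 (DriverLoad) records for drivers that could be
used to disable security tooling, such as a driver signed with a stolen or
revoked certificate. Added example; the sample records, signer allowlist
and directory list below are constructed for illustration only."""

from dataclasses import dataclass

# Constructed sample records in "Field: value | Field: value" form.
# The field names match Sysmon Event ID 6; paths and signers are hypothetical.
SAMPLE_EVENTS = [
    "ImageLoaded: C:\\Windows\\System32\\drivers\\ndis.sys | Signed: true | Signature: Microsoft Windows | SignatureStatus: Valid",
    "ImageLoaded: C:\\Windows\\Temp\\svcdrv.sys | Signed: true | Signature: Example Hardware Ltd | SignatureStatus: Revoked",
    "ImageLoaded: C:\\ProgramData\\tmp\\filter.sys | Signed: false | Signature: | SignatureStatus: Unsigned",
    "ImageLoaded: C:\\Windows\\System32\\drivers\\vendorkb.sys | Signed: true | Signature: Acme Peripherals Inc | SignatureStatus: Valid",
]

# Signers an organization expects to see loading kernel drivers (assumption;
# a real allowlist is built from the fleet's own baseline).
TRUSTED_SIGNERS = {
    "Microsoft Windows",
    "Microsoft Windows Hardware Compatibility Publisher",
}

# Directories from which a legitimate driver should not be loading (assumption).
SUSPICIOUS_DIRS = ("c:\\windows\\temp\\", "c:\\programdata\\", "c:\\users\\")


@dataclass
class Finding:
    image: str
    severity: str
    reason: str
    technique: str  # ATT&CK technique ID most consistent with the observation


def parse_event(line: str) -> dict:
    """Split 'Field: value | Field: value' into a dict of stripped strings.
    partition() on the first ':' keeps drive letters in paths intact."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def triage_driver_load(event: dict) -> list:
    """Return zero or more findings for one DriverLoad record."""
    findings = []
    image = event.get("ImageLoaded", "")
    status = event.get("SignatureStatus", "")
    signer = event.get("Signature", "")
    signed = event.get("Signed", "").lower() == "true"

    # Revoked, expired or absent signatures: a stolen certificate that has
    # since been revoked shows up here, so this is the highest-value check.
    if not signed or status.lower() != "valid":
        findings.append(Finding(image, "high",
                                f"signature status {status or 'missing'}",
                                "T1553.002"))
    # A valid signature from a signer the fleet has never loaded before is
    # worth a look: a stolen certificate is still "valid" until revoked.
    elif signer not in TRUSTED_SIGNERS:
        findings.append(Finding(image, "medium",
                                f"valid signature from unexpected signer {signer!r}",
                                "T1553.002"))

    # Kernel drivers do not belong in temp or user-writable directories.
    if image.lower().startswith(SUSPICIOUS_DIRS):
        findings.append(Finding(image, "high",
                                "kernel driver loaded from a user-writable directory",
                                "T1562.001"))
    return findings


def triage_all(lines) -> list:
    """Run the triage over a sequence of raw records."""
    results = []
    for line in lines:
        results.extend(triage_driver_load(parse_event(line)))
    return results


if __name__ == "__main__":
    for f in triage_all(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.image}: {f.reason} ({f.technique})")
```

On the constructed input, the Microsoft-signed driver produces nothing, the revoked and unsigned drivers each produce two high findings (bad signature plus bad path), and the validly signed driver from an unknown vendor produces a single medium finding, which is the case that needs a human to decide whether the signer belongs on the allowlist. In production the same logic would consume Sysmon or EDR events from a SIEM rather than the inline list, and the unknown-signer rule should be tuned against a baseline of drivers the fleet actually loads.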
The size of the ransom demand issued to NASCAR is itself noteworthy. Rebecca Moody, Head of Data Research at Comparitech, noted that it exceeds the group's average demand by more than ten times, a premium that could reflect NASCAR's public profile or the volume and sensitivity of the stolen data. While the full consequences of the breach are still unfolding, the incident already ranks among the more significant ransomware cases of the year and confirms Medusa as a serious threat.
Viewed through the MITRE ATT&CK framework, the operation spans several tactics. Initial access was most likely gained through social engineering or exploitation of an unpatched vulnerability, the two entry routes most often associated with Medusa, followed by discovery and collection of operational data inside the network. The credential-related material in the leak points to credential access and privilege escalation, which is what allows an intruder to keep control of a compromised environment long enough to stage data for extortion.