The story behind the Ohio Lottery Ransomware Attack

Christian Holmes


While most were enjoying the holiday break, employees at the Ohio Lottery were scrambling to save its data from what some experts would call a “serious” cyberattack. 

On the morning of Dec. 24, 2023, the Ohio Lottery released a statement saying that it had a “cybersecurity incident” that led to the shutdown of “some of its internal applications.”

How exactly would this impact its users?

“Mobile cashing and prize cashing above $599 at Super Retailers are currently not available,” the Ohio Lottery said in its statement.

“Additionally, winning numbers for KENO, Lucky One, and EZPLAY Progressive Jackpots are not available on our website or mobile app but can be checked at any Ohio Lottery Retailer.”

Luckily, customers could still use the website and the Lottery’s app to check winning numbers after a short period of downtime, so not all hope was lost. 

Here’s the kicker for some, though: The Lottery told its customers that prizes over $600 must be mailed to the Ohio Lottery Central Office or claimed using the digital claim form.

That was an issue, especially for the big winners of the holiday season. Those folks wanted their money right away. They didn’t want to wait for it to go through the mail or a digital claim form.

Unfortunately, that was the least of the Ohio Lottery’s worries.

Although the Lottery’s initial investigation couldn’t pin down a specific bad actor, the perpetrators were quick to claim responsibility, both publicly and directly to the Ohio Lottery.

According to BleepingComputer’s Sergiu Gatlan, the attackers were a relatively new and little-known ransomware gang dubbed DragonForce.

DragonForce, alluding to its ransomware hack of the Ohio Lottery, wrote on its dark web landing page that it had “more than 3,000,000+ entries, first name, last name, mail, addresses, winning amounts! SSN + DOB records of employees and players. [..] The total weight of the leak when unpacked is about 600+ gigabytes.”

In a communication with the Ohio Lottery, DragonForce gave its victim roughly three days to work out a deal to get their data back safely. Otherwise, the gang was going to leak all the data. 

Lottery Geeks can’t confirm whether a deal was reached between the Ohio Lottery and DragonForce. At the time of this writing, there have been no reports of the information being leaked on the dark web. One might speculate the safest outcome would’ve been just to pay the ransom, as that’s what companies like Caesars Entertainment have done in the past to avoid further disruptions to their services.

Lottery Geeks’ readers might be wondering: What’s the whole point of a ransomware attack in the first place? Why do these gangs take such significant risks to hack an entity like the Ohio Lottery? 

The simple answer is that money talks. Although many cybersecurity experts warn that big companies shouldn’t pay the ransom, the truth is most companies decide it’s better to pay up than to lose far more money by having their operations shut down and risking legal fallout if sensitive information in their care is leaked to unsavory entities on the dark web. 

In 2017, the WannaCry ransomware global epidemic exposed how dangerous and profitable these attacks could be. WannaCry spread around the world on its own, infecting over 230,000 computer systems running Microsoft Windows. 

Infected users were met with a ransom note on their screen demanding payment to recover their files.

Although most users wouldn’t pay the ransom, some with files worth recovering would.

According to computer science professor Dr. Mike Pound in a 2017 interview with Computerphile, that’s where the attackers would make their money. 

Knowing that ransomware attacks could yield high monetary gains, hackers expanded their arsenal. They looked for new ways to exploit vulnerabilities at their targets before security measures could be put in place to stop them from encrypting sensitive data and holding it for ransom.

Speaking with Lottery Geeks, cybersecurity expert and ethical hacker Falgun Rathod explained that ransomware operators rely on more than just computer viruses to get into their targets. 

When asked what vulnerabilities hackers look for specifically, Rathod said, “There are many, but most [hackers] are looking for network vulnerabilities as they can spread their ransomware through networks and encrypt data quickly.”

How do these hackers get access to the network?

Rathod said, “Usually, social engineering is one of the common ways to get into these companies’ networks. A common social engineering method is phishing or vishing.”

These hackers make the phishing email seem legit, like what someone working at a big company might get daily. With these people at the company being so busy, they might unknowingly click the link and hand over their login details. Just like that, the hackers have a way inside the company’s network.

If the phishing method fails, the hackers may opt for something like vishing, which Rathod said is “calling someone in the office by impersonating someone they know.” The hacker could pretend to have forgotten their password or something along those lines. With some sweet talking, the hackers could find a way to get the details they need and enter the network through that route.

In fact, when BetMGM was hacked in September of 2023, the hacking group Scattered Spider used several social engineering tactics to get into the company’s network. 

How can entities like the Ohio Lottery prevent such attacks from happening again? Rathod suggests preventing cyber attacks by utilizing “Defense in Depth methods, placing security controls at every layer of the process, the technology, and the people.”

Many cybersecurity experts are still waiting to see whether big companies will actually heed their suggestions. It’s obvious to some opinionated security-minded personalities like SomeOrdinaryGamers that companies like BetMGM, Caesars Entertainment, and the Ohio Lottery lack Fort Knox-like cybersecurity measures. 

Those very companies had almost always been unwilling to invest in their cybersecurity. The idea was that no one would try to hack such a big company. The legal outcome for those hackers would be atrocious. One thing the executives at these companies forgot was that if greed fuels the fire of the hackers, fear of the legal consequences won’t slow them down. 

With the influx of attacks, it’s expected that many companies are looking to invest more in their cybersecurity measures. There’s too much at stake for companies not to make a concerted effort to protect their data. That said, it’s the wild west out on the interweb. A lot of hackers have found ways to escape detection. If one side fixes its vulnerabilities, the other will try to find another way through. It’s a constant cat-and-mouse game that most likely will never stop.

That is why every expert Lottery Geeks spoke to for this article said that if a company has something worth taking, its accountants should allocate a large part of the budget to cybersecurity measures. Otherwise, situations much worse than the Ohio Lottery’s recent predicament can occur. Not only will a severe attack potentially leak lots of sensitive information, but the attack will ruin customers’ trust in the company. Such scenarios have far-reaching negative consequences for these companies’ revenue streams.