Ohio Lottery hit by cyberattack claimed by DragonForce ransomware

The Ohio Lottery was forced to shut down some key systems after a cyberattack affected an undisclosed number of internal applications on Christmas Eve.

While the incident is now under investigation, and the lottery is working to restore all impacted services, its gaming system is still fully operational.

"Mobile cashing and prize cashing above $599 at Super Retailers are currently not available," the lottery said in a press release published Wednesday.

"Additionally, winning numbers for KENO, Lucky One, and EZPLAY Progressive Jackpots are not available on our website or mobile app but can be checked at any Ohio Lottery Retailer."

Customers can also check the Ohio Lottery website and mobile app for winning numbers while the incident is being investigated and systems are being brought back online, according to a separate advisory.

They can also cash prizes up to $599 at any Ohio Lottery Retailer location, but those over $600 must be mailed to the Ohio Lottery Central Office or claimed using the digital claim form.

The Ohio Lottery mobile cashing app and its Super Retailer locations are not cashing any prizes above $599.

"On December 24, 2023, the Ohio Lottery experienced a cybersecurity incident impacting some of its internal applications and immediately began work to mitigate the issue," it added.

"The state internal investigation is ongoing. We apologize for the inconvenience and are working as quickly as possible to restore all services. "

Attack claimed by new ransomware gang

While the state lottery has not linked the incident to any known threat actors or hacking groups, the attack has already been claimed by the newly surfaced DragonForce ransomware gang.

The attackers claim to have encrypted devices and stolen data during the attack, including Social Security Numbers and dates of birth.

​A new entry added to the DragonForce data leak site suggests that the allegedly stolen files contain information belonging to Ohio Lottery customers and employees.

"More than 3,000,000+ entries, first name, last name, mail, addresses, winning amounts! SSN + DOB records of employees and players. [..] The total weight of the leak when unpacked is about 600+ gigabytes," the gang says.

Not much is known about the DragonForce ransomware gang, and while they are a new operation, their tactics, negotiation style, and data leak site indicate an experienced extortion group.

With law enforcement disrupting ransomware operations, it would not be surprising if this was a rebrand of a previous gang.