DragonForce Ransomware Attack on Ohio Lottery: 500,000 Personal Records Compromised

On May 9th, 2024, the Ohio Lottery was hit by a ransomware attack carried out by the cybercriminal group DragonForce. In this attack, over 500,000 personal records of Ohio Lottery participants were compromised, marking a significant breach of sensitive data. This attack once again highlights the growing threat of ransomware in targeting public sector institutions, which hold valuable data yet often lack the robust cybersecurity defences required to thwart such attacks.

The Attack: How DragonForce Breached Ohio Lottery

DragonForce, a relatively little-known but increasingly active ransomware group, leveraged sophisticated attack techniques to breach Ohio Lottery systems. Initial investigations suggest that the group likely gained access through a combination of exploiting software vulnerabilities and phishing campaigns, which are common entry points for ransomware attacks.

Once inside the system, DragonForce deployed their ransomware to encrypt critical data and exfiltrate personal records. The attack quickly disabled parts of Ohio Lottery’s IT infrastructure, forcing a shutdown of several internal systems and causing significant disruptions. With over 500,000 personal records compromised, the breach has affected a large number of lottery participants, potentially exposing names, addresses, financial details, and other personally identifiable information (PII).

DragonForce also followed the now-standard double extortion model. After encrypting the lottery’s systems, the group demanded a ransom, threatening to leak the stolen data on the dark web if payment was not made. While it remains unclear whether the Ohio Lottery paid the ransom, the attackers publicly posted samples of the stolen data, demonstrating their ability to leak further records if their demands were ignored.

Technical Details: DragonForce’s Ransomware Techniques

DragonForce is known for its use of highly targeted and sophisticated attack methods, combining social engineering with the exploitation of unpatched vulnerabilities in public-facing systems. Here’s a breakdown of some of the possible techniques used in this attack:

  1. Initial Access: DragonForce likely gained initial access through phishing attacks, where employees may have unknowingly clicked malicious links or opened malware-laden attachments. These types of attacks often utilise techniques like T1566.002 – Spearphishing Link, where emails are designed to trick employees into clicking a link that executes malicious code.
  2. Vulnerability Exploitation: DragonForce often exploits known vulnerabilities in outdated software and services. Vulnerabilities in web applications, especially those that handle personal records, are common targets. For example, a flaw like CVE-2023-27350, which affects web servers, could have been used to inject malware into Ohio Lottery’s systems (see CVE-2023-27350 on NVD).
  3. Data Exfiltration and Encryption: After gaining access, DragonForce likely used T1486 – Data Encrypted for Impact, encrypting lottery systems and rendering them unusable. This ransomware also incorporated data exfiltration techniques such as T1048.003 – Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, where sensitive data was moved out of the organisation to a remote server controlled by the attackers.
  4. Lateral Movement and Privilege Escalation: DragonForce is also skilled at moving laterally through networks using techniques like T1078 – Valid Accounts, where they steal login credentials to gain higher privileges, granting them deeper access into critical systems. Once they gain administrative control, the attackers can encrypt vital databases and services.
  5. Ransomware Payload: The ransomware payload used by DragonForce is modular and custom-built for large-scale disruption. Once deployed, it spreads quickly, encrypting files and blocking access to the compromised systems. The group also uses advanced evasion techniques to bypass traditional security tools, often employing T1071.001 – Application Layer Protocol for covert command-and-control communication.
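Two of the behaviours listed above leave fairly distinctive traces in ordinary telemetry: T1048.003 shows up as a large outbound transfer over a cleartext protocol to an external address, and T1486 shows up as one host renaming many files to the same new extension within seconds. The detection sketch below is an added example written for this article, not tooling from the Ohio Lottery, DragonForce, or any vendor; the log formats, hostnames, addresses, byte counts and alert thresholds are all constructed for illustration, and the "anything outside RFC 1918 is external" rule is an assumption a real deployment would replace with its own address inventory.

```python
"""Detection sketch for T1048.003 (bulk cleartext egress) and T1486 (mass
file renaming). Added example; all log lines and thresholds are constructed."""
import ipaddress
import os
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed egress log: ts src_host dst_ip dst_port proto bytes_out
EGRESS_LOG = """\
2024-05-09T01:12:03 claims-db01 10.0.4.20 443 https 81234
2024-05-09T01:12:40 claims-db01 203.0.113.17 21 ftp 734003200
2024-05-09T01:13:02 claims-db01 203.0.113.17 21 ftp 901120000
2024-05-09T01:13:45 hr-ws14 198.51.100.8 443 https 12000
2024-05-09T01:14:10 hr-ws14 203.0.113.17 80 http 2048
"""

# Constructed file-activity log: ts host user action old_path -> new_path
FILE_LOG = """\
2024-05-09T01:20:01 claims-db01 svc_backup RENAME /data/claims/2023/q1.csv -> /data/claims/2023/q1.csv.locked
2024-05-09T01:20:02 claims-db01 svc_backup RENAME /data/claims/2023/q2.csv -> /data/claims/2023/q2.csv.locked
2024-05-09T01:20:02 claims-db01 svc_backup RENAME /data/claims/2023/q3.csv -> /data/claims/2023/q3.csv.locked
2024-05-09T01:20:03 claims-db01 svc_backup RENAME /data/claims/2023/q4.csv -> /data/claims/2023/q4.csv.locked
2024-05-09T01:20:03 claims-db01 svc_backup RENAME /data/players/export.xlsx -> /data/players/export.xlsx.locked
2024-05-09T01:20:04 claims-db01 svc_backup RENAME /data/players/pii.db -> /data/players/pii.db.locked
2024-05-09T01:25:00 hr-ws14 jdoe RENAME /home/jdoe/report.docx -> /home/jdoe/report_final.docx
"""

# Assumed tuning values; a real deployment derives these from its own baseline.
CLEARTEXT_PORTS = {21, 80}                      # ftp / plain http
EXFIL_BYTES_THRESHOLD = 500 * 1024 * 1024       # 500 MiB within the window
EXFIL_WINDOW = timedelta(minutes=5)
RENAME_THRESHOLD = 5                            # renames to one new extension
RENAME_WINDOW = timedelta(seconds=60)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _is_external(ip_text):
    """Assumption: any address outside RFC 1918 space counts as external."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)


def _peak_in_window(events, window):
    """events: sorted (datetime, value) pairs. Largest sum of values over any
    trailing interval no longer than `window`."""
    peak = total = start = 0
    for t, v in events:
        total += v
        while t - events[start][0] > window:
            total -= events[start][1]
            start += 1
        peak = max(peak, total)
    return peak


def detect_exfil(log_text):
    """T1048.003: {(src_host, dst_ip): peak_bytes} for flows that push at least
    EXFIL_BYTES_THRESHOLD over cleartext ports to an external address."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        ts, host, dst, port, _proto, nbytes = line.split()
        if int(port) in CLEARTEXT_PORTS and _is_external(dst):
            flows[(host, dst)].append((datetime.fromisoformat(ts), int(nbytes)))
    alerts = {}
    for key, events in flows.items():
        peak = _peak_in_window(sorted(events), EXFIL_WINDOW)
        if peak >= EXFIL_BYTES_THRESHOLD:
            alerts[key] = peak
    return alerts


def detect_mass_rename(log_text):
    """T1486: {(host, new_extension): count} where one host changed the
    extension of at least RENAME_THRESHOLD files to the same value in a window.
    Renames that keep the extension (report.docx -> report_final.docx) are ignored."""
    renames = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        ts, host, _user, action = parts[:4]
        if action != "RENAME":
            continue
        old, new = " ".join(parts[4:]).split(" -> ")
        old_ext, new_ext = os.path.splitext(old)[1], os.path.splitext(new)[1]
        if new_ext and new_ext != old_ext:
            renames[(host, new_ext)].append((datetime.fromisoformat(ts), 1))
    alerts = {}
    for key, events in renames.items():
        count = _peak_in_window(sorted(events), RENAME_WINDOW)
        if count >= RENAME_THRESHOLD:
            alerts[key] = count
    return alerts


if __name__ == "__main__":
    for (host, dst), nbytes in detect_exfil(EGRESS_LOG).items():
        print(f"[T1048.003] {host} -> {dst}: {nbytes} bytes over cleartext port")
    for (host, ext), n in detect_mass_rename(FILE_LOG).items():
        print(f"[T1486] {host}: {n} files renamed to '{ext}' within {RENAME_WINDOW}")
```

Run against the constructed logs, the first detector flags claims-db01 pushing roughly 1.5 GiB to 203.0.113.17 over FTP and ignores the 2 KiB HTTP request from hr-ws14, while the second flags six renames to `.locked` on claims-db01 and ignores the ordinary document rename. Both checks are threshold-based and so produce noise at the wrong settings; the value of the sketch is in the shape of the signal, not the numbers.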

Impact of the Data Breach

The breach of over 500,000 personal records has serious implications for the Ohio Lottery and its participants. The compromised data likely includes a wide range of sensitive information, including:

  • Names, addresses, and contact details: Basic PII that could be used for identity theft or fraud.
  • Financial data: Lottery participants may have had bank details or credit card information exposed, putting them at risk of financial scams.
  • Lottery winnings and claims: If historical data about lottery claims were included, it could make high-profile winners targets for extortion or scams.

The Ohio Lottery is facing several challenges following the attack:

  • Reputation and Trust: Participants are likely to lose trust in the organisation, questioning its ability to protect their personal information.
  • Regulatory Action: The breach could attract scrutiny from regulators under U.S. data protection laws, and the lottery may face fines or legal consequences if it is found to have been negligent in protecting the data.
  • Financial Losses: Beyond the potential ransom demand, the lottery will incur costs related to system recovery, legal fees, and improving its cybersecurity defences.

DragonForce: A Rising Threat

Though DragonForce may not be as well-known as other ransomware groups like LockBit or BlackBasta, they have quickly built a reputation for targeting public institutions and businesses with valuable data. They are increasingly involved in ransomware attacks across various sectors, often choosing high-profile targets to maximise impact and extract higher ransoms.

DragonForce’s ability to carry out large-scale attacks with precision and efficiency suggests they have access to advanced tools and exploit kits, similar to more prominent ransomware groups. Their tactics include a focus on exploiting weak points in public infrastructure and leveraging large-scale data theft to pressure their victims into paying ransoms.

Mitigation and Prevention Strategies

The attack on Ohio Lottery illustrates the importance of strong cybersecurity measures, particularly in organisations that manage sensitive personal information. Here are several steps organisations can take to mitigate the risk of similar ransomware attacks:

  1. Patch Management: Keeping systems and software up to date with the latest security patches is critical. Vulnerabilities like CVE-2023-27350 are frequently exploited by ransomware groups, making timely patching essential.
  2. Phishing Awareness and Training: Educating employees on recognising phishing emails and suspicious links can significantly reduce the chances of a successful attack. Many ransomware attacks begin with a simple click by an unsuspecting user.
  3. Network Segmentation: Isolating sensitive systems, such as those handling personal records, from less critical services can help contain ransomware infections and limit the damage if an attack occurs.
  4. Regular Backups: Implementing secure, regular backups is one of the most effective ways to recover from a ransomware attack. These backups should be stored offline to prevent ransomware from encrypting them.
  5. Incident Response Plan: Having a well-documented incident response plan that includes ransomware attack protocols ensures that the organisation can respond quickly and minimise downtime. This includes isolation of infected systems, communication strategies, and steps for data recovery.
  6. Data Encryption: Encrypting personal and sensitive data at rest can add an additional layer of security. Even if attackers exfiltrate data, it would be useless without the proper decryption keys.
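Step 4 above says backups must be kept where ransomware cannot reach them, and step 5 that recovery steps belong in the plan. The part that is easy to skip is proving, before a restore, that the offline copy is still the one you made. The script below is an added example written for this article, not code from the Ohio Lottery or any backup product: it records a SHA-256 manifest of a backup tree, then simulates the two things ransomware typically does to files it can reach (overwrite in place, rename with a new extension, plus a dropped note) and re-verifies. The file names and contents are constructed.

```python
"""Integrity manifest for an offline backup set. Added example; assumes the
backup is a plain directory tree and that the manifest is stored alongside
the offline copy (or signed) so an attacker who can rewrite the files cannot
also rewrite the digests."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def _sha256(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file path (relative to root, POSIX form) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): _sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root, manifest):
    """Compare the tree at root against a previously stored manifest.
    Returns the three findings a restore decision needs:
      modified   - listed files whose content digest changed
      missing    - listed files that are no longer present
      unexpected - files present now that the manifest never listed"""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest
                           if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Build a small constructed backup set, record its manifest, tamper with it
    the way ransomware would, and return the verification findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        (root / "claims").mkdir(parents=True)
        (root / "claims" / "2023-q1.csv").write_text("claim_id,name,amount\n1,A,100\n")
        (root / "players.db").write_bytes(b"\x00" * 1024)

        manifest_json = json.dumps(build_manifest(root), indent=2)  # stored offline

        # Simulated tampering (constructed): one file encrypted in place, one
        # encrypted and renamed, and a note dropped into the tree.
        (root / "claims" / "2023-q1.csv").write_bytes(os.urandom(64))
        (root / "players.db").write_bytes(os.urandom(1024))
        (root / "players.db").rename(root / "players.db.locked")
        (root / "README_TO_DECRYPT.txt").write_text("constructed placeholder note\n")

        return verify_backup(root, json.loads(manifest_json))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category:>10}: {paths}")
```

A clean tree returns three empty lists; the tampered tree reports `claims/2023-q1.csv` as modified, `players.db` as missing, and both `players.db.locked` and the note as unexpected, which is exactly the signal that this copy must not be trusted for restore. The manifest is only as good as its own protection, which is why the docstring assumes it lives with the offline copy or is signed.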

Conclusion

The DragonForce ransomware attack on the Ohio Lottery underscores the critical threat that ransomware poses to public institutions and the broader community. With over 500,000 personal records compromised, this breach highlights the devastating consequences of lax cybersecurity in organisations handling sensitive data. As ransomware groups like DragonForce continue to evolve and target public-facing services, proactive cybersecurity measures have never been more essential.

While the Ohio Lottery is working to restore its systems and mitigate the damage, the attack serves as a wake-up call for other public institutions to strengthen their defences and prepare for the ever-growing ransomware threat.
