Play attacks Virgin Islands Lottery

Incident Date:

February 6, 2024

World map



Play attacks Virgin Islands Lottery


Virgin Islands Lottery




St Thomas, USA


First Reported

February 6, 2024

Ransomware Attack on the Virgin Islands Lottery

A ransomware attack on the Virgin Islands Lottery’s information technology infrastructure led to multiple failures within its system, preventing the agency’s ability to generate tickets and conduct sales and forcing it to cancel several drawings until the matter was resolved.

Introduction to Play Ransomware

Play (aka PlayCrypt) is a RaaS that emerged in the summer of 2022 and has been accelerating the pace of attacks in the last half of 2023 to become one of the most prolific threat actors in the RaaS space. Play is noted for having similarities to the Hive and Nokoyawa ransomware strains.

Method of Attack

Play often compromises unpatched Fortinet SSL VPN vulnerabilities to gain access. The FBI issued a joint advisory in partnership with CISA asserting the Play gang had compromised over 300 organizations since emerging in June of 2022. Play has been observed leveraging Process Hacker, GMER, IOBit, and PowerTool to bypass security solutions as well as PowerShell or command script to disable Windows Defender.

High-Profile Attacks

Play made headlines with high-profile attacks on the City of Oakland, Argentina's Judiciary, and German hotel chain H-Hotels, as well as exfiltrating data from Fedpol and the Federal Office for Customs and Border Security (FOCBS).

Technical Capabilities

Play is an evolving RaaS platform known to leverage PowerTool to disable antivirus and other security monitoring solutions and SystemBC RAT for persistence. Play is known to leverage tools like Cobalt Strike for post-compromise lateral movement and SystemBC RAT executables and legitimate tools Plink and AnyDesk to maintain persistence, as well as Mimikatz and living-off-the-land binaries (LOLBins) techniques. Play also abuses AdFind for command-line queries to collect information from a target’s Active Directory.

Play first introduced the intermittent encryption technique for improved evasion capabilities. Play also developed two custom data exfiltration tools - the Grixba information stealer and the open-source VSS management tool AlphaVSS - that improve efficiency in exfiltrating sensitive information on the targeted network, as well as the open-source VSS management tool AlphaVSS. Play has been observed leveraging exploits including ProxyNotShell, OWASSRF, and a Microsoft Exchange Server RCE.

Geographical Focus and Tactics

Play ransomware gang has mainly focused attacks in Latin America, especially Brazil, but have attacked outside of that region. Play was observed to be running a worldwide campaign targeting managed service providers (MSPs) in August in an attempt to leverage their remote monitoring and management (RMM) tools to infiltrate customer networks. Play employs tactics similar to both the Hive and Nokoyawa ransomware gangs and engages in double extortion by first exfiltrating victim data with the threat to post it on their “leaks” website.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.