Virgin Islands Lottery resumes drawings after ransomware attack; director urges IT investment and staffing
May 30, 2025 | 2025 Legislature, Virgin Islands
This article was created by AI summarizing key points discussed. AI makes mistakes, so for full details and context, please refer to the video of the full meeting. Please report any errors so we can fix them. Report an error »
Raymond J. Williams, executive director of the Virgin Islands Lottery, told the Committee on Government Operations on June 1 that the lottery's systems were taken offline by a ransomware attack in mid‑March and that staff and contracted IT consultants spent weeks rebuilding systems from backups to resume drawings and payments.
Williams said the March 17 incident was identified when staff arrived at district offices and found servers and software encrypted; the commission's consultant SmartPoint Inc. confirmed the ransomware and a ransom note demanding payment. Williams said the attackers encrypted phones, servers and software in both districts and the incident was reported to the Bureau of Information Technology (BIT) and the Cybersecurity and Infrastructure Security Agency (CISA). "There was a ransom note found that basically said, if you want your encrypted information back, they would return same for a fee of a million dollars," Williams said.
The recovery and current status
- Rebuilding from backups: Williams told the committee the lottery could not restore operational systems from affected servers and therefore used offline backups and manual records to reconstruct sales, payment and draw data going back to February 2024. Staff and consultants sanitized equipment, loaded new security measures, and reentered sales data from hard-copy receipts for prior draws. The lottery resumed public draws on April 28; Williams described the recovery effort as "Herculean," with staff working nights and weekends.
- No banking compromise: Williams said the lottery's bank accounts and financial platforms were never accessible to the attackers; mandatory transfers and payroll continued without interruption once financial data was reestablished. The lottery completed mandatory transfers in April (Williams said transfers included mandated payments to the Government Retirement System and other statutory recipients).
- Cybersecurity hardening: The lottery said it has purchased new servers, contracted an additional cybersecurity monitoring firm, introduced multifactor authentication, and implemented multiple backup routines and daily verification alerts. Williams also said the lottery will migrate additional systems to BIT to improve resilience and central management.
- Staffing and vacancies: Williams and Deputy Executive Director Charlene Proctor reported several vacancies, including an IT director, marketing director and chief enforcement officer. They said recruitment has been difficult because some market salaries for skilled IT and cybersecurity staff are higher than current budgeted pay.
Why it matters: The territory's lottery funds statutory transfers (education, pharmaceutical aid, veterans and GERS contributions) and supports community sponsorships; a prolonged outage reduces sales and complicates payouts. Williams told senators he would provide a full listing of the lottery's investments and cash instruments to the committee.
Sales and public confidence
Williams said sales rebounded quickly after the resumed drawings and that the territory's drawing method uses an industry standard random‑number generator rather than a manual ball draw; he and senators discussed whether additional public visibility (live broadcasts or public demonstrations) would help restore consumer confidence. Williams said systems used across the U.S. lottery industry employ similar randomization and that safeguards include quarterly independent audits and multi‑person controls for draws.
Committee requests and next steps
Committee members asked for details on backups, investments and vendor contracts. Williams agreed to provide a listing of the lottery's money-market accounts, CDs and other investments and said the agency would continue to work with BIT and CISA on investigative and remediation steps. He emphasized that ongoing investment in technology and personnel will be required to reduce future risk.
Ending
"Any individual, entity, or organization is susceptible to a cyber attack," Williams told the committee. He described a plan of action to rebuild, fortify and ensure resiliency, and urged the Legislature to support budget changes that would make salaries and IT capacity competitive for recruiting needed talent.
Williams said the March 17 incident was identified when staff arrived at district offices and found servers and software encrypted; the commission's consultant SmartPoint Inc. confirmed the ransomware and a ransom note demanding payment. Williams said the attackers encrypted phones, servers and software in both districts and the incident was reported to the Bureau of Information Technology (BIT) and the Cybersecurity and Infrastructure Security Agency (CISA). "There was a ransom note found that basically said, if you want your encrypted information back, they would return same for a fee of a million dollars," Williams said.
The recovery and current status
- Rebuilding from backups: Williams told the committee the lottery could not restore operational systems from affected servers and therefore used offline backups and manual records to reconstruct sales, payment and draw data going back to February 2024. Staff and consultants sanitized equipment, loaded new security measures, and reentered sales data from hard-copy receipts for prior draws. The lottery resumed public draws on April 28; Williams described the recovery effort as "Herculean," with staff working nights and weekends.
- No banking compromise: Williams said the lottery's bank accounts and financial platforms were never accessible to the attackers; mandatory transfers and payroll continued without interruption once financial data was reestablished. The lottery completed mandatory transfers in April (Williams said transfers included mandated payments to the Government Retirement System and other statutory recipients).
- Cybersecurity hardening: The lottery said it has purchased new servers, contracted an additional cybersecurity monitoring firm, introduced multifactor authentication, and implemented multiple backup routines and daily verification alerts. Williams also said the lottery will migrate additional systems to BIT to improve resilience and central management.
- Staffing and vacancies: Williams and Deputy Executive Director Charlene Proctor reported several vacancies, including an IT director, marketing director and chief enforcement officer. They said recruitment has been difficult because some market salaries for skilled IT and cybersecurity staff are higher than current budgeted pay.
Why it matters: The territory's lottery funds statutory transfers (education, pharmaceutical aid, veterans and GERS contributions) and supports community sponsorships; a prolonged outage reduces sales and complicates payouts. Williams told senators he would provide a full listing of the lottery's investments and cash instruments to the committee.
Sales and public confidence
Williams said sales rebounded quickly after the resumed drawings and that the territory's drawing method uses an industry standard random‑number generator rather than a manual ball draw; he and senators discussed whether additional public visibility (live broadcasts or public demonstrations) would help restore consumer confidence. Williams said systems used across the U.S. lottery industry employ similar randomization and that safeguards include quarterly independent audits and multi‑person controls for draws.
Committee requests and next steps
Committee members asked for details on backups, investments and vendor contracts. Williams agreed to provide a listing of the lottery's money-market accounts, CDs and other investments and said the agency would continue to work with BIT and CISA on investigative and remediation steps. He emphasized that ongoing investment in technology and personnel will be required to reduce future risk.
Ending
"Any individual, entity, or organization is susceptible to a cyber attack," Williams told the committee. He described a plan of action to rebuild, fortify and ensure resiliency, and urged the Legislature to support budget changes that would make salaries and IT capacity competitive for recruiting needed talent.
View full meeting
This article is based on a recent meeting—watch the full video and explore the complete transcript for deeper insights into the discussion.
View full meeting