Cyber Incident Victim: Relentless Church
Date:
Apr 2023
Location:
United States of America
Summary
Relentless Church, a large South Carolina-based institution, fell victim to a ransomware attack claimed by the LockBit group. The attackers breached the church's servers and claimed to have stolen a variety of sensitive employee data, including financial documents and passports. The church detected the external attack and immediately engaged a security firm to investigate the breach and secure its systems. Ministry operations and services were reported to continue as normal throughout the incident.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around April 29, 2023, Relentless Church, an evangelical megachurch based in Greenville, South Carolina, fell victim to a ransomware attack. The church, described as a multi-cultural, non-denominational place of worship with over 15,000 members and an online viewership exceeding 100,000 during streamed services, was targeted by a cybercrime group. The notorious LockBit ransomware gang claimed responsibility for the attack, publicly adding Relentless Church to its list of victims on its data leak site on Saturday, April 29. The group claimed to have successfully stolen a quantity of the church's internal data.
The church's internal information technology team was the first to detect the external attack on its servers. Upon discovery of the suspicious activity, the organization immediately initiated its response protocol. The church leadership, led by Senior Pastor John Gray, promptly hired an external top-tier cybersecurity firm to assist in the investigation and response. The primary objectives of this engagement were to conduct a comprehensive forensic investigation to determine the origin point of the breach, assess the full scope of the intrusion, and implement measures to secure the church's data and protect congregant information.
According to the claims made by the LockBit group on its leak site, the stolen data included a range of sensitive employee information. The hackers specifically alleged they had accessed and exfiltrated documents such as employee passports and financial records. The exact volume of data taken and the number of individuals affected were not publicly disclosed by the church as the investigation was ongoing. Pastor Gray stated that he was unable to comment further on what specific information may have been compromised while the forensic review was still in progress.
Despite the disruptive attack, the church leadership was emphatic that its operations would continue unimpeded. Pastor Gray publicly affirmed that all church services and ministry programs would carry on as usual, stating the incident would not stop or hinder their activities. The church's servers remained operational throughout the incident response process, indicating that the attack may have been primarily a data theft extortion event rather than one that caused widespread encryption and system downtime. The church expressed strong confidence that their data was secured and their congregation's information was protected as a result of the immediate actions taken.
The public claims by LockBit brought the incident into the wider cybersecurity landscape, where it was noted as part of a broader trend that weekend. The attack on Relentless Church was immediately followed by a separate claim from another cybercrime group, Karakurt, which stated it had attacked a Catholic publishing company. This prompted analysis from security experts who noted that while attacks on religious institutions are not entirely unprecedented, they are comparatively unusual. Financial motivation was cited as a likely primary driver, with experts suggesting that typical ransomware groups focus on corporations and government agencies but may make exceptions for larger entities like megachurches which potentially have greater resources.
The response from Relentless Church included not only technical measures but also public statements directed at the attackers. Pastor Gray addressed the individuals responsible, offering a theological rebuke and advising them to leave religious institutions alone and instead make an honest living. The church also followed broader guidance recommended for breach victims, which includes reporting the incident to law enforcement agencies. The attack on Relentless Church occurred amidst a string of other ransomware incidents affecting South Carolina entities, including a separate attack on Spartanburg County; however, no concrete link between these incidents was established.
The incident highlighted the evolving targeting patterns of sophisticated cybercrime groups. LockBit, in particular, had recently demonstrated a complex public relations strategy, having just banned an affiliate for attacking a non-profit preschool and offering a free decryptor, while simultaneously engaging in the attack on the church. This action demonstrated that the group's publicly stated rules against targeting certain sectors were often applied arbitrarily or ignored for financial gain. The attack on Relentless Church served as a concrete example of how no sector, including religious organizations, is immune from the threat of cyber extortion. The full financial impact, including whether any ransom was demanded or paid, was not disclosed by the church. The completion of the investigation by the third-party security firm would determine the final assessment of data compromise and any necessary subsequent actions, such as citizen notification.