Cyber Incident Victim: Temple Har Shalom Synagogue

Date: Jan 2020

Location: United States of America

Summary

A synagogue in New Jersey experienced a ransomware attack by the Sodinokibi group, which encrypted servers, backups, and some computers and left a ransom note demanding approximately $500,000. The organization confirmed no ransom would be paid and began efforts to rebuild affected systems, requesting congregation members' assistance to recreate lost data. Personal information such as names, addresses, and email addresses may have been accessed if the attackers stole data, but financial details were believed to be segregated and uncompromised. The incident prompted warnings about phishing that could leverage exposed data, and whether the ransomware operators would leak data publicly remained unresolved. The synagogue characterized the attack as a violation but found no evidence of targeting based on religious affiliation.

Description

On January 9, 2020, Temple Har Shalom Synagogue in Warren, New Jersey, discovered a ransomware attack after staff experienced difficulties connecting to the internet. An investigation revealed that threat actors associated with the Sodinokibi ransomware (also known as REvil) had breached the network, encrypting all server-based files and electronic data. The attackers left a ransom note demanding payment, later confirmed by sources to be approximately $500,000 for a decryption key. The encryption extended to mechanical backups stored on the network, rendering recovery through conventional backup methods impossible. Multiple computers across the network were fully encrypted, though some devices remained operational. The synagogue promptly notified congregants via email, disclosing the operational disruption and data compromise. While the attack disrupted administrative functions, Temple Har Shalom explicitly stated no evidence suggested targeting due to its status as a Jewish institution, characterizing the incident as a violation of their community rather than a religiously motivated act.

The synagogue’s response included assessing the scope of encrypted systems and initiating efforts to reconstruct lost data by contacting congregants for necessary information, confirming their refusal to pay the ransom. They identified potential data exposure limited to congregant names, addresses, and email addresses due to network segmentation, asserting that financial records and other confidential membership details remained segregated and likely inaccessible. Despite this assessment, Temple Har Shalom warned members to remain vigilant against phishing attempts leveraging potentially exposed personal information. The Sodinokibi group’s known tactic of exfiltrating data prior to encryption introduced additional risks of data leakage, though the synagogue did not confirm whether data theft occurred or if attackers threatened publication. No decryption or data recovery progress was disclosed, and the incident underscored operational vulnerabilities, particularly the compromise of both primary and backup systems. The attack highlighted broader concerns regarding ransomware targeting community organizations, with impacts extending to potential reputational harm and member privacy risks despite mitigated financial exposure.