Cyber Incident Victim: Ron Carpenter Ministries
Date:
Apr 2023
Location:
United States of America
Summary
Relentless Church, a large South Carolina-based religious institution, suffered a ransomware attack claimed by the LockBit cybercrime group, which allegedly stole sensitive employee data including passports and financial documents. The church's IT team detected the breach and engaged a security firm to investigate and secure congregant information, while leadership emphasized continued operations and confidence in data protection measures. Cybersecurity experts noted the rarity of such attacks on religious organizations, suggesting financial motives rather than ethical constraints drive most threat actors, though LockBit previously faced criticism for targeting nonprofits. The incident reflects broader trends of cybercriminals expanding targets beyond traditional corporate or government entities.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On April 29, 2023, Relentless Church—a South Carolina-based evangelical megachurch with over 15,000 members and 100,000+ online viewers—detected an external ransomware attack on its servers. The LockBit ransomware group claimed responsibility for the breach the following day, listing the church on its leak site and alleging theft of employee data including passports, financial documents, and other sensitive information. Senior Pastor John Gray confirmed the incident, stating the church’s IT team identified the intrusion and immediately engaged a top cybersecurity firm to investigate the breach’s origin and secure congregant data. Despite the attack, church leadership asserted services and programs would continue uninterrupted, with Gray declaring confidence in their data protection measures. WYFF News 4 identified a ransomware operation—listed in the U.S. government’s #STOPRANSOMWARE initiative—publicly boasting about compromising the church’s financial records and other internal data. Law enforcement was notified, though no explicit ransom demand was disclosed publicly. Gray directly addressed the attackers, condemning their targeting of religious institutions and urging them to pursue legitimate livelihoods instead.
The incident highlighted emerging trends in cybercriminal activity, with experts noting LockBit’s prior history of attacking non-traditional targets despite occasional publicized bans on targeting sectors like healthcare. Brett Callow of Emsisoft observed that LockBit previously demanded $10,000 from a low-income country’s hospital and later provided free decryption tools when payment proved unlikely—a pattern suggesting PR-driven damage control. Allan Liska of Recorded Future noted most ransomware groups avoid churches due to limited financial returns unless targeting large entities like megachurches, though historical exceptions included Conti’s 2021 attack on a Texas church and Pysa’s five church breaches that same year. Relentless Church’s prominence as a multicultural hub with substantial digital outreach potentially increased its attractiveness as a target. While the full scope of compromised data remained under investigation, the church maintained operational continuity throughout the response. The attack occurred alongside Karakurt’s contemporaneous breach of Catholic publisher Our Sunday Visitor, though no connection between the two incidents was established. Spartanburg County’s nearby ransomware attack around the same timeframe also lacked confirmed ties to the church breach.