Cyber Incident Victim: Redemption Church
Date:
Apr 2023
Location:
United States of America
Summary
Relentless Church, a large multi-cultural congregation, fell victim to a ransomware attack claimed by the LockBit cybercrime group, which allegedly stole sensitive employee data including passports and financial documents. The church's IT team detected the breach and engaged a security firm to investigate while maintaining normal operations, asserting congregant information remained protected. This incident reflects a broader targeting of religious institutions by ransomware actors, with LockBit previously facing criticism for attacking nonprofits but continuing such operations despite occasional public relations gestures like offering free decryptors.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On April 29, 2023, Relentless Church—a multicultural, non-denominational megachurch based in Greenville, South Carolina, with over 15,000 members and 100,000 online service viewers—suffered a ransomware attack claimed by the LockBit cybercrime group. The church’s IT team detected unauthorized external access to its servers, prompting immediate engagement of a third-party cybersecurity firm to investigate the breach’s origin and secure congregant and operational data. LockBit added Relentless Church to its victim list, asserting theft of employee passports, financial documents, and other sensitive information. Senior Pastor John Gray publicly confirmed the incident but stated services would continue uninterrupted, emphasizing confidence in the implemented security measures. The attackers, identified through a ransomware operation listed in the U.S. government’s #STOPRANSOMWARE initiative, allegedly exfiltrated financial records among other data. Pastor Gray characterized the incident as an attack on the church’s religious mission, urging the perpetrators to cease targeting faith-based organizations.
The breach’s full scope remained under investigation, with church leadership declining to specify compromised data categories pending forensic analysis. No operational disruptions occurred, as systems were secured without halting ministries or online streaming. The incident reflected a broader targeting shift among cybercriminal groups, with LockBit and Karakurt—another extortion group—simultaneously attacking religious entities like Our Sunday Visitor, a Catholic publisher. LockBit’s involvement aligned with its history of opportunistic targeting despite occasional publicized bans on attacking nonprofits, as demonstrated in its prior Keystone SMILES preschool attack. Relentless Church’s prominence as a large-scale institution likely increased its attractiveness to threat actors seeking financially viable targets, per cybersecurity analysts’ observations about threat group motivations. Law enforcement was notified, though no ransom payment details or decryption key usage were disclosed.