Ransomware gang takes credit for Christmas attack on global Lutheran organization
Details about a Christmas-season ransomware attack on a global Christian organization became clearer this week as a cybercrime gang took credit for what appears to be a related theft of data.
The World Council of Churches (WCC), an inter-church organization, said on December 28 that it had been victimized by ransomware, but did not offer details about the attackers. On Jan. 5, however, the Rhysida ransomware gang claimed to have attacked the Lutheran World Federation, one of the WCC’s members.
A spokesperson for the federation, which represents 77 million Lutherans globally, confirmed to Recorded Future News that it was dealing with a cyberattack and said the incident was related to the attack on the WCC.
“The World Council of Churches (WCC) was the target of a cyber-attack over the Christmas holidays. Some LWF systems have also been affected,” the spokesperson said. “The situation continues to be dealt with by experts.”
A representative for the WCC, a fellowship of multiple Christian sects representing half a billion people worldwide, directed Recorded Future News to the December 28 statement confirming that the organization had been hit with ransomware.
Neither the Lutheran group nor the WCC specified that Rhysida was responsible for the incidents. The gang is responsible for dozens of attacks on governments around the world as well as major companies like Sony.
Holiday season incident
The WCC, which has an administrative center in Geneva, Switzerland, said hackers contacted it on December 26 and demanded a ransom for the information accessed.
“All systems went down on 26 December. The WCC IT Team is working hard to restore all the systems, including the WCC website, which have been protected over the years by increasingly robust security,” they explained.
WCC general secretary Rev. Prof. Dr Jerry Pillay added that it “is terrible to experience such things as this, but public roles can lead to attacks like these.”
The organization contacted the Swiss police and other local law enforcement agencies to address the issue.
“We will continue our work. The WCC will never give in to such threats. These people must be investigated and stopped,” Pillay said.
“In pursuit of technological progress, human beings cannot misuse these for personal gains.”
The Rhysida gang said it is ransoming the information it stole from the Lutheran group for 6 bitcoin, or about $280,000. The gang set a seven-day timer, after which it says the information will be released publicly.
Rhysida — named after centipedes — first emerged in late May 2023 and has already claimed major attacks on government institutions in Portugal, the Dominican Republic, Kuwait, Chile and the Caribbean island of Martinique.
The gang drew headlines in the U.S. for its devastating attack on Prospect Medical Holdings, which operates 16 hospitals in several states and was forced to redirect ambulances as a result of the incident.
In November, the top cybersecurity agencies in the U.S. released an advisory on the gang’s operations warning that it has “predominantly been deployed against the education, healthcare, manufacturing, information technology, and government sectors since May 2023.”
Cybercrime organizations have increasingly targeted religious organizations in recent months. Multiple churches and religious organizations were attacked last year, including South Carolina-based Relentless Church and Our Sunday Visitor, a Catholic publishing company that produces newsletters, religious books, pamphlets and more.
Recorded Future ransomware expert Allan Liska previously said that ransomware gangs attacked the Salvation Army in 2021 and one group listed 5 churches on their extortion site.
The Vatican and the Catholic Diocese of Hong Kong also were attacked in 2020.
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.