Church of Sweden

In November 2023, the Church of Sweden fell victim to a ransomware attack by the BlackCat gang, severely disrupting its operations. The attack crippled critical systems for two months, impairing the church’s ability to conduct essential services such as funerals, fundraising during the Christmas season, and serving its 5.4 million members. When the church refused to pay the ransom, the stolen data was sold to the LockBit gang, which subsequently published it. The prolonged recovery period exacerbated financial and reputational damage, highlighting the devastating impact of ransomware on non-profit and religious institutions. The incident underscored vulnerabilities in unmanaged devices and the growing sophistication of ransomware groups targeting high-value organizations for both financial gain and destructive outcomes.

Source: https://therecord.media/ransomware-healthcare-microsoft-last-year

TPRM report: https://www.rankiteo.com/company/church-of-sweden-youth

"id": "chu831090225",
"linkid": "church-of-sweden-youth",
"type": "Ransomware",
"date": "11/2023",
"severity": "100",
"impact": "7",
"explanation": "Attack that could injure or kill people"
{'affected_entities': [{'industry': 'healthcare',
                        'location': 'United States',
                        'name': '389 U.S.-based healthcare institutions',
                        'type': 'healthcare'},
                       {'customers_affected': '5.4 million',
                        'industry': 'non-profit/religious',
                        'location': 'Sweden',
                        'name': 'Church of Sweden',
                        'size': '5.4 million members',
                        'type': 'religious organization'}],
 'attack_vector': ['social engineering (email phishing, SMS phishing, voice '
                   'phishing)',
                   'identity compromise',
                   'exploiting vulnerabilities in public-facing applications',
                   'unpatched operating systems',
                   'unmanaged IoT/devices in network'],
 'data_breach': {'data_encryption': True, 'data_exfiltration': True},
 'date_publicly_disclosed': '2024-10-01',
 'description': "Microsoft's annual Digital Defense Report (2024) highlights a "
                'significant rise in ransomware attacks on healthcare '
                'institutions, with 389 U.S.-based organizations successfully '
                'hit in the last fiscal year. The attacks caused network '
                'closures, delayed medical operations, and rescheduled '
                'appointments. Nation-states (Russia, North Korea, Iran) are '
                'increasingly using ransomware for financial gain, marking a '
                'shift from prior destructive motives. Human-operated '
                'ransomware encounters surged 2.75x among Microsoft customers, '
                'though encryption success rates declined. Initial access '
                'vectors include social engineering (phishing), identity '
                'compromise, and unpatched vulnerabilities. Notable groups '
                'include Akira (17% of attacks), LockBit (15%), Play, '
                'BlackCat, and Basta. Law enforcement disrupted LockBit and '
                "BlackCat infrastructure, while Microsoft's 'Crystal Ball' "
                'platform enhances global threat intelligence sharing.',
 'impact': {'brand_reputation_impact': True,
            'data_compromised': True,
            'downtime': True,
            'operational_impact': ['network closures',
                                   'critical medical operations delayed',
                                   'appointments rescheduled',
                                   'fundraising disruptions (e.g., Church of '
                                   'Sweden during Christmas)'],
            'systems_affected': True},
 'initial_access_broker': {'data_sold_on_dark_web': ['Church of Sweden data '
                                                     'sold to LockBit'],
                           'entry_point': ['unmanaged devices',
                                           'social engineering (phishing)',
                                           'vulnerabilities in public-facing '
                                           'apps'],
                           'high_value_targets': ['healthcare institutions',
                                                  'religious organizations '
                                                  '(e.g., Church of Sweden)']},
 'investigation_status': 'Ongoing (collaborative via Crystal Ball platform)',
 'lessons_learned': ['Unmanaged devices (IoT, employee tools) increase risk.',
                     'Social engineering (phishing) remains the top initial '
                     'access vector.',
                     'Nation-states are increasingly blending financial and '
                     'destructive motives in ransomware.',
                     'Collaboration (e.g., Crystal Ball platform) improves '
                     'threat intelligence sharing.',
                     'Law enforcement takedowns (e.g., LockBit, BlackCat) '
                     'disrupt ransomware infrastructure.'],
 'motivation': ['financial gain',
                'destructive operations (historically)',
                'cyber espionage'],
 'post_incident_analysis': {'corrective_actions': ['Law enforcement takedowns '
                                                   '(LockBit, BlackCat '
                                                   'infrastructure)',
                                                   'Development of '
                                                   'collaborative platforms '
                                                   '(Crystal Ball)',
                                                   'Public awareness campaigns '
                                                   'on phishing risks'],
                            'root_causes': ['Unmanaged devices in corporate '
                                            'networks',
                                            'Successful phishing attacks',
                                            'Unpatched vulnerabilities',
                                            'Nation-state and cybercriminal '
                                            'coordination']},
 'ransomware': {'data_encryption': True,
                'data_exfiltration': True,
                'ransom_demanded': True,
                'ransom_paid': ['Church of Sweden: refused to pay'],
                'ransomware_strain': ['Akira',
                                      'LockBit',
                                      'Play',
                                      'BlackCat (ALPHV)',
                                      'Basta']},
 'recommendations': ['Patch public-facing applications and operating systems '
                     'promptly.',
                     'Implement stricter controls on unmanaged devices in '
                     'networks.',
                     'Enhance phishing resistance (email, SMS, voice).',
                     'Participate in collaborative threat intelligence '
                     'platforms (e.g., Crystal Ball).',
                     'Prepare for prolonged recovery timelines (e.g., Church '
                     'of Sweden: 2 months).'],
 'references': [{'date_accessed': '2024-10-01',
                 'source': 'Microsoft Annual Digital Defense Report (2024)'},
                {'date_accessed': '2024-10-01',
                 'source': 'Microsoft Blog Post (Tom Burt, VP of Customer '
                           'Security & Trust)'}],
 'response': {'incident_response_plan_activated': True,
              'law_enforcement_notified': True,
              'recovery_measures': ['Church of Sweden: 2 months to recover'],
              'third_party_assistance': ['law enforcement',
                                         "Microsoft's Crystal Ball platform"]},
 'threat_actor': [{'attribution': 'cybercriminal',
                   'name': 'Akira',
                   'share_of_attacks': '17%',
                   'type': 'ransomware gang'},
                  {'attribution': 'cybercriminal',
                   'name': 'LockBit',
                   'share_of_attacks': '15%',
                   'type': 'ransomware gang'},
                  {'attribution': 'cybercriminal',
                   'name': 'Play',
                   'type': 'ransomware gang'},
                  {'attribution': 'cybercriminal',
                   'name': 'BlackCat (ALPHV)',
                   'type': 'ransomware gang (now-defunct)'},
                  {'attribution': 'cybercriminal',
                   'name': 'Basta',
                   'type': 'ransomware gang'},
                  {'motivation': ['financial gain', 'destructive operations'],
                   'name': 'Russia',
                   'type': 'nation-state'},
                  {'motivation': ['financial gain'],
                   'name': 'North Korea',
                   'type': 'nation-state'},
                  {'motivation': ['financial gain'],
                   'name': 'Iran',
                   'type': 'nation-state'}],
 'title': 'Ransomware Attacks on U.S. Healthcare Institutions and Global '
          'Trends (July 2023 - June 2024)',
 'type': ['ransomware', 'cyber espionage', 'financially motivated attack'],
 'vulnerability_exploited': ['unpatched systems',
                             'public-facing application vulnerabilities',
                             'unmanaged devices']}