One of the largest providers of social services globally, the Christian organization Salvation Army, has been allegedly hit by a ransomware attack.
A ransomware gang has claimed a major player in the charity world – the Salvation Army.
“Data will be released soon,” reads a post on the dark web by the Chaos ransomware group.
The move follows a well-worn playbook: threaten to leak sensitive data to pressure the victim into paying. But global cybersecurity agencies, including CISA, NCSC, the FBI, and HHS, continue to advise against giving in to ransom demands.
According to Cybernews’ dark web tracker Ransomlooker, the post was first spotted on March 28th.
So far, Chaos has not disclosed what kind of data it has stolen or how large the trove is. It remains unclear whether the group has made contact with the Salvation Army or attempted to negotiate terms.
The Salvation Army is one of the world’s biggest charity organizations. Founded in 1865, the Christian nonprofit made revenue of $4.78 billion in 2024, making it the sixth-largest charity in the US.
With operations in 134 countries, the Salvation Army delivers aid to the elderly, homeless, disabled, and disaster-stricken while also running rehab programs. It is also affiliated with the United Nations (UN).
Cybernews has reached out to the Salvation Army, but a response has yet to be received.
What is Chaos ransomware?
Chaos ransomware, distributed through a ransomware-as-a-service (RaaS) model, is a malware family known for its unusually destructive capabilities and evolving threat profile.
First identified in June 2021, it has since undergone significant transformation, shifting from pure data destruction to more traditional forms of file encryption used in ransom-based extortion.
Early variants of Chaos permanently corrupted files rather than encrypting them, leaving victims with little recourse. More recent versions have adopted conventional encryption methods, making the malware more consistent with typical ransomware behavior.
However, Chaos remains distinct in its dual use, as both ransomware and a wiper, making it particularly appealing for politically motivated or destructive cyber campaigns. Since Russia’s war in Ukraine kicked off, Chaos-based malware has been used to wipe Ukrainian systems clean.
Chaos hits both Windows and Linux targets and has been spotted inside hospitals, factories, and energy firms. Its low-cost RaaS model and destructive flexibility make it the perfect weapon for chaos by design.
Malware's roots trace back to threat actors likely tied to Russia.
Christian community targeted by cybercriminals
Some ransomware gangs claim to align with ethical standards when choosing their targets. However, not all ransomware gangs draw the line at hospitals or charities. In recent months, the global Christian community has become a recurring target.
In March 2025, the Rhysida ransomware group targeted Berkeley Research Group in California. BRG offers corporate finance and economic consulting, including to Catholic dioceses in bankruptcy proceedings.
The attack exposed highly sensitive documents related to Catholic clergy abuse survivors. The breach also included data associated with ten Catholic bankruptcy cases.
Your email address will not be published. Required fields are markedmarked