A ransomware group has claimed responsibility for an alleged cyberattack on the Salvation Army, threatening to release stolen data from the international Christian nonprofit.
Ransomware group Chaos threatens data leak from Salvation Army
The Chaos ransomware group has posted on the dark web claiming it has breached the Salvation Army, one of the world’s largest charitable organizations. The post, first detected by Cybernews via the dark web tracker Ransomlooker on March 28, warns:
“Data will be released soon.”
As of now, Chaos has not provided details on what type of data was allegedly stolen or how extensive the breach might be. It is also unclear whether the attackers have contacted the Salvation Army or issued ransom demands directly.
Global nonprofit with vast operations potentially compromised
Founded in 1865, the Salvation Army operates in 134 countries and provides services including disaster relief, housing assistance, rehabilitation, and aid for vulnerable populations. In 2024, the charity reported revenues of $4.78 billion, making it the sixth-largest nonprofit in the U.S. It also maintains ties to the United Nations.
No public statement has yet been issued by the Salvation Army regarding the breach claim.
Chaos ransomware: destructive, flexible, and widely deployed
Chaos ransomware, a malware family offered through a ransomware-as-a-service (RaaS) model, is known for its dual-use design. It functions both as file-encrypting ransomware and as a wiper.
Initially discovered in 2021, early versions of Chaos permanently destroyed files rather than encrypting them. More recent variants use standard encryption methods, aligning with typical extortion techniques. However, the malware still retains wiper-like behavior, making it suitable for destructive campaigns.
Chaos has been used in attacks targeting hospitals, energy firms, and factories. It is capable of infecting both Windows and Linux systems. Its origin is believed to trace back to Russian-linked threat actors. The malware has also been used during Russia’s war in Ukraine for system-wiping purposes.
Christian-affiliated organizations increasingly in the crosshairs
The attack on the Salvation Army follows a concerning trend where ransomware groups are increasingly targeting faith-based organizations.
In March 2025, the Rhysida ransomware group compromised Berkeley Research Group (BRG), which provides consulting services to Catholic dioceses involved in bankruptcy. That breach exposed documents connected to abuse survivors and multiple Catholic Church legal proceedings.
Though some ransomware operators claim to avoid humanitarian targets, the recent breaches suggest that these boundaries are often ignored.
Cybersecurity agencies including CISA, NCSC, FBI, and HHS continue to advise against paying ransoms, citing the risks of encouraging repeat attacks and criminal financing.
