Rhysida Hacks First Baptist Church of Hammond, Leaks Personal Data

By Jesse William McGraw

July 29, 2025

Rhysida Hacks First Baptist Church of Hammond - Leaks Personal Data

Just today, the RaaS (ransomware-as-a-service) group known as Rhysida claimed another victim: the megachurch First Baptist Church of Hammond, Indiana, which is reported to rank among the largest in the U.S., with an estimated attendance of approximately 20,000.

According to Rhysida’s Tor leak site, the exfiltrated data is up for auction, starting at the price of 5 BTC, which at the time of this writing, is approximately USD 584,288.39. This is a known tactic employed by Rhysida, designed to intensify pressure on victims to hurry and pay before the auction’s deadline.

The site reads:

“With just 7 days on the clock, seize the opportunity to bid on exclusive, unique, and impressive data. Open your wallets and be ready to buy exclusive data. We sell only to one hand, no reselling, you will be the only owner!”

Rhysida Hacks First Baptist Church of Hammond — Screenshot taken from Rhysida’s Tor site.

Based on the group’s public messaging and the data previewed, this appears to be a high-impact cyberattack.

Rhysida Ransomware

Rhysida appeared on the radar in May 2023, although some researchers believe the group’s activity may have started as early as January. Its leak site and operations began attracting attention around that time. While analysts often debate the exact timeline down to weeks or months, available evidence suggests the group likely began campaigning or testing its infrastructure in early Spring 2023.

Like most ransomware groups, Rhysida tends to gain access by searching for vulnerable entry points such as VPNs and Remote Desktop Protocol (RDP). While this process often requires time and effort, many groups instead scour dark web markets for initial access brokers selling compromised credentials obtained through infostealer logs.

Personal Identifying Information Exposed

Rhysida shared screenshots on their site, showcasing examples of what they stole from the megachurch. The following are some examples:

Photocopied passport identification
Social security cards
Attendees' rosters showing photos of children, with full names, phone numbers, addresses, birthdates, and parents’ names.
Church financial records and banking statements.

While the list of child attendees is outdated, the records were created when they were still minors, as evidenced by their birthdates and profile photos. Whether Rhysida exfiltrated any current children's personal information has not yet been determined.

Ethical Considerations: When Nothing is Off-Limits

Cybercrime groups often operate without a moral compass or ethical principles. When money is involved, nothing is off-limits. Only a few ransomware groups, such as Lynx Ransomware, draw a line between right and wrong, despite operating as criminal enterprises. Some refrain from targeting hospitals, schools, nonprofit organizations, and other institutions that the public relies on for essential services, while most have no guilt on their conscience for doing it.

Most ransomware groups operate without bias, meaning everything becomes a potential target if there’s a chance of financial gain.

Megachurches typically have sizable youth programs, including nurseries, which raises additional concerns. The impact on victims increases exponentially in such cases. It becomes a double-edged sword, because if our suspicions are true, it all boils down to this not-so-simple equation: either pay a half-million-dollar ransom to protect records containing sensitive information about vulnerable individuals, or refuse and risk the data being leaked on the dark web.