Ransomware attackers claim hit on Methodist Church of Southern Africa


A ransomware group has claimed that it has successfully attacked the Methodist Church of Southern Africa (MCSA) and is demanding a ransom payment, TechCentral has learnt.

The church fell victim to the apparent attack earlier this month, with some details – though not the entire leak – published on the dark web on 2 October 2025.

The MCSA is one of Southern Africa’s largest and oldest Christian denominations, with roughly three million members across South Africa, Lesotho, Namibia, Botswana, Eswatini and Mozambique.

Rooted in the Wesleyan Methodist tradition brought to the Cape by British soldiers in the early 1800s, it grew through missionary work led by figures such as Barnabas Shaw. Over time, multiple Methodist strands merged, and in 1931 the present MCSA was formally constituted as a single, “one and undivided” church.

According to a posting online, the church was hit by the Beast ransomware. Beast first emerged in 2022 as an “enhanced iteration of the earlier ‘Monster’ ransomware”, which operates under a ransomware-as-a-service model.

It offers affiliates “rich customisation options to create tailored binaries targeting Windows, Linux and VMware ESXi systems”.

Ransomware-as-a-service, or RaaS, is a criminal business model where skilled developers build and maintain ransomware tools and then sell, lease or affiliate them to less technical operators in exchange for a cut of the profits.

Audit documents

The developers provide the malware, dashboards, payment and (sometimes) key-management services, while “affiliates” handle the actual infections, phishing or compromises – payments are typically demanded in cryptocurrency and victims’ data may be encrypted, exfiltrated for double extortion, or both.

RaaS lowers the technical barrier to entry and scales attacks, fuelling a profit-driven underground economy that targets organisations, hospitals, municipalities and individuals, causing disruption, financial loss and reputational damage. Paying ransoms is risky and is no guarantee of data recovery.

It appears the attackers haven’t yet published the full trove of documents allegedly stolen, but a sample of materials posted online – and seen by TechCentral – suggests they include MCSA financial and audit information, including for the church’s “Cape of Good Hope District”, as well as various expenditure statements.

No details about individual church members are included in the samples shared by the attackers.

A spokesman for the MCSA could not immediately be reached via mobile phone or e-mail (e-mail messages bounced), while the church’s website is currently offline (possibly related to the ransomware attack). – © 2025 NewsCentral Media
