Date: 2025-10-13

A ransomware gang called Beast has claimed responsibility for an attack on the Methodist Church of South Africa and has threatened to leak online 150GB of data stolen from the organisation.

As proof of the breach, Beast posted extracts from documents on its dark web leak site, which appear to be from the church’s 2015–2019 annual financial statements.

Some of the documents include the private data of church officials and auditors, such as phone numbers, emails, and physical addresses.

According to threat intelligence company SOCRadar, Beast Ransomware is the evolved form of an earlier strain known as Monster.

Monster was first detected in March 2022 during an investigation by the BlackBerry Incident Response team.

Initially developed in Delphi, Monster was promoted a few months later on the Russian Anonymous Marketplace alongside a partnership program for affiliates.

SOCRadar reports that security researchers believe the operators are likely based in Eastern Europe or Russia.

“In 2024, researchers observed the group actively marketing Beast’s partnership programme and new capabilities in Russian, English, and Chinese,” it stated.

“Beast offered affiliates a customizable Ransomware-as-a-Service platform that could target Windows, Linux, and VMware ESXi systems.”

While Beast inherited much of Monster’s code, SOCRadar said it introduced stronger encryption, multi-threaded processing, service termination, shadow-copy deletion, and other features designed to improve efficiency and reach.

According to analysts cited by SOCRadar, Beast has not yet achieved the widespread impact of leading ransomware families, despite its technical sophistication.

In March 2025, a variant called Boramae was discovered that shares almost identical code with Beast. Its binary was larger because it was statically linked with OpenSSL 1.1.0.

“Boramae profiled as a Windows-focused ransomware that appends a ‘.boramae’ extension to encrypted files, changes desktop wallpapers, and delivers ransom notes urging quick payment under threat of data leaks,” SOCRadar said.

“This suggests the Beast operation continues to evolve through more complex and specialised variants.”

Boramae also grew Beast's code from roughly 150 to over 2,500 functions.

Cyberattacks on the rise in South Africa

The Methodist Church is one of many South African entities targeted by cyberattacks this year. Attackers have targeted companies and government agencies across various sectors in the past ten months.

In August, the Zondo Commission website was attacked and replaced with links pointing to Indonesian online gambling and e-commerce sites.

That same month, a cyber extortion group called INC Ransom claimed responsibility for breaching Altron Netstar’s corporate network and leaking 505GB of data onto the dark web.

In May, ransomware gang Everest Group claimed responsibility for an attack on Mediclinic, stating that they exfiltrated 4GB of data and the personal data of 1,000 employees.

That same week, Adidas South Africa notified customers that it suffered a data breach with people’s names, email addresses, phone numbers, genders, and birth dates potentially exposed.

In the telecommunications sector, MTN and Cell C reported data breaches earlier this year, with Cell C confirming that it was the victim of a ransomware attack by a group called RansomHouse.

While Cell C was up-front and provided details about the attack it suffered, MTN was more tight-lipped, only saying that some people in certain markets were affected.

Astral Foods, South Africa’s largest chicken producer, Eastplats, a prominent mining company, and Pam Golding, the largest real estate company in the country, all disclosed data breaches this year.

In addition, in July, attackers exploited a zero-day vulnerability in Microsoft SharePoint, which caused headaches for organisations worldwide.

SharePoint is a widely used web-based platform developed by Microsoft for collaboration and document management.

The security flaw allowed attackers to access SharePoint servers and steal keys that let them impersonate users or services. This could enable deep access into compromised networks to steal confidential data.

Various South African organisations and government departments were exposed due to the vulnerability, including National Treasury, which reported finding malware installed on a SharePoint server.

South Africa’s Department of Planning, Monitoring, and Evaluation was also targeted in the attacks on Microsoft’s SharePoint customers.

A U.S. security researcher also discovered that the zero-day exposed Stellenbosch University’s website and potentially its broader network.

The researcher contacted MyBroadband about the vulnerability when he struggled to reach the necessary people in Stellenbosch’s IT department.

Feedback from the university suggested that they had received several such communications, but these were all from people hoping to be hired to fix the issue, which the university said it was already working on.