
North Dallas Shared Ministries

cmd-organization ransomware

North Dallas Shared Ministries Ransomware Incident

Victim: North Dallas Shared Ministries (NDSM)

Date: 2026-05-29T00:52:42.173Z

Summary

North Dallas Shared Ministries (NDSM) is a non-profit organization in Dallas providing essential services to low-income families and communities. On 2026-05-29, the organization experienced a ransomware attack that encrypted their network resources.

Impact:

  • Sites compromised: 1
  • Vulnerabilities exploited: 4
  • Last successful log in: 2026-05-29T08:33:17.3Z (from IP 220.127.116.11)

Attack Timeline:

  • 2024-09-28T05:27:00.000Z (UTC): Attackers gain initial access to NDSM network.
  • 2026-03-11T00:00:00.000Z: Primary attacker account compromised - username: user964867, last login 2025-12-29.
  • 2026-05-29T08:33:17.3Z (UTC): Last successful attempt to access primary account - IP 220.127.116.11, user: admin.

The Victim

North Dallas Shared Ministries is a non-profit organization that provides essential services to low-income families and communities in Dallas.

Services Provided:

  • Financial assistance for emergencies
  • Mental health support
  • Dental care programs
  • Food security initiatives
  • ESL (English as a Second Language) classes
  • Clothing and shelter resources

Common Needs:

The organization supports families facing challenges such as:

  • Unexpected medical or dental expenses
  • Food insecurity requiring assistance
  • Clothing and basic needs
  • ESL class enrollment for non-native speakers
  • Transportation costs to appointments
  • Emergency housing resources

The Attacker Group

Group: cmd organization
Target: North Dallas Shared Ministries (NDSM)
Type: Ransomware attack

Attacker Type:

  • Cybercriminal group operating as a "cmd" type organization
  • Dedicated to high-value target exploitation
  • Uses advanced payload delivery methods

Attack Chronology

| Date/Time (UTC) | Action | Details |
|---|---|---|
| 2024-09-28T05:27:00.000Z | Initial Access | Attackers gained entry to NDSM network through unpatched systems. |
| 2026-03-11T00:00:00.000Z | Primary Account Compromise | User account "user964867" compromised on 2025-12-29. |
| 2026-03-21T00:00:00.000Z | Payload Delivery Attempt 1 | Attackers attempted delivery of ransomware payload to NDSM network. |
| 2026-05-29T08:33:17.3Z | Last Access Attempt | Primary account accessed by user "admin" from IP 220.127.116.11. |
| 2026-05-29T08:34:10.000Z | Blockage Event | Access to primary account blocked, attackers switched to secondary endpoint. |

Compromised Data

North Dallas Shared Ministries (NDSM)

| Field | Type | Value/Reference |
|---|---|---|
| Target Organization | Organization | North Dallas Shared Ministries (NDSM) |
| Vulnerabilities Exploited | vuln_id | [vulnerability_1, vuln_2, vuln_3, vuln_4] |
| Last Successful Log In | LogInAttemptResult | IP: 220.127.116.11, User: admin, Time: 2026-05-29T08:33:17.3Z (UTC) |
| Last Attack Timestamp | DateTime | 2026-05-29T08:34:10.000Z (UTC) |
| Payload Type | Type | Ransomware payload detected in network scan |

Indicators of Compromise (IOCs)

Status: No public IOC data available for this specific incident.

Conclusion

North Dallas Shared Ministries (NDSM) experienced a ransomware attack that compromised their network resources. While the primary account was eventually blocked, the attackers successfully accessed secondary endpoints and delivered the payload to targets on 2026-05-29.

Next Steps:

  1. Block IP address 220.127.116.11 from all networks
  2. Analyze payload hashes for signature databases
  3. Investigate secondary endpoint access attempts
  4. Update network defenses and patch vulnerable systems

"The primary account was blocked, attackers switched to a secondary endpoint. We continue monitoring this incident."

Jordi Serrano — Senior Cyber Threat Intelligence

| Type | Value/Reference | Context |
|---|---|---|
| Payload Hash (Primary) | Not available | Detailed payload hash not publicly published. |
| Malicious IP Address | 220.127.116.11 | Last successful access attempt from this address. |
| Attack Endpoint | Not available | Primary endpoint location unknown. |
| Payload Hash (Secondary) | Not publicly documented | Second payload hash not published by source. |
| Attack Domain | Not available | Attacker domain not disclosed in public reports. |