Mount Royal University Confirms Data Theft in Ransomware Attack Claimed by CMD Organization

CMD Ransomware Hits Mount Royal University, Claims 10TB of Data and Demands $1.9M

HIGH
July 9, 2026
6m read
RansomwareData BreachCyberattack

Related Entities

Threat Actors

CMD Organization

Organizations

Comparitech

Other

Mount Royal University (MRU)

Full Report

Executive Summary

Mount Royal University (MRU) in Alberta, Canada, has officially confirmed it suffered a significant ransomware attack that led to the theft of personal information belonging to its students and employees. The incident, first detected on June 17, 2026, involved the deletion of critical file storage systems and caused major disruptions to campus IT services. The CMD Organization ransomware group has taken responsibility, posting the university on its dark web leak site and claiming to have exfiltrated over 10 terabytes of data. The group is demanding a $1.9 million ransom to prevent the public release of the stolen information. This attack highlights the continued targeting of the education sector by ransomware gangs who see them as data-rich and often under-resourced targets.

Threat Overview

The attack on Mount Royal University (MRU) was both destructive and disruptive. On June 17, the university's IT staff discovered that two major file storage systems had been deleted by the attackers: one containing sensitive employee and student data, and another used for general departmental data. This act of destruction, a tactic sometimes used to increase pressure, corresponds to T1485 - Data Destruction.

Shortly after, the CMD Organization, a relatively new ransomware group, claimed the attack. They use a double-extortion model, first stealing data (T1567) and then encrypting or deleting systems (T1486/T1485). The group posted MRU on its Tor-based leak site, claiming to possess 10TB of data and demanding a $1.9 million ransom. They also published screenshots of some of the allegedly stolen data as proof of the breach. According to security researchers, the CMD group has claimed 32 attacks to date, though only a few have been publicly confirmed, suggesting they may be an emerging threat.

Technical Analysis

While MRU has not disclosed the initial access vector, ransomware attacks on universities often begin with phishing campaigns (T1566 - Phishing) that harvest user credentials or through the exploitation of unpatched vulnerabilities in public-facing systems like VPNs or web applications (T1190 - Exploit Public-Facing Application).

Once inside the network, the attackers would have performed reconnaissance to map the network and identify high-value targets, such as the file storage systems. The deletion of these systems indicates the attackers likely gained administrative privileges (T1078 - Valid Accounts). The sheer volume of data claimed to be stolen (10TB) suggests that the attackers had prolonged and unfettered access to the network, allowing them to exfiltrate large amounts of data over time before executing their final payload. The use of a dark web leak site for extortion is a standard tactic for modern ransomware groups, falling under T1657 - Financial Benefit.

Impact Assessment

The impact on MRU is multi-faceted. Operationally, the deletion of file systems and disruption of IT services would have severely hampered university functions, affecting everything from teaching and administration to research. Financially, the university now faces significant costs for incident response, system restoration, and potential legal fees, in addition to the $1.9 million ransom demand. The theft of student and employee personal information creates a significant privacy breach, exposing individuals to risks of identity theft and fraud. This leads to a loss of trust from students, faculty, and the public, causing long-term reputational damage that can be difficult to repair.

IOCs — Directly from Articles

No specific file hashes, IP addresses, or domains were provided in the source articles.

Cyber Observables — Hunting Hints

To detect similar ransomware attacks, security teams can hunt for the following:

Type
Log Source
Value
File Share Audit Logs
Description
Monitor for an abnormally high volume of file read operations from a single account, which can indicate mass data staging for exfiltration.
Type
Command Line Pattern
Value
net use \\<server>\<share>
Description
Attackers often use the net use command to map network drives for data access and encryption. Monitor for unusual or widespread use of this command.
Type
Network Traffic Pattern
Value
Sustained high-volume egress traffic
Description
A 10TB exfiltration would generate a significant and sustained outbound traffic anomaly from the university's network over days or weeks.
Type
Process Name
Value
rclone.exe, megasync.exe
Description
Attackers often use legitimate data synchronization tools to exfiltrate data. The presence of these tools on servers where they are not expected is a major red flag.

Detection & Response

  • Data Exfiltration Monitoring: Implement tools and policies to detect and block large-scale data exfiltration. Use D3-NTA: Network Traffic Analysis to baseline normal outbound traffic and alert on sustained, high-volume transfers to unknown destinations.
  • File Integrity Monitoring (FIM): Deploy FIM on critical file servers. While it might not stop the initial encryption, it can provide an early warning of unauthorized mass file modification or deletion, allowing for a faster response.
  • Behavioral Detections: Use an EDR solution to monitor for chains of behavior indicative of ransomware, such as a user process enumerating network shares, deleting shadow copies, and then rapidly reading and writing to a large number of files.
  • Dark Web Monitoring: Proactively monitor ransomware leak sites and cybercrime forums for mentions of your organization's name or domain. This can provide an early warning that you have been compromised, even before the final payload is delivered.

Mitigation

  • Immutable Backups: Maintain offline, immutable backups of all critical data. This is the most effective defense against both data encryption and data deletion attacks. The ability to restore from a clean backup removes the attackers' primary leverage.
  • Least Privilege Principle: Enforce the principle of least privilege. User accounts should not have administrative rights, and administrative accounts should not be used for daily tasks. This makes it harder for attackers to gain the privileges needed to delete entire file systems.
  • Network Segmentation: Segment the network to prevent attackers from moving laterally from a compromised workstation to critical servers like file storage systems. This can contain the blast radius of an attack.
  • Incident Response Plan: Have a well-defined and tested incident response plan that specifically covers ransomware scenarios. This should include steps for isolating systems, engaging legal counsel and cyber insurance, and communicating with stakeholders.

Timeline of Events

1
June 17, 2026
Mount Royal University discovers the ransomware attack and data deletion.
2
July 9, 2026
MRU publicly confirms data was stolen in the attack, which is claimed by the CMD Organization.
3
July 9, 2026
This article was published

MITRE ATT&CK Mitigations

The most critical mitigation. Maintain offline, immutable, and regularly tested backups to ensure data can be restored after a destructive attack.

Segmenting the network can prevent an attacker from moving from a compromised workstation to critical servers, containing the blast radius.

Mapped D3FEND Techniques:

Strictly control and monitor the use of administrative accounts to prevent attackers from gaining the privileges needed to delete entire file systems.

Mapped D3FEND Techniques:

Audit

M1047enterprise

Enable detailed logging on file servers and network devices to detect and investigate anomalous data access and exfiltration patterns.

Mapped D3FEND Techniques:

D3FEND Defensive Countermeasures

The attack on MRU involved data destruction, making a robust backup and recovery strategy paramount. Organizations must implement a 3-2-1 backup strategy: three copies of data, on two different media, with at least one copy off-site and immutable or air-gapped. For a university, this means critical student records, research data, and administrative systems must be backed up regularly. Crucially, these backups must be tested frequently to ensure they are not corrupted and can be restored quickly. An immutable copy, stored in a cloud service with object lock or on physical tapes, is essential as it prevents the ransomware from deleting or encrypting the backups, which is a common tactic. This ensures that even in the face of a destructive attack like MRU's, the organization can restore its systems and data without being forced to consider paying the ransom.

The claim of a 10TB data exfiltration is a key part of this attack. Such a large transfer of data cannot happen instantaneously and would create a significant network anomaly. By deploying Network Traffic Analysis (NTA) or a Data Loss Prevention (DLP) solution at the network edge, an organization can monitor for and alert on sustained, high-volume outbound data transfers to unknown or unauthorized destinations. Baselines of normal traffic patterns should be established, and any major deviation should trigger an immediate investigation. In MRU's case, an NTA system could have detected the exfiltration in progress, allowing the security team to block the destination IPs and isolate the source of the leak, potentially stopping the attackers long before they could steal all 10TB of data. This transforms a potentially catastrophic data breach into a containable security incident.

Timeline of Events

1
June 17, 2026

Mount Royal University discovers the ransomware attack and data deletion.

2
July 9, 2026

MRU publicly confirms data was stolen in the attack, which is claimed by the CMD Organization.

Sources & References

Mount Royal University Confirms Data Stolen in Ransomware Attack
SecurityWeek (securityweek.com) July 9, 2026

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)

Tags

RansomwareCMD OrganizationMount Royal UniversityData BreachEducationCanada

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.