Mount Royal University (MRU) in Alberta, Canada, has officially confirmed it suffered a significant ransomware attack that led to the theft of personal information belonging to its students and employees. The incident, first detected on June 17, 2026, involved the deletion of critical file storage systems and caused major disruptions to campus IT services. The CMD Organization ransomware group has taken responsibility, posting the university on its dark web leak site and claiming to have exfiltrated over 10 terabytes of data. The group is demanding a $1.9 million ransom to prevent the public release of the stolen information. This attack highlights the continued targeting of the education sector by ransomware gangs who see them as data-rich and often under-resourced targets.
The attack on Mount Royal University (MRU) was both destructive and disruptive. On June 17, the university's IT staff discovered that two major file storage systems had been deleted by the attackers: one containing sensitive employee and student data, and another used for general departmental data. This act of destruction, a tactic sometimes used to increase pressure, corresponds to T1485 - Data Destruction.
Shortly after, the CMD Organization, a relatively new ransomware group, claimed the attack. They use a double-extortion model, first stealing data (T1567) and then encrypting or deleting systems (T1486/T1485). The group posted MRU on its Tor-based leak site, claiming to possess 10TB of data and demanding a $1.9 million ransom. They also published screenshots of some of the allegedly stolen data as proof of the breach. According to security researchers, the CMD group has claimed 32 attacks to date, though only a few have been publicly confirmed, suggesting they may be an emerging threat.
While MRU has not disclosed the initial access vector, ransomware attacks on universities often begin with phishing campaigns (T1566 - Phishing) that harvest user credentials or through the exploitation of unpatched vulnerabilities in public-facing systems like VPNs or web applications (T1190 - Exploit Public-Facing Application).
Once inside the network, the attackers would have performed reconnaissance to map the network and identify high-value targets, such as the file storage systems. The deletion of these systems indicates the attackers likely gained administrative privileges (T1078 - Valid Accounts). The sheer volume of data claimed to be stolen (10TB) suggests that the attackers had prolonged and unfettered access to the network, allowing them to exfiltrate large amounts of data over time before executing their final payload. The use of a dark web leak site for extortion is a standard tactic for modern ransomware groups, falling under T1657 - Financial Benefit.
The impact on MRU is multi-faceted. Operationally, the deletion of file systems and disruption of IT services would have severely hampered university functions, affecting everything from teaching and administration to research. Financially, the university now faces significant costs for incident response, system restoration, and potential legal fees, in addition to the $1.9 million ransom demand. The theft of student and employee personal information creates a significant privacy breach, exposing individuals to risks of identity theft and fraud. This leads to a loss of trust from students, faculty, and the public, causing long-term reputational damage that can be difficult to repair.
No specific file hashes, IP addresses, or domains were provided in the source articles.
To detect similar ransomware attacks, security teams can hunt for the following:
net use \\<server>\<share>net use command to map network drives for data access and encryption. Monitor for unusual or widespread use of this command.rclone.exe, megasync.exeD3-NTA: Network Traffic Analysis to baseline normal outbound traffic and alert on sustained, high-volume transfers to unknown destinations.The most critical mitigation. Maintain offline, immutable, and regularly tested backups to ensure data can be restored after a destructive attack.
Segmenting the network can prevent an attacker from moving from a compromised workstation to critical servers, containing the blast radius.
Mapped D3FEND Techniques:
Strictly control and monitor the use of administrative accounts to prevent attackers from gaining the privileges needed to delete entire file systems.
Mapped D3FEND Techniques:
The attack on MRU involved data destruction, making a robust backup and recovery strategy paramount. Organizations must implement a 3-2-1 backup strategy: three copies of data, on two different media, with at least one copy off-site and immutable or air-gapped. For a university, this means critical student records, research data, and administrative systems must be backed up regularly. Crucially, these backups must be tested frequently to ensure they are not corrupted and can be restored quickly. An immutable copy, stored in a cloud service with object lock or on physical tapes, is essential as it prevents the ransomware from deleting or encrypting the backups, which is a common tactic. This ensures that even in the face of a destructive attack like MRU's, the organization can restore its systems and data without being forced to consider paying the ransom.
The claim of a 10TB data exfiltration is a key part of this attack. Such a large transfer of data cannot happen instantaneously and would create a significant network anomaly. By deploying Network Traffic Analysis (NTA) or a Data Loss Prevention (DLP) solution at the network edge, an organization can monitor for and alert on sustained, high-volume outbound data transfers to unknown or unauthorized destinations. Baselines of normal traffic patterns should be established, and any major deviation should trigger an immediate investigation. In MRU's case, an NTA system could have detected the exfiltration in progress, allowing the security team to block the destination IPs and isolate the source of the leak, potentially stopping the attackers long before they could steal all 10TB of data. This transforms a potentially catastrophic data breach into a containable security incident.
Mount Royal University discovers the ransomware attack and data deletion.
MRU publicly confirms data was stolen in the attack, which is claimed by the CMD Organization.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.