// 4 ZERO-DAY · 5 CVE · 6 EXPLOIT · 1 ADVISORY IN THE LAST 24H
The CMD Organization ransomware group claimed responsibility for the attack on Mount Royal University, demanding a $1.9 million ransom. The university is offering credit monitoring only to employees, excluding students whose files were also on the compromised H drive, raising equity concerns in the post-breach response.

Mount Royal University (MRU) has confirmed that the cyberattack detected on June 17-18, 2026 resulted in the theft and deletion of data from specific folders on the H drive, the shared storage system used by students and employees. The CMD Organization ransomware group claimed responsibility for the incident, publishing samples of sensitive documents and demanding a ransom of 30 Bitcoin, approximately $1.9 million, with a six-day deadline. The university's decision to offer active protection only to employees — excluding students from the same safeguards — raises an equity issue in post-breach management that warrants scrutiny.

Key Takeaways
  • CMD Organization published samples of stolen data, including passport scans, and demands 30 BTC (~$1.9 million) via an auction model to the highest bidder
  • The H drive, used by both students and employees, suffered both theft and intentional deletion of original data; the departmental J drive was deleted without evidence of prior access or copying
  • MRU offers two years of credit monitoring and identity theft protection exclusively to current employees and those hired within the last five years, not to students
  • The group lists 30 organizations on its extortion site, and the demand against MRU exceeds its average ransom of roughly $580,000 by nearly four times

How the Attack Works: From Compromise to Extortion Pressure

Mount Royal University's official announcement, reported by BleepingComputer, describes a sequence that goes beyond traditional ransomware. According to the university's statement, "data within certain folders on the University's H drive was accessed and taken by an unauthorized actor." The threat actor then deleted the original data to impede recovery. The same source quotes the university: "The actor then deleted our H drive data to impede our recovery."

The J drive, containing departmental data, presents a different profile. MRU stated there is no evidence of access or copying prior to deletion. This distinction is relevant for damage assessment: the H drive hosted files from both students and employees, while the J drive held specific administrative materials.

The H drive was not designed to hold personal information, but could include it at users' discretion. This architectural characteristic — a shared storage system without automated content controls — amplifies uncertainty about the exact nature of exposed data, which varies from person to person.

CMD Organization and the Auction Model: An Evolution in Ransomware-as-a-Service

CMD Organization operates through an extortion site listing 30 victim organizations. The group does not limit pressure to direct data publication: it offers stolen materials "exclusively to the highest bidder," turning the breach into an auction. This mechanism, documented by BleepingComputer, introduces a third party into the traditional attacker-victim dynamic, complicating the risk assessment for those affected.

Rebecca Moody, Head of Data Research at Comparitech, described CMD Organization as "a relatively new gang" in rapid escalation, with high ransom demands and paralyzing attacks. The quantitative data differentiates the operation against MRU: according to IT Nerd, citing Comparitech, the group's average demand stands at roughly $580,000, while the one directed at the Canadian university exceeds that figure by nearly four times. The group claims to have stolen 10 TB of data from MRU, a volume that — if confirmed — explains the elevated demand.

Published samples include passport scans and other sensitive documents. This selection of proof-pack serves to validate the claim and accelerate the victim's decision-making.

"Cybersecurity is not a checkbox exercise, it's something that has to be done continuously... They're trying to learn to fly the plane while it's in the air"

— Ritesh Kotak, cybersecurity tech analyst, on preventive vs. reactive investments (via CBC)

The Protection Disparity: Why Employees Get Coverage and Students Don't

MRU's institutional response draws a sharp line. The university offers two years of credit monitoring and identity theft protection to current employees and those hired within the last five years. Students, despite having their files on the compromised H drive, do not receive the same protection.

According to CBC, the university justified this decision by stating that "student information does not present the same risk profile." This assertion, however, does not clarify the criteria differentiating a former student from a former employee in terms of identity theft risk, nor does it explain why the presence of passport scans in the samples published by CMD Organization does not cross the risk threshold for the student population.

The discrepancy raises equity questions in the post-breach response. If exposed personal data varies by individual, as the university stated, the decision to exclude entire categories of stakeholders from active protection appears to be a resource allocation choice rather than a case-by-case assessment of actual risk.

Institutional Context: Education Sector Under Pressure

The attack on MRU fits a broader pattern of compromises in the North American education sector. Contextual sources signal attacks on Mohawk College and breaches of the Canvas platform, but these incidents are distinct and not operationally linked to CMD Organization or MRU. The convergence lies in the target sector: institutions with limited security budgets, high network openness for educational purposes, and heterogeneous user populations.

Services disrupted during the incident include the institutional website, MyMRU, campus internet access, and phone systems. Recovery, according to BleepingComputer, could take weeks or months. MRU reported the incident to the Alberta Information and Privacy Commissioner and law enforcement.

What to Do Now

For MRU employees covered by the protection offer: activate the university-provided credit monitoring within the officially communicated terms. For excluded students and employees: independently verify the presence of personal information on the H drive and evaluate independent monitoring services, since the university is not covering the cost. For educational institutions: document data classification on shared storage and verify that content policies reflect actual risk, not just intended use.

The initial access vector is unconfirmed. The advanced phishing hypothesis advanced by analyst Ritesh Kotak in statements to CBC remains unverified by MRU. The technical identity of CMD Organization — possible alias or rebrand of an existing group — is undetermined. The outcome of any negotiations with the group is unknown: the university has not commented on whether it paid, refused, or ignored the ransom.

The intentional deletion of data, beyond theft, marks an escalation in extortion tactics. Institutions facing similar decisions will need to assess whether post-breach guarantees are distributed proportionally to actual harm, not just the contractual profile of the relationship with the data subject.

Sources

Information has been verified against cited sources and updated at time of publication.

Sources


Sources and references
  1. bleepingcomputer.com
  2. cbc.ca
  3. thecyberexpress.com
  4. livewirecalgary.com
  5. itnerd.blog
  6. foxnews.com
  7. deals.bleepingcomputer.com