Menu
Browse

Cyber Threat Actor: CMD Organization

Actor Type Location Known Incidents
 Icon
Criminal
1 incident
Profile

CMD Organization is a ransomware group that has been publicly identified by its alias and is known for conducting data‑theft extortion operations against educational institutions. The only confirmed activity attributed to this actor involves the June 17 2023 incident at Mount Royal University in Alberta, Canada, where the group targeted the university’s file storage infrastructure. The attack resulted in the deletion of two file storage systems and the exfiltration of employee and student data from the H drive, causing widespread disruption to internal systems, online services and internet access. Following the breach, CMD Organization posted proof of the stolen material leak site, claiming possession of over ten terabytes of data, on a leak site and demanded a 1.9 million‑dollar cryptocurrency ransom for the return of the information. The university’s response included notifying the Alberta Information and Privacy Commissioner and law enforcement, as well as offering affected individuals 24 months of free identity theft and credit monitoring. These details indicate a financially motivated objective, as the actor’s primary leverage was a monetary demand paid in cryptocurrency.

The group’s observed tactics, techniques and procedures consist of deploying ransomware that both encrypts and deletes targeted storage volumes, followed by large‑scale data exfiltration to pressure victims via public leak sites. No specific malware families, initial access vectors or ancillary tools are described in the available reporting, so only the ransomware deployment, data theft and leak‑site publication can be cited as confirmed TTP themes. No public attribution links CMD Organization to a state sponsor, criminal consortium or any broader affiliation have been established, and the actor remains solely associated with the Mount Royal University operation. Consequently, the Mount Royal University case stands as the sole representative campaign through which the group’s capabilities and intent have been documented in the context.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
0 sources