Cyberattack Devastates Mount Royal University: Stolen Data, Wiped Servers, and a Multi-Million Dollar Ransom Demand + Video

Listen to this Post

Featured ImageIntroduction – A Cyberattack That Turned Into a Data Destruction Campaign

Universities have become some of the most attractive targets for cybercriminals. Their networks store decades of academic records, employee information, research projects, financial documents, and sensitive personal data belonging to thousands of students and staff. While many cyberattacks focus on stealing information for financial gain, modern ransomware groups increasingly combine data theft with deliberate destruction to maximize pressure on victims.

Mount Royal University (MRU) in Calgary, Canada, has become the latest victim of this growing trend. What initially appeared to be another ransomware incident has evolved into something far more damaging. Attackers not only infiltrated the university’s infrastructure and allegedly stole confidential information, but also erased critical storage systems, significantly complicating recovery efforts. The incident serves as another reminder that today’s cybercriminals are no longer satisfied with encrypting files—they increasingly aim to cripple organizations completely.

The Cyberattack That Disrupted an Entire University

Mount Royal University confirmed that it suffered a major cyberattack on June 17 that severely affected numerous digital services across its campus.

The breach disrupted internet connectivity, online services, and several internal systems that employees and students rely on daily. Following the attack, the university immediately engaged internal IT teams alongside external cybersecurity specialists to investigate the incident, contain the damage, and begin the lengthy recovery process.

Founded more than a century ago, Mount Royal University serves over 11,500 students and employs thousands of faculty and staff members. Like many higher education institutions, its infrastructure stores enormous volumes of personal, academic, administrative, and operational data.

Hackers Stole Data Before Deleting Critical Files

Investigators have now confirmed one of the worst aspects of the incident.

The attackers successfully accessed the

Rather than simply copying files, the attackers removed the original data after exfiltration, making recovery significantly more difficult.

According to MRU, unauthorized individuals accessed and extracted information from selected folders before deleting the original copies.

The affected storage contained information belonging to:

Current students

Former students

Current university employees

Former employees

Other individuals associated with the university

Because the stolen information differs from person to person, investigators are still determining exactly whose information was exposed.

The university has promised to notify affected individuals directly once the investigation identifies impacted records.

Another Storage Drive Was Completely Wiped

The attack became even more destructive when investigators discovered damage to another storage system.

A second storage volume, known internally as the “J Drive,” which contained departmental information, was entirely erased.

Fortunately, investigators currently have no evidence that attackers copied data from this drive before deleting it.

However, deletion alone presents an enormous operational challenge.

MRU admits that restoring the J Drive may prove impossible in some cases, and some departmental information could be permanently lost despite ongoing recovery efforts.

Recovery Could Take Months

Unlike ordinary IT outages, ransomware recovery is rarely quick.

University officials estimate that rebuilding systems and restoring affected services could require several weeks—or even several months.

Recovery teams continue rebuilding infrastructure while simultaneously investigating how attackers initially breached the network.

The university says additional updates will be released as new findings become available.

Privacy Authorities and Law Enforcement Have Been Notified

Following Canadian privacy regulations, Mount Royal University has officially reported the incident to:

Alberta’s Information and Privacy Commissioner

Law enforcement authorities

These investigations will help determine both regulatory obligations and any potential criminal prosecution related to the attack.

Meanwhile, digital forensic specialists continue examining compromised systems to determine the complete timeline of the intrusion.

CMD Organization Claims Responsibility

Responsibility for the cyberattack has been claimed by the ransomware and extortion group known as CMD Organization.

The group has allegedly published samples of stolen university data online, including highly sensitive documents such as passport scans and identity records.

To pressure the university into paying, the attackers demanded a ransom of 30 Bitcoin, worth approximately $1.9 million at current market prices.

According to the threat actors, the university was given six days to negotiate before the complete dataset would be publicly leaked.

An Auction Model for Stolen Information

CMD Organization appears to operate differently from many traditional ransomware gangs.

Instead of simply threatening public leaks, the group reportedly offers exclusive access to stolen datasets through an auction system.

Interested buyers compete to purchase confidential information, allowing attackers to maximize profits while potentially preventing broader public releases.

The organization currently advertises dozens of victims on both its clear web and dark web leak portals, illustrating the increasingly commercial nature of cyber extortion.

Identity Protection for Employees

Recognizing the long-term risks associated with stolen personal information, Mount Royal University announced that it will provide:

Two years of credit monitoring

Identity theft protection services

These protections are available to current employees as well as individuals employed by the university during the past five years.

Such services can help detect fraudulent financial activity, although they cannot reverse the exposure of confidential data already obtained by criminals.

Deep Analysis

Command 1: Understanding the Attack Strategy

This incident demonstrates a classic double-extortion operation.

The attackers first infiltrated the network, located valuable storage systems, quietly extracted sensitive information, and only afterward destroyed original files.

Deleting files after stealing them dramatically increases organizational pressure because recovery becomes significantly more difficult.

Command 2: Why Universities Remain Prime Targets

Educational institutions often operate enormous networks with thousands of users, personal devices, research systems, and legacy infrastructure.

Their decentralized environments frequently create security gaps that sophisticated attackers can exploit.

Large user populations also increase opportunities for phishing attacks and credential theft.

Command 3: Data Destruction Is Becoming a Weapon

Modern cybercriminals increasingly understand that backups alone reduce ransomware profitability.

As a result, many groups now delete production data, destroy backups, or corrupt storage systems before demanding payment.

The goal is no longer encryption alone but complete operational paralysis.

Command 4: The Business Model Behind Modern Extortion

CMD

Instead of relying solely on ransom payments, attackers monetize stolen information through private sales, multiple buyers, identity fraud, and long-term exploitation.

This diversification increases profits while reducing dependence on victim negotiations.

Command 5: Long-Term Organizational Impact

Even after systems are restored, universities face years of consequences.

Legal investigations, privacy notifications, reputational damage, insurance claims, regulatory scrutiny, and rebuilding public trust often cost far more than the immediate technical recovery.

For educational institutions, protecting trust is just as important as restoring servers.

What Undercode Say:

The Mount Royal University breach illustrates how ransomware operations have shifted from simple file encryption to complete cyber sabotage. Threat actors now understand that organizations can often recover from encrypted systems if reliable backups exist, so they increasingly steal sensitive information and intentionally erase original data to maximize pressure.

Higher education institutions continue to present attractive targets because they maintain large, decentralized networks filled with valuable personal data, intellectual property, financial information, and research assets. Their open academic environments, combined with thousands of users and countless connected devices, naturally expand the attack surface.

Another significant lesson from this incident is the importance of protecting shared storage infrastructure. Network drives used by thousands of users often become central repositories for sensitive information. Without strict segmentation, continuous monitoring, immutable backups, and rapid detection mechanisms, these repositories become ideal targets for destructive attackers.

The emergence of auction-based extortion also reflects a changing cybercrime economy. Criminal groups are increasingly treating stolen information as a commercial product rather than simply leverage for ransom negotiations. This means organizations must prepare for scenarios where paying a ransom does not guarantee that stolen data will remain private.

Equally concerning is the destructive nature of the attack. By deleting production data after theft, attackers significantly increased recovery complexity and operational downtime. This tactic transforms ransomware from a financial crime into an operational disruption capable of affecting education, research, payroll, administration, and student services simultaneously.

Organizations should assume that perimeter defenses alone are insufficient. Continuous threat hunting, identity protection, privileged access management, network segmentation, immutable backups, incident response exercises, and proactive security validation should become standard operational practices.

This attack also reinforces the importance of rapid transparency. Informing affected individuals, engaging law enforcement, notifying privacy regulators, and offering identity protection services demonstrate responsible incident response even when the technical recovery remains ongoing.

Ultimately, the MRU incident serves as another warning that modern cyberattacks are no longer isolated IT problems—they are institutional crises capable of disrupting every aspect of an organization’s operations, reputation, finances, and long-term resilience.

✅ Confirmed: Mount Royal University officially acknowledged the cyberattack, confirmed unauthorized access to portions of its H Drive, and stated that data was stolen before original files were deleted.

✅ Confirmed: The university reported that the J Drive was wiped during the attack, while investigators currently have no evidence that its contents were copied before deletion.

✅ Partially Verified: CMD Organization publicly claimed responsibility and published alleged samples of stolen data. However, independent investigators have not publicly verified every claim made by the threat group regarding the total amount of stolen information or future leak intentions.

Prediction

(+1) Mount Royal University will likely strengthen its cybersecurity architecture by expanding backup resilience, implementing stricter identity controls, improving network segmentation, and increasing investment in continuous threat detection.

(-1) Cybercriminal groups are expected to continue targeting universities worldwide because educational institutions possess valuable personal data, often operate complex legacy environments, and face significant pressure to restore academic services quickly, making them attractive candidates for double-extortion campaigns.

▶️ Related Video (78% Match):

🕵️‍📝Let’s dive deep and fact‑check.

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

References:

Reported By: www.bleepingcomputer.com
Extra Source Hub (Possible Sources for article):
https://www.quora.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube