CMD Organization is a ransomware/extortion threat group. In the provided reporting, it claimed responsibility for the June 17 attack on Mount Royal University in Calgary, where attackers stole data from folders on the university’s H drive, deleted original files to hinder recovery, and the incident also involved wiping a separate J drive. CMD Organization published samples of allegedly stolen data, including passport scans and other sensitive documents, demanded a 30 BTC ransom, and threatened to leak the full dataset if the victim did not respond within six days. The content states that the group appears to use an auction-style extortion model offering stolen data to the highest bidder, and that it operates both a clear web portal and a dark web portal for its extortion activity. Separate trend reporting in the content recorded CMD Organization with 5 ransomware claims in week 26 of 2026. No additional aliases or sub-groups are provided in the content.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Sectors the actor has been observed targeting.
Geographies tied to known operations.
4 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Conducting data theft and extortion against Mount Royal University, including publishing samples of stolen data, demanding a 30 BTC ransom, threatening full disclosure, and using an auction-style system to sell stolen data to the highest bidder via clear web and dark web portals.
Ransomware group newly appearing in the ranking this week with 5 claimed victims.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.