Skip to content
Ransomware group

CMD Organization

CMD Organization is a ransomware and data-extortion threat group that publicly claims intrusions against organizations and uses leak-site shaming to pressure victims.

Profile source: Mallory opens in a new tab

CMD Organization

Family profile

CMD Organization is a ransomware and data-extortion threat group that publicly claims intrusions against organizations and uses leak-site shaming to pressure victims. The group has been observed listing victims on extortion infrastructure and publishing sample stolen documents to support its claims. Reporting also associates it with an auction-style monetization model in which allegedly stolen datasets are offered to the highest bidder, indicating a financially motivated operation centered on double-extortion and possible data resale.

Observed victimology includes educational institutions, and the group has appeared in weekly ransomware claim tracking as an active but not top-tier actor, with multiple claimed victims across separate reporting periods in mid-2026. In one publicly reported university intrusion, the group claimed theft of a large volume of sensitive data, issued a cryptocurrency ransom demand, and threatened timed publication of additional material. That incident was also characterized by disruptive actions beyond exfiltration, including deletion of files from affected storage systems, consistent with coercive pressure designed to hinder recovery and increase leverage.

Tactics attributed to CMD Organization include unauthorized network access, data exfiltration, extortion via leak-site publication, deadline-based ransom demands, and destructive or disruptive post-compromise activity such as file deletion. The group’s operating model suggests overlap between ransomware and pure extortion tradecraft: public victim naming, proof-of-compromise releases, and sale or threatened release of stolen information. Available information supports classifying CMD Organization as a cybercriminal extortion actor. No high-confidence public attribution to a nation-state sponsor is currently available.

Ransomware.live

Operational record

View group record ↗

Ransomware.live

Recent claims

All published claims ↗

MITRE ATT&CK

CMD Organization in ATT&CK

7 distinct techniques

Reporting

Research mentioning CMD Organization

Jul 9
Scworld

Mount Royal University hit by ransomware attack, data stolen and deleted | brief | SC Media

The cyberattack, claimed by the threat group CMD Organization, involved the theft of data from the university's "H drive," which contained information for current and former students and employees.

Jul 9
Security Week

Mount Royal University Confirms Data Stolen in Ransomware Attack - SecurityWeek

The university’s notice, however, came the same day that a ransomware group called CMD Organization added MRU to its Tor-based leak site, claiming the theft of over 10 terabytes of data.

Jul 9
Cyberveille

Mount Royal University : vol et destruction de données par CMD Organization, rançon de 30 BTC | CyberVeille

Le groupe CMD Organization a revendiqué l’attaque et publié des échantillons de données volées, incluant des scans de passeports et d’autres documents sensibles. Le groupe a exigé une rançon de 30 BTC avec un délai de six jours avant publication des données.

Jul 9
Cysecurity News

Mount Royal University says hackers stole and deleted files following June cyberattack - CySecurity News - Latest Information Security and Hacking Incidents

Responsibility for the attack has been claimed by the cybercrime group CMD Organization, which has published samples of what it alleges is stolen university data, including passport scans and other sensitive documents.

Jul 9
Teiss News

teiss - News - Mount Royal University confirms hackers stole and deleted student and staff files

The attack has been claimed by a group calling itself CMD Organization, which has posted samples of allegedly stolen material, including passport scans and other sensitive documents, to its extortion site.

Jul 8
Bleeping Computer

Mount Royal University confirms breach as hackers claim attack

The MRU attack was claimed by the threat group CMD Organization, which has published samples of the allegedly stolen data, including passport scans and other sensitive documents.

Jul 6
Cyberveille

Tendances ransomware - Semaine 28/2026 | CyberVeille

La présence de CRPxO et CMD Organization mérite d’être notée, ces groupes n’étant pas apparus dans les données de la semaine précédente.

Jun 22
Cyberveille

Tendances ransomware - Semaine 26/2026 | CyberVeille

Icarus, Akira, INC Ransom et CMD Organization complètent le tableau avec respectivement 9, 8, 7 et 5 revendications.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.