Intelligence
highCampaignActive

Mount Royal University data theft and deletion attack highlights ransomware-adjacent data exfiltration tactics

Mount Royal University in Calgary confirmed a network breach resulting in stolen data that was subsequently deleted from file storage systems. The incident demonstrates evolving extortion tactics where attackers exfiltrate and destroy data rather than encrypt it.

S
Sebastion

Affected

Mount Royal University

Mount Royal University's breach represents a significant shift in attacker methodology within the higher education sector. Rather than deploying encryption-based ransomware, threat actors extracted sensitive data and subsequently deleted it from the institution's file storage infrastructure. This approach creates operational pressure on victims by destroying institutional data whilst simultaneously threatening disclosure, effectively creating a two-front extortion scenario.

The technical execution suggests relatively straightforward lateral movement and data exfiltration capabilities, likely indicating opportunistic threat activity rather than a highly sophisticated, targeted operation. The deletion of data after exfiltration indicates either a deliberate destruction phase or potential misconfiguration during the attackers' cleanup process. Either interpretation suggests the attackers had sufficient dwell time and system access to operate with minimal constraints.

Universities represent attractive targets due to their decentralised security posture, valuable research data, personal information on students and staff, and institutional reluctance to disrupt academic operations through aggressive containment measures. Mount Royal's breach will likely prompt other post-secondary institutions to review their backup strategies, data discovery processes, and incident response capabilities.

Defenders should prioritise immutable backup architectures, network segmentation between operational systems and backup infrastructure, enhanced monitoring for bulk data transfer activities, and clear incident escalation procedures. The absence of disclosed ransom demands or data sale announcements in this case is noteworthy; institutions should prepare for scenarios where attackers pursue direct settlement negotiation rather than public leak site publication.

This incident reflects a broader trend where data destruction becomes a standalone extortion vector. Organisations cannot rely solely on ransomware detection signatures or encrypted file identification when threat actors are simply removing data and demanding payment for its recovery or for non-disclosure of what was accessed.