Back to Intelligence

Mount Royal University Breach: Detecting Data Exfiltration and Wiping on File Storage

SA
Security Arsenal Team
July 8, 2026
5 min read

Mount Royal University in Calgary recently confirmed a significant security incident resulting in the theft and deletion of data from its central file storage systems. While specific vectors are still under investigation, the outcome—data exfiltration followed by destruction—represents a worst-case scenario for educational institutions holding PII and research data.

For defenders, this incident underscores the fragility of network-attached storage (NAS) and file shares when lateral movement goes unchecked. Unlike encryption-focused ransomware, which can sometimes be reversed, pure data deletion (wiping) causes permanent data loss. This post analyzes the tactics likely employed and provides actionable detection logic to identify mass data transfer and destruction on your file servers.

Technical Analysis

Affected Components

  • Target: Network File Storage (likely SMB/CIFS shares, NFS, or cloud storage gateways).
  • Impact: Confidentiality breach (theft) and Integrity loss (deletion).

Attack Chain & TTPs

Based on the "steal and delete" modus operandi observed in similar campaigns against academia, the attack chain typically follows this pattern:

  1. Initial Access: Likely via phishing credentials or VPN vulnerabilities (no CVE specified in source).
  2. Lateral Movement: Pass-the-hash or abuse of legacy protocols (SMB, RDP) to reach file servers.
  3. Collection: Use of legitimate administrative tools (e.g., robocopy, rclone, WinSCP) or custom scripts to stage large volumes of data.
  4. Exfiltration: Data is transferred externally via encrypted channels (HTTPS, SSH) to attacker-controlled infrastructure.
  5. Impact: Once data is secured, the threat actor executes deletion commands (rm, del, cipher) to disrupt operations and destroy forensic evidence.

Exploitation Status

  • Status: Confirmed active exploitation (Mount Royal University incident).
  • Methodology: Operational Security (OpSec) failure usually occurs during the mass transfer or deletion phases due to the sheer volume of file system events generated.

Detection & Response

Detecting "low and slow" data theft is difficult, but mass exfiltration and wiping create detectable noise. The following rules focus on identifying the tools commonly used to steal and destroy data at scale.

SIGMA Rules

YAML
---
title: Potential Data Exfiltration via Rclone
id: 8a2b1c3d-4e5f-6789-0a1b-2c3d4e5f6789
status: experimental
description: Detects the use of rclone, a command-line tool often used by threat actors to sync data to cloud storage for exfiltration.
references:
 - https://attack.mitre.org/techniques/T1041/
author: Security Arsenal
date: 2026/04/22
tags:
 - attack.exfiltration
 - attack.t1041
logsource:
 category: process_creation
 product: windows
detection:
 selection:
   Image|endswith:
     - '\rclone.exe'
   or CommandLine|contains:
     - 'rclone '
     - 'rclone copy'
     - 'rclone sync'
 falsepositives:
  - Legitimate backup administrators using rclone
level: high
---
title: Mass File Deletion via Command Line
id: 9b3c2d1e-5f6a-7890-1b2c-3d4e5f67890a
status: experimental
description: Detects attempts to delete multiple files or recursively wipe directories using native Windows tools.
references:
 - https://attack.mitre.org/techniques/T1485/
author: Security Arsenal
date: 2026/04/22
tags:
 - attack.impact
 - attack.t1485
logsource:
 category: process_creation
 product: windows
detection:
 selection:
   Image|endswith:
     - '\cmd.exe'
     - '\powershell.exe'
     - '\pwsh.exe'
   CommandLine|contains:
     - 'del '
     - 'Remove-Item '
     - 'rm '
   CommandLine|contains:
     - '/s '
     - '-recurse'
     - '-force'
 filter_legit_admin:
   ParentImage|contains:
     - '\SoftwareDistribution\Download\'
     - '\Windows\System32\mstsc.exe' # Rare for mass delete
 condition: selection and not filter_legit_admin
falsepositives:
  - System maintenance scripts
  - IT helpdesk cleaning temp folders
level: high

KQL (Microsoft Sentinel / Defender)

This query identifies processes associated with data transfer tools and correlates them with network connections to detect potential exfiltration events.

KQL — Microsoft Sentinel / Defender
let ExfilTools = dynamic(['rclone', 'winscp', 'filezilla', 'cyberduck', 'pscp']);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (ExfilTools) or FileName has_any (ExfilTools)
| join kind=inner (DeviceNetworkEvents
| where RemotePort in (443, 22, 21)
| where InitiatingProcessFileName !in ('svchost.exe', 'services.exe'))
 on DeviceId, InitiatingProcessId
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, RemoteUrl, RemoteIP, RemotePort
| summarize count() by DeviceName, AccountName, RemoteIP, bin(Timestamp, 5m)
| where count_ > 10

Velociraptor VQL

Hunt for suspicious process execution chains indicative of wiping activities on file servers.

VQL — Velociraptor
-- Hunt for mass deletion or wiping tools
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name =~ 'cmd.exe'
  OR Name =~ 'powershell.exe'
  OR Name =~ 'bash'
  AND (CommandLine =~ 'del /' 
       OR CommandLine =~ 'rm -' 
       OR CommandLine =~ 'Remove-Item -Recurse' 
       OR CommandLine =~ 'cipher /w')

Remediation Script

Use this PowerShell script to audit file share permissions immediately following a suspected breach to identify who has the capacity to delete data.

PowerShell
# Audit File Share Permissions for High-Risk 'Delete' Access
# Run on the suspected compromised file server

$HighRiskShares = Get-SmbShare | Where-Object {$_.Special -eq $false}

foreach ($share in $HighRiskShares) {
    $path = $share.Path
    Write-Host "Auditing Share: $($share.Name) at Path: $path" -ForegroundColor Cyan
    
    try {
        $acl = Get-Acl -Path $path
        foreach ($access in $acl.Access) {
            if ($access.FileSystemRights -match 'Delete|Modify|FullControl') {
                [PSCustomObject]@{
                    ShareName = $share.Name
                    Path = $path
                    Identity = $access.IdentityReference.Value
                    Rights = $access.FileSystemRights
                    AccessControlType = $access.AccessControlType
                }
            }
        }
    }
    catch {
        Write-Host "Error accessing ACL for $path : $_" -ForegroundColor Red
    }
}

Remediation

1. Immediate Isolation: If a breach is suspected, disconnect the file storage systems from the network immediately to halt ongoing exfiltration or deletion. Do not shut down servers if memory capture is required for forensic analysis.

2. Credential Reset: Assume Active Directory credentials have been compromised. Force a password reset for all privileged accounts (Domain Admins, Service Accounts) and any users with access to the affected file storage. Enforce MFA immediately.

3. Access Control Review: Move from "ACL sprawl" to a strict Zero Trust model. Ensure that "Full Control" or "Modify" permissions are granted only to dedicated service accounts, not general user groups.

4. Immutable Backups: Implement immutable (WORM) storage for critical backups. If the attacker deleted the production data, an offline or immutable backup is the only guaranteed recovery method.

5. Network Segmentation: Ensure file storage servers are not directly accessible from the internet and are segmented from general user VLANs to restrict lateral movement.

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub

incident-responseransomwarebreach-responseforensicsdfirdata-exfiltrationfile-storage-securityeduction-sectorir-csirtdata-wiping

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.