A young ransomware operation that calls itself CMD is widening its net fast, adding a local government in Norway, a healthcare provider, a manufacturer, and a private security firm to its extortion site in the space of a few days. The crew, which IntelFusions tracks under the codename Scrape Flux, only began posting victims in early May 2026, yet it has already listed more than 30 organizations across North America, South America, and Europe.
The headline name in the latest batch is Lorenskog kommune, the municipal authority for a town of roughly 40,000 people on the edge of Oslo. Local-government bodies hold sensitive records on residents, run public services, and often lag private companies on security budgets, which makes them a recurring target for extortion crews. Like every entry on a ransomware leak site, the listing is a claim: the gang says it has the data and is pressuring the victim to pay. IntelFusions has not verified that any of these organizations were actually breached, and none has publicly confirmed an incident.
What CMD is claiming
Over roughly the past week the crew has posted a string of victims that span sectors and continents rather than concentrating on one industry. Alongside the Norwegian municipality, recent listings include a healthcare provider, a composite-parts manufacturer and a logistics-linked services business in the United States, and a private security group in Colombia. That spread, public sector, healthcare, manufacturing, and financial-adjacent services, is typical of an opportunistic affiliate model: operators hit whatever vulnerable network they can reach rather than chasing a particular vertical.
Why a two-month-old crew matters
Ransomware brands appear and disappear constantly, and a new name on a leak site is easy to dismiss. But the trajectory here is the point. CMD went from its first listings in early May to more than 30 named victims, with about half of those added in the last month and roughly seven in the past week alone. A crew that can sustain that cadence usually has working intrusion access (often bought from initial-access brokers or harvested through stolen credentials and exposed remote services) and enough affiliates to keep the pipeline full. Defenders should treat it as an active threat, not a curiosity. For the wider picture on how fast leak-site claims are piling up this season, see our recent coverage of the Settra crew naming a dozen victims in a single day, and the profile we maintain on CMD as it develops.
What you should do
There is no single CMD-specific patch, because crews like this exploit the same well-worn entry points most extortion actors use. Prioritize the basics that close those doors: enforce phishing-resistant multi-factor authentication on every remote-access and VPN account, patch internet-facing services and edge devices promptly, and disable or tightly restrict exposed RDP. Keep offline, tested backups so that an encryption event does not become a ransom decision, and watch for the early signs of intrusion, unexpected administrative logins, new accounts, and mass file access, before data is staged for theft. Organizations in Norway and the wider Nordics can review national guidance and our Norway cyber profile for region-specific context.
IntelFusions will update this story if any of the named organizations confirms an incident or if CMD releases data to back its claims. Until then, these remain unproven extortion listings, and the most useful response is to harden the access paths that let crews like this in.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.