Ransomware Dilemma: Should Companies Pay Hackers to Protect Sensitive Data?

Ryan Patel, Tech Industry Reporter

In the increasingly perilous landscape of cybercrime, the dilemma of whether companies should pay ransoms to hackers has come to the forefront once again. This issue gained renewed attention after a significant breach involving the US tech firm Instructure, which operates the widely used educational platform Canvas. With hundreds of millions of student records compromised and services disrupted, Instructure’s recent actions have sparked debate over the ethics and efficacy of negotiating with cybercriminals.

The Instructure Incident: A Case Study

Instructure’s ordeal highlights the stark realities faced by organisations when dealing with ransomware. Following a week-long service outage and severe data breaches affecting 9,000 educational institutions and 275 million students and staff, the company declared it had “reached an agreement” with the hackers responsible for the attack. While the firm did not explicitly confirm a ransom payment, experts suggest that the phrasing implies negotiations likely involved financial compensation.

The hacking group ShinyHunters claimed responsibility for this attack, threatening to release 3.6TB of sensitive data, including student ID numbers and personal emails. The breach not only disrupted educational activities but also forced several Australian institutions, including RMIT and the University of Technology Sydney, to extend assignment deadlines as students struggled to access vital resources.

Instructure later informed stakeholders that they had received “digital confirmation of data destruction,” suggesting that they sought to assure users of their commitment to security, even in a deal with criminals. However, the credibility of such assurances remains a contentious point.

The Ethical Conundrum: To Pay or Not to Pay?

The decision whether to pay ransoms presents a multifaceted dilemma for businesses. Despite global government advisories against such payments, many organisations find themselves cornered, opting to negotiate with attackers to avert further damage. Cybersecurity experts argue that paying ransoms may inadvertently encourage criminal behaviour by validating the effectiveness of such attacks.

According to a recent report by Akamai, if ransoms are routinely paid, hacker groups may find this approach increasingly attractive. In Australia, where legislation can classify ransom payments as criminal under certain sanctions laws, the stakes are even higher. Companies must navigate a complex legal landscape while attempting to protect their interests.

As of January 2026, 75 Australian businesses reported ransom payments, with an average payout of $711,000, a significant drop from $1.35 million the previous year. Intriguingly, 64% of surveyed executives admitted to paying ransoms, while a staggering 81% indicated a willingness to do so if faced with a similar situation again.

Trusting the Criminal: Risks and Realities

As firms grapple with the decision to pay ransoms, an underlying question looms large: Can organisations trust the promises of cybercriminals? This query is frequently posed in boardrooms across Australia, raising doubts about the integrity of payment agreements.

Experts like Darren Hopkins from McGrathNicol emphasise that while hacker groups might have a vested interest in appearing trustworthy to secure future payments, the inherent risk of engaging with criminals cannot be ignored. Criminals may provide fabricated evidence of data deletion, leaving companies with no means to verify the authenticity of these claims.

Furthermore, the business model of ransomware groups relies heavily on maintaining a semblance of honour among thieves. The reality, however, is that once a payment is made, companies remain vulnerable to further attacks or data leaks, regardless of any assurances given.

The Instructure incident serves as a stark reminder of the growing sophistication of cyber threats and the pressing need for robust cybersecurity measures. As organisations increasingly find themselves in the crosshairs of ransomware attacks, the imperative for preparation and resilience becomes clearer.

Navigating the Future of Cybersecurity

Hopkins notes that companies are improving their response strategies, focusing more on prevention and damage mitigation rather than sole reliance on ransom payments. This shift in approach could potentially reduce the overall effectiveness of ransomware as a tactic, subsequently dissuading hacker groups from pursuing this route.

Why it Matters

The question of whether to pay ransoms is not merely a financial decision; it encapsulates broader ethical, legal, and operational challenges. As the landscape of cybercrime evolves, organisations must balance the urgency of protecting sensitive data against the risks of legitimising criminal behaviour. In a world where data is invaluable, understanding the implications of ransom payments is crucial for future business sustainability and security. The Instructure case underscores the urgent need for a collective, strategic approach to combatting cyber threats, ensuring that businesses are equipped not only to respond to attacks but to prevent them in the first place.

Ryan Patel reports on the technology industry with a focus on startups, venture capital, and tech business models. A former tech entrepreneur himself, he brings unique insights into the challenges facing digital companies. His coverage of tech layoffs, company culture, and industry trends has made him a trusted voice in the UK tech community.

© 2026 The Update Desk. All rights reserved.