Should Companies Pay Ransoms? The Dilemma of Cybercrime Unveiled

Alex Turner, Technology Editor

In today’s digital landscape, the question of whether businesses should capitulate to ransomware demands is more pressing than ever. With incidents on the rise, recent events surrounding the US tech company Instructure, which operates the widely-used education platform Canvas, have intensified the debate. After a significant cyberattack that compromised data from hundreds of millions of students, the firm hinted at an agreement with the hackers, leaving many to wonder if a ransom was paid to safeguard sensitive information.

The Ransomware Attack on Instructure

Instructure found itself at the centre of a catastrophic cyber incident, reportedly orchestrated by the notorious hacking group ShinyHunters. This attack unleashed chaos across educational institutions, with hackers threatening to leak an alarming 3.6 terabytes of data. This trove included student ID numbers, email addresses, and personal messages from a staggering 9,000 schools, affecting around 275 million students and staff globally.

The aftermath was disastrous: access to Canvas was severely disrupted, leading to delayed assignment submissions and frustrations among students. Notably, universities such as RMIT and UTS were compelled to extend deadlines due to the outage.

Instructure has since disclosed that the hackers exploited vulnerabilities within its Free for Teacher software, which enabled them to alter login pages, including that of the University of Texas San Antonio. Following the incident, the company announced that it had “reached an agreement” with the attackers, although it remains unconfirmed whether a ransom was indeed paid.

The Case for and Against Paying Ransoms

The debate surrounding ransom payments is fraught with complexity. Governments worldwide, including those in the UK, US, and Australia, typically advise against surrendering to cybercriminals. However, the reality is that many organisations still choose to negotiate and even pay ransoms to protect their data and user privacy.

A report from Akamai highlights that outright bans on ransom payments are rare, with many firms arguing that non-payment could lessen the appeal of ransomware attacks. In Australia, the legality of such payments is murky; under the autonomous cyber sanctions law, paying designated attackers could be considered a criminal act, evaluated on a case-by-case basis.

According to statistics from the Australian government, as of January 2026, 75 businesses with revenues exceeding $3 million per year had paid ransoms, although the exact amounts remain undisclosed. A recent McGrathNicol report indicated that the average ransom paid by Australian businesses dropped to $711,000, down from $1.35 million the previous year, with over 64% of surveyed executives admitting that they had opted to pay a ransom.

The Trust Factor in Cybercrime

As the landscape of cyber threats evolves, businesses are honing their strategies to combat potential attacks. Darren Hopkins, head of cyber at McGrathNicol, explains that companies are now more focused on risk management, often prioritising the prevention of further damage over the retrieval of locked systems.

One of the most pressing questions that arises in boardrooms is whether paying a ransom truly guarantees that data will remain protected. “How honest is that criminal?” is a common concern voiced by executives as they assess their options. While some experts suggest that it is in the best interest of groups like ShinyHunters to maintain a semblance of trustworthiness to ensure future payments, it’s crucial to remember that they are, at the end of the day, criminals.

Hopkins cautions against relying too heavily on the word of cybercriminals, noting that they may provide misleading evidence to justify a payment. Without the access needed to validate those claims, businesses find themselves in a precarious position.

Why it Matters

The ongoing debate about ransom payments highlights the urgent need for businesses to develop robust cybersecurity measures. As cyberattacks continue to escalate in frequency and sophistication, the stakes are higher than ever. Organisations must weigh the risks of engaging with criminals against the potential fallout of data breaches, making informed decisions that protect not only their assets but also the privacy of millions of individuals. In an age where data is power, the consequences of these decisions resonate far beyond corporate walls, impacting society at large.

Alex Turner has covered the technology industry for over a decade, specializing in artificial intelligence, cybersecurity, and Big Tech regulation. A former software engineer turned journalist, he brings technical depth to his reporting and has broken major stories on data privacy and platform accountability. His work has been cited by parliamentary committees and featured in documentaries on digital rights.
© 2026 The Update Desk. All rights reserved.