Ransomware Dilemma: Should Companies Pay Cybercriminals to Protect Data?

Alex Turner, Technology Editor

In a world where cyber threats loom larger by the day, the dilemma of whether businesses should pay ransoms to hackers has come into sharp focus. Recently, Instructure, the company behind the widely used educational platform Canvas, found itself in the eye of this storm after a significant data breach compromised the sensitive information of millions of students and staff. As firms grapple with the consequences of such attacks, the question remains: is paying the ransom ever a sensible option?

The Canvas Cyber Attack: What Happened?

Instructure had a troubling week in May 2026, announcing that it had suffered a ransomware attack that disrupted services across hundreds of educational institutions globally. The hackers, identified as the ShinyHunters group, reportedly stole a staggering 3.6 terabytes of data, including student IDs, email addresses, and personal messages from around 9,000 schools and 275 million individuals. The breach not only delayed assignment deadlines but also led to frustrations among students unable to access their accounts.

Experts interpreted Instructure’s recent statements as an indication that a ransom may have been paid, although the company has not confirmed any financial transaction. Instead, it mentioned having reached an “agreement” with the attackers and claimed that the compromised data had been returned, accompanied by “digital confirmation of data destruction.” This careful wording has raised eyebrows, suggesting a delicate negotiation with cybercriminals who are notorious for their deceitful practices.

The Costs and Consequences of Paying Ransoms

Despite widespread governmental advice against paying ransoms—echoed by authorities in the UK, US, and Australia—many companies still find themselves in a position where they feel compelled to comply. The rationale is simple: desperate times call for desperate measures. Cybersecurity expert Luke Irwin estimates that Instructure could have faced a ransom demand nearing $10 million, although negotiations might have reduced this figure.

The dilemma is further complicated by legal implications. In Australia, for instance, paying a ransom may be considered a criminal act under certain circumstances, especially if the attacker is on a sanctions list. This complex legal landscape adds to the already weighty decision-making process.

A recent report revealed that 75 businesses with an annual turnover exceeding $3 million had paid ransoms by early 2026, with the average amount settling at a hefty $711,000. This is a significant drop from the previous year’s average of $1.35 million, suggesting that businesses are becoming more pragmatic in their responses to cyber threats.

Trusting Criminals: A Risky Gamble

The core of the ransomware conundrum lies in a troubling question: can companies trust cybercriminals to hold up their end of the bargain? Darren Hopkins, a cyber forensics expert, highlights the scepticism prevalent in boardrooms across Australia. When training executives, he often encounters the query: “Will making a payment stop data from being exposed?” The underlying concern is clear—how reliable can a criminal be?

While some argue that groups like ShinyHunters have an incentive to act honourably to maintain their business model, Hopkins cautions against blind faith in such assurances. Cybercriminals may provide deceptive evidence of data deletion, leaving companies with no means to independently verify these claims.

Preparing for the Inevitable

As the frequency and severity of cyberattacks escalate, businesses are increasingly recognising the importance of preparation. Many organisations are investing in robust cybersecurity measures to minimise the risk of such breaches and reduce reliance on paying ransoms. The focus is shifting from merely regaining access to locked systems to preventing further data exposure and potential fallout.

Instructure’s case exemplifies this shift. The rapid engagement with the threat actors suggests that the company realised the urgency of the situation, as their data was already being leaked online. This proactive approach could serve as a model for other firms facing similar threats.

Why it Matters

The ongoing battle against ransomware poses significant implications for businesses and their stakeholders. The decision to pay or not to pay can determine not only the future of a company’s operations but also its reputation and trustworthiness in the eyes of clients and customers. As cybercriminals continue to refine their tactics, organisations must navigate this treacherous landscape with caution, balancing immediate concerns against long-term strategies for resilience. The stakes couldn’t be higher: safeguarding sensitive information is not just about financial losses, but preserving the trust that forms the bedrock of any successful business.

Alex Turner has covered the technology industry for over a decade, specializing in artificial intelligence, cybersecurity, and Big Tech regulation. A former software engineer turned journalist, he brings technical depth to his reporting and has broken major stories on data privacy and platform accountability. His work has been cited by parliamentary committees and featured in documentaries on digital rights.
© 2026 The Update Desk. All rights reserved.