In an age where cyber threats loom large, the recent ransomware attack on Instructure, the tech firm behind the widely used educational platform Canvas, has ignited a fervent debate over whether firms should capitulate to hackers’ demands. With hundreds of millions of students’ data compromised and academic activities severely disrupted, this incident serves as a stark reminder of the growing sophistication of cybercrime and the tough choices companies face when their systems are under siege.
The Attack Unfolds
Instructure’s troubles began when the notorious hacking group ShinyHunters executed a massive data breach, threatening to leak a staggering 3.6 terabytes of sensitive information. This trove included student ID numbers, email addresses, and personal messages from 9,000 educational institutions, affecting approximately 275 million students and staff members worldwide. As the fallout from the breach unfolded, many educational providers, including over two dozen Australian universities and schools, were forced to delay assignments and provide extensions as students struggled to access vital portals.
The hacking group had made it clear that unless a ransom was paid, they would unleash the stolen data into the public domain. Following a week of chaos, Instructure announced it had come to an “agreement” with the hackers, though the firm has not confirmed whether a ransom was indeed paid. Observers interpret this ambiguous language as indicative of a financial transaction, but the details remain shrouded in mystery.
The Ransom Debate
The question of whether to pay ransoms is not merely theoretical; it is a pressing dilemma that confronts countless businesses each year. While governments around the globe, including those in the UK, US, and Australia, generally discourage ransom payments, the stark reality is that many organisations ultimately comply to safeguard sensitive information.

Experts suggest that Instructure may have faced ransom demands upwards of £10 million, although negotiations could have tempered this amount. Darren Hopkins, head of cyber at McGrathNicol, noted the careful wording of Instructure’s statements, indicating a strategically crafted message that neither confirms nor denies payment while implying some form of agreement has been reached.
The Risks of Compliance
Paying a ransom comes with its own set of risks. Not only does it potentially finance further criminal activities, but there is also no assurance that compliance will guarantee the secure destruction of stolen data. Luke Irwin, a cybersecurity expert at Aegis, highlights the inherent gamble: “You are taking them at their word that they will commit to those outcomes,” he warns, underscoring the precarious nature of dealings with cybercriminals.
In Australia, where strict regulations around cybercrime are in place, paying a ransom may even be deemed a criminal act under specific circumstances. The Australian government has been vigilant, monitoring ransom payments closely, yet as of January 2026, 75 businesses reported making such payments, with an average ransom of approximately £711,000.
Preparing for the Inevitable
Despite the risks associated with paying ransoms, companies are increasingly recognising the importance of preparing for potential cyberattacks. The McGrathNicol ransomware report indicates that many organisations are now adopting proactive measures to bolster their defences, thereby reducing the likelihood of needing to pay hackers.
Hopkins remarks that businesses are becoming more adept at navigating the complexities of cybercrime. “Canvas was interesting because we all suspected [Instructure] engaged with the threat actor very quickly,” he observes, suggesting that swift action may have mitigated further damage.
The Trust Factor
The central question that often arises in boardrooms when discussing ransom payments is straightforward: Will paying the ransom prevent data exposure? This concern reflects a broader issue of trust in dealings with criminals, where the reliability of hackers is put to the test. “The business model of hackers necessitates a certain level of trust,” Hopkins explains. “If they don’t act in good faith, future victims may be less inclined to pay.”

Yet the inherent nature of cybercriminals means that faith should be tempered with caution. Irwin notes, “It is in ShinyHunters’ interest to act in good faith as an example,” but Hopkins counters, stating that organisations cannot afford to rely on the integrity of those who operate outside the law.
Why it Matters
As cyber threats continue to escalate, the Instructure incident serves as a crucial lesson for businesses around the world. The dilemma of whether to pay ransoms not only impacts individual companies but has wider implications for cybersecurity practices across industries. With data breaches becoming increasingly common, organisations must weigh the urgency of immediate recovery against the long-term consequences of empowering cybercriminals. The choices made today will shape the landscape of digital security for years to come, highlighting the need for robust preventative measures and a collective commitment to combatting cybercrime.