In the ever-evolving landscape of cybercrime, the decision of whether to pay ransoms to hackers has become a critical dilemma for businesses worldwide. With millions at stake and sensitive data often on the line, the pressure on victims has never been greater. The recent ransomware attack on Instructure, the tech giant behind the popular educational platform Canvas, has reignited this debate, prompting urgent discussions about the ethics and implications of ransom payments.
The Attack on Instructure: A Wake-Up Call for Education Providers
In a shocking turn of events, Instructure faced a severe ransomware attack that compromised the data of approximately 275 million students and staff across 9,000 educational institutions. The hacking group ShinyHunters claimed responsibility, threatening to leak a staggering 3.6TB of sensitive information, including email addresses and student ID numbers, unless a ransom was paid.
After a week filled with outages and disrupted academic schedules, the company announced it had “reached an agreement with the unauthorised actor,” a carefully crafted statement suggesting a ransom payment had likely been made, though Instructure has not confirmed this outright.
The repercussions of this attack reverberated across Australia, where over two dozen universities and schools fell victim, forcing institutions like RMIT and UTS to extend assignment deadlines due to accessibility issues. Instructure later revealed that hackers exploited a vulnerability in its Free for Teacher software, allowing them to deface login pages and alert users to the breach.
To Pay or Not to Pay: The Ethical Quandary
Despite global advisories against paying ransoms, many organisations find themselves in a precarious position when it comes to protecting their users’ privacy and data. Cybersecurity expert Darren Hopkins from McGrathNicol highlights the careful wording of Instructure’s announcements, indicating an agreement with the hackers without outright admission of payment.

“The business model of hackers necessitates them to demonstrate honesty,” Hopkins explains. “However, the question remains: how trustworthy can you expect a criminal to be?” This uncertainty complicates the decision-making process for businesses facing similar threats.
Luke Irwin, a cybersecurity expert, estimates that the ransom demand could have been around US$10 million, suggesting that Instructure—either directly or through insurance—may have paid a significant sum to ensure the safe return of its data. But even if a ransom is paid, there are no guarantees that the hackers will uphold their end of the bargain or that the data will remain secure.
The Legal Landscape: A Risky Business
In Australia, the legal implications of paying a ransom can be severe. Under the autonomous cyber sanctions law, paying designated attackers could potentially lead to criminal charges, compelling businesses to weigh the legal risks alongside the immediate threat posed by cybercriminals. A report by Akamai reveals that firms are increasingly reluctant to pay, as doing so could inadvertently finance further criminal activities.
Data shows that, as of January 2026, 75 businesses with annual turnovers exceeding $3 million had reportedly paid ransoms, with the average amount paid dropping to $711,000 from $1.35 million the previous year. This decline suggests that enterprises are becoming more adept at preparing for cyber-attacks, reducing their reliance on ransom payments to regain access to their systems.
Navigating the Future of Cybersecurity
As businesses grapple with the ramifications of ransomware attacks, proactive measures are becoming essential. The question of whether organisations should pay up or refuse remains contentious. While some experts advocate for negotiating with hackers, many warn against the unpredictability of engaging with criminals.

Ultimately, the decision to pay a ransom is fraught with uncertainty. Businesses must weigh the potential for immediate data recovery against the risk of encouraging further attacks and funding criminal enterprises.
Why it Matters
The Instructure ransomware incident highlights a pivotal moment in the ongoing battle against cybercrime. As companies increasingly find themselves caught in the crosshairs of hackers, the ethical and practical ramifications of ransom payments become ever more crucial. The choices made today will shape the future of cybersecurity, making it imperative for organisations to develop robust strategies that not only respond to threats but also mitigate the risks associated with paying ransoms. As technology continues to advance, so too must our understanding and approach to safeguarding data in an increasingly digital world.