In a digital age where cyber threats loom large, the question of whether companies should pay hefty ransoms to hackers is becoming increasingly pressing. This dilemma was thrust into the spotlight following a significant ransomware attack on the education platform Canvas, managed by the US tech firm Instructure. With hundreds of millions of students’ data compromised, the stakes were high, and the implications profound.
The Canvas Ransomware Attack
The recent incident involving Instructure has raised alarm bells across educational institutions worldwide. After a week marred by outages and data breaches affecting approximately 275 million students and staff, the company revealed it had reached an “agreement” with the hackers responsible for the attack. While the firm has not explicitly confirmed whether a ransom was paid, the phrasing has led many experts to suspect that negotiations took place.
The notorious hacking group ShinyHunters claimed responsibility for the breach, threatening to release a staggering 3.6 terabytes of sensitive data, including student IDs, email addresses, and personal messages. The impact was felt particularly hard in Australia, where numerous universities and schools found themselves in the crosshairs. Institutions like RMIT and UTS had to grant assignment extensions as frustrated students struggled to access their online portals.
Navigating the Cyber Landscape
Instructure disclosed that the hackers exploited a vulnerability in its Free for Teacher software, which allowed them to deface login pages, including that of the University of Texas San Antonio. The company’s statement mentioned that they had received “digital confirmation of data destruction,” indicating that they had taken steps to mitigate the damage.

Darren Hopkins, head of cyber at cyber forensics accounting firm McGrathNicol, noted that Instructure’s communication was carefully constructed to suggest an agreement without admitting to a ransom payment. He described ShinyHunters as an extortion group whose modus operandi revolves around this kind of negotiation.
To Pay or Not to Pay?
Despite strong advisories from governments in the UK, US, and Australia against paying ransoms, many companies still find themselves considering the option. A report from Akamai in 2025 highlighted that while outright bans on ransom payments are rare, refusing to pay could reduce the attractiveness of ransomware as a tactic for cybercriminals.
In Australia, paying a ransom could even lead to criminal charges under the autonomous cyber sanctions law, which assesses payments on a case-by-case basis. Interestingly, a recent survey revealed that 75 businesses, each with a turnover exceeding $3 million, had opted to pay ransoms by the end of January 2026, with the average payment amounting to $711,000—a significant decrease from the previous year’s average of $1.35 million.
Trusting the Untrustworthy
The crux of the matter lies in whether paying a ransom truly guarantees the safety of the data. As Hopkins frequently addresses in boardroom discussions, the pivotal question remains: “Will making a payment stop data from being exposed?” This query underscores a fundamental dilemma in the cyber realm: Can we trust those who operate outside the law?
Luke Irwin, a cybersecurity specialist at Aegis, suggests that it may be in ShinyHunters’ interest to uphold their end of the bargain, as maintaining a reputation for reliability could incentivise future victims to comply with their demands. However, the inherent risk in trusting criminals cannot be