Ransomware Dilemma: The Complex Choices Facing Businesses in Cybersecurity

Ryan Patel, Tech Industry Reporter

In an era where cyberattacks are increasingly sophisticated and prevalent, the dilemma of whether to pay ransoms to hackers remains a pressing concern for many organisations. The recent ransomware incident involving US educational technology provider Instructure, which operates the widely used Canvas platform, has once again thrown this contentious issue into the spotlight. Following a severe breach that compromised the data of millions of students and educators, Instructure’s response is emblematic of the tough decisions companies must navigate in the face of cyber extortion.

The Instructure Incident: A Case Study

After experiencing significant service outages and data theft affecting hundreds of millions of users, Instructure announced it had reached an agreement with the cybercriminal group responsible for the attack. Although the company refrained from explicitly confirming the payment of a ransom, the language used in its communications has led many industry experts to interpret it as a tacit admission of ransom payment.

The hacking group, known as ShinyHunters, claimed responsibility for the breach, threatening to leak approximately 3.6TB of sensitive data unless their demands were met. The stolen information included student ID numbers, email addresses, and personal messages from around 9,000 educational institutions, impacting more than 275 million students and staff globally. The fallout was immediate, with institutions in Australia, such as RMIT and UTS, forced to delay assignments and extend deadlines due to the compromised access.

Instructure later revealed that the hackers had exploited a vulnerability in its Free for Teacher software, which allowed them to deface login pages and announce the breach publicly. The company maintained that it had received “digital confirmation of data destruction” from the hackers, although experts caution that such assurances from cybercriminals should be taken with a grain of salt.

The Ethical and Strategic Debate

The question of whether to pay ransoms poses significant ethical and strategic challenges. Despite widespread guidance from governments in the UK, US, and Australia advising against ransom payments, many companies still opt to negotiate with their attackers. The rationale is often tied to protecting sensitive user data and maintaining operational continuity. However, the risks associated with paying ransoms are substantial; there is no guarantee that data will be deleted or that hackers will not return for further extortion.

Darren Hopkins, head of cyber at McGrathNicol, highlights the precarious nature of these decisions, stating, “Instructure is dealing with a criminal organisation, and you are taking them at their word that they will commit to those outcomes.” Such a gamble places organisations in a difficult position, balancing immediate recovery needs against the long-term implications of funding cybercriminal activity.

Government Stance and Regulatory Challenges

Regulatory frameworks governing ransomware payments vary across jurisdictions, with Australia’s autonomous cyber sanctions law making it potentially illegal to pay certain designated attackers. However, outright bans on such payments remain rare. Reports suggest that 75 businesses with turnovers exceeding £3 million paid ransoms within the last year, though the exact amounts have not been disclosed. A recent survey indicated that the average ransom paid in Australia was approximately £711,000, a significant decrease from £1.35 million the previous year.

The regulatory landscape complicates the decision-making process for organisations. As the Akamai 2025 Ransomware State of the Industry report notes, the effectiveness of ransomware as an attack vector diminishes if payments decline, yet the stakes remain high for businesses caught in the crossfire.

While many companies are becoming more adept at fortifying their cyber defences, the reality is that cyberattacks are becoming more prevalent and sophisticated. As businesses invest in preventative measures, they must also prepare for the possibility of a breach. The strategy often shifts from outright payment to negotiating with attackers to mitigate potential data exposure.

Navigating the Cyber Landscape

The dialogue surrounding the integrity and trustworthiness of cybercriminals is particularly poignant. Hopkins notes that the recurring question he encounters in boardrooms is whether paying a ransom will indeed prevent data exposure. “The business model of hackers needs them to show that they’re honest,” he explains. This trust factor is tenuous, and companies must tread carefully when dealing with criminals who have little incentive to uphold their end of the bargain.

Why it Matters

The implications of the Instructure ransomware incident extend well beyond immediate operational concerns; they highlight a broader trend in cybersecurity where businesses must navigate a complex landscape of risk, ethics, and regulatory requirements. As cyber threats evolve, organisations will need to strike a careful balance between safeguarding user data and resisting the lure of ransom payments. The choices made today will shape the future of cybersecurity practices, influencing not only individual companies but the industry as a whole. In a world increasingly reliant on digital infrastructure, the stakes have never been higher.

Ryan Patel reports on the technology industry with a focus on startups, venture capital, and tech business models. A former tech entrepreneur himself, he brings unique insights into the challenges facing digital companies. His coverage of tech layoffs, company culture, and industry trends has made him a trusted voice in the UK tech community.
© 2026 The Update Desk. All rights reserved.