Ransomware Riddles: To Pay or Not to Pay? The Dilemma Facing Businesses Today

Alex Turner, Technology Editor

In an era where cyber threats loom large, the dilemma of whether companies should pay ransoms to hackers is more pressing than ever. Recently, the US tech company Instructure, which operates the global education platform Canvas, faced this very question after a massive ransomware assault that compromised the data of hundreds of millions of students. As the debate rages on, it’s vital to examine the implications of such decisions and the ever-evolving landscape of cybercrime.

The Canvas Ransomware Attack

After enduring a week of crippling outages and chaos that left students unable to access their assignments, Instructure revealed it had “reached an agreement with the unauthorised actor” behind the attack. While the company has not confirmed the payment of a ransom, the phrasing has led many experts to infer that a sum may have changed hands.

The notorious hacking group ShinyHunters claimed responsibility for this brazen act, reportedly threatening to leak 3.6 terabytes of sensitive data, including student IDs, email addresses, and personal messages from 9,000 educational institutions. This data breach affected an astonishing 275 million students and staff globally, putting privacy concerns at the forefront.

In Australia alone, the attack wreaked havoc on over two dozen universities and schools, prompting institutions like RMIT and UTS to extend assignment deadlines as students struggled to access their learning portals.

Instructure confirmed that the hackers exploited a vulnerability within its Free for Teacher software, which allowed them to alter login pages, such as that of the University of Texas San Antonio, to alert users to the breach. Following the incident, the firm stated that it had received confirmation regarding the destruction of the stolen data through digital shred logs, a technical measure used to ensure files are irretrievable.

Navigating the Fallout

Darren Hopkins, a cyber forensics expert at McGrathNicol, commented on the situation, noting that the company’s statement was crafted carefully to avoid admitting to a ransom payment while still indicating a deal had been struck. “ShinyHunters is an extortion group. This is what they do,” he explained, highlighting the precarious nature of engaging with cybercriminals.

Luke Irwin, an Aegis Cybersecurity expert, estimated that Instructure might have faced a ransom demand as high as $10 million. However, he suggested that such figures are often negotiable. “Instructure is dealing with a criminal organisation, and you are taking them at their word that they will commit to those outcomes,” Irwin pointed out, emphasising the inherent risks of such transactions.

The Ethical Conundrum: To Pay or Not to Pay?

Despite widespread government advisories against paying ransoms—seen in the UK, US, and Australia—outright prohibitions are rare. A report from Akamai indicated that if ransoms are not paid, the effectiveness of ransomware as an attack vector diminishes, potentially dissuading hacker groups from utilising this method in the future.

Australia’s autonomous cyber sanctions law complicates matters further, as paying a designated attacker could lead to criminal prosecution. As of January 2026, it was reported that 75 companies with annual turnovers exceeding £3 million had paid ransoms, although the total amounts remain undisclosed. A survey by McGrathNicol revealed that the average ransom payment in Australia had decreased to £711,000 from £1.35 million the previous year, with a significant 64% of businesses opting to pay the ransom.

Hopkins remarked that companies are increasingly improving their cyber-defence strategies, which reduces the necessity to pay hackers to regain access to locked systems. Instead, many are prioritising damage control, often opting to pay in hopes of limiting further harm.

Trusting the Untrustworthy

One of the most pressing questions facing companies is whether paying a ransom will actually prevent data from being exposed. “The question around ‘how honest is that criminal?’ comes up all the time,” Hopkins noted, underlining the fundamental trust issue inherent in dealing with cybercriminals.

Irwin contended that it is in the hackers’ interest to act in good faith, as maintaining a reputation for honesty may encourage future victims to comply with ransom demands. However, Hopkins added a sobering reminder: “You can’t rely on them to not be what they are, which is criminals.”

This trust gap poses a significant challenge for businesses navigating these treacherous waters. Without the ability to validate the hackers’ claims, companies are left in a precarious position, often at the mercy of those who have already breached their security.

Why it Matters

The ongoing struggle between cybercriminals and businesses highlights the urgent need for robust cybersecurity measures and ethical considerations in the face of ransomware attacks. The decision to pay a ransom is fraught with uncertainty and moral implications, impacting not just the immediate victims but the wider landscape of cybersecurity. As the stakes continue to rise, understanding the intricacies of this dilemma is essential for safeguarding data privacy and maintaining trust in an increasingly digital world.

Alex Turner has covered the technology industry for over a decade, specializing in artificial intelligence, cybersecurity, and Big Tech regulation. A former software engineer turned journalist, he brings technical depth to his reporting and has broken major stories on data privacy and platform accountability. His work has been cited by parliamentary committees and featured in documentaries on digital rights.

© 2026 The Update Desk. All rights reserved.