In an increasingly digital world, the issue of whether businesses should acquiesce to ransom demands from hackers is a critical question that many firms grapple with annually. The recent cyberattack on Instructure, the company behind the widely used education platform Canvas, has reignited this debate. With potentially sensitive data from millions of students at stake, the tension between safeguarding user privacy and adhering to expert advice against paying ransoms has never been more pronounced.
The Canvas Cyberattack: A Snapshot
Instructure faced a significant cyberattack that disrupted services and compromised the data of hundreds of millions of students. The notorious hacking group ShinyHunters claimed responsibility, threatening to leak around 3.6 terabytes of sensitive information, including student IDs, email addresses, and personal messages from over 9,000 educational institutions worldwide. As the implications of the breach unfolded, students were left frustrated with delayed assignments and inaccessible platforms, prompting several universities to extend deadlines.
While Instructure has not explicitly confirmed payment of a ransom, their announcement of an “agreement” with the hackers has led many experts to surmise that a financial transaction took place. This cautious wording raises questions about the ethics and effectiveness of paying ransoms.
The Costs of Paying Ransoms
Despite global advisories against paying ransoms, companies often find themselves in a precarious position when faced with dire consequences. According to Luke Irwin, an expert from Aegis Cybersecurity, ransom demands can soar to astonishing figures, with estimates for Instructure reaching up to $10 million. However, negotiations may lead to lower payouts, emphasizing the unpredictable nature of dealing with cybercriminals.

Darren Hopkins, head of cyber at McGrathNicol, reflects on the complexities of the situation, noting that while Instructure’s statement is artfully vague, it signals they have reached some form of agreement with the hackers. The critical question remains: Is there any guarantee that paying a ransom will ensure the safety of the data and prevent further exposure?
Global Perspectives on Ransom Payments
Governments around the world, including those in the UK, US, and Australia, largely advise against making ransom payments, citing the potential to fuel further criminal activities. A recent report by Akamai indicates that while outright bans on ransom payments are rare, the ramifications of such decisions are significant. In Australia, under new regulations, paying a ransom could even be deemed a criminal act depending on the circumstances, which adds another layer of complexity for businesses facing cyber threats.
Statistics reveal a troubling trend: as of January 2026, over 75 Australian businesses with turnovers exceeding $3 million reportedly paid ransoms, with the average amount disbursed dropping to $711,000 from a staggering $1.35 million the previous year. The data suggests that a significant number of companies are willing to consider ransom payments, thus perpetuating the cycle of cyber extortion.
The Trust Factor: Can Criminals be Trusted?
One of the most pressing issues when it comes to ransom payments is the inherent distrust in dealing with criminals. As Hopkins points out, the question of “how honest is that criminal?” frequently arises in discussions about cyber threats. Although hackers like ShinyHunters may have a vested interest in maintaining a façade of trustworthiness to encourage future payments, the reality is that there are no guarantees.

Cybercriminals may provide “proof” of data destruction, such as screenshots or digital logs, but these assurances are not foolproof. Businesses must navigate a treacherous landscape, weighing the immediate need to regain control of their data against the potential for further risk.
Why it Matters
The ongoing debate surrounding ransom payments highlights the precarious balance between protecting sensitive information and combating the rising tide of cybercrime. As businesses continue to face the threat of ransomware attacks, the urgency for robust cybersecurity measures and clear guidelines on handling such incidents becomes increasingly critical. Ultimately, the decisions made in moments of crisis can have far-reaching implications, not just for individual companies but for the integrity of digital ecosystems as a whole. The stakes have never been higher, and the choices made now will shape the future of cybersecurity.