Instructure cyberattack reignites ransom payment debate
Instructure struck a deal to recover its stolen data -- likely paying a hefty ransom. For CISOs, deciding whether to negotiate with cybercriminals should come down to business risk.
Following a massive cyberattack on its popular Canvas learning management system, education software provider Instructure said it had struck a deal with malicious hackers to recover its stolen data. Instructure did not disclose the terms of the deal, but experts say it likely included a significant ransomware payment, reigniting debate around paying cybercriminals to end attacks. While the FBI strongly discourages paying attackers, research from Absolute Security found that more than half of CISOs -- 58% -- would consider doing so.
What happened in the Canvas cyberattack
According to Instructure, threat actors broke into its systems on both April 29 and May 7, leading to an outage in the company's Canvas ed tech platform, which thousands of schools worldwide use to manage assignments, course materials, messages and grades. The attack caused widespread disruption and exposed users' personally identifiable information, including names, email addresses, student ID numbers and confidential messages between students and teachers.
Threat actor group ShinyHunters claimed responsibility for the attack, saying it stole 3.65 TB of Instructure's data, including information belonging to around 275 million users across almost 9,000 schools.
On May 11, Instructure issued a public statement saying it had reached an agreement with the attackers and that Canvas is now fully operational and safe to use.
To pay or not to pay -- that is the question
As part of the settlement, the threat actors reportedly returned Instructure's data, destroyed copies and promised not to further extort the company's customers. But deals with malicious hackers come with no guarantees, cautioned Michael Klein, senior director for preparedness and response at the Institute for Security and Technology.
"You can't trust that a cybercriminal group is going to keep their word and not then go and extort all of the people downstream of that anyway," Klein told K-12 Dive, a TechTarget Security sister publication.
Research suggests there is little honor among cyber thieves. A CrowdStrike survey found 93% of victims who paid their attackers still had their data stolen, and 83% were attacked again.
Despite such unfavorable odds, an organization might decide, based on business risk, that paying a ransom is worth it -- if it can't survive without the stolen data, for example, or if operational disruptions and reputational fallout will likely cost more than the ransom itself. In an attack on a hospital or other critical infrastructure, lives might even be at stake.
The FBI and other law enforcement agencies strongly discourage paying ransomware operators, saying it encourages cybercrime and often leads to double- or triple-extortion attacks, in which threat actors return to make additional demands.
While making ransomware payments is generally legal in the U.S., it is illegal to send money to certain nation-states and affiliated groups for any reason. The Treasury Department warned in 2021 that making ransom payments that enrich sanctioned countries, groups or individuals could result in civil penalties.
FBI warns additional extortion attacks are possible
In a May 15 statement, the FBI urged educational institutions and end users to stay vigilant in the wake of the ShinyHunters attack, warning that they could see additional, related extortion attempts.
"[ShinyHunters] actors' access to compromised sensitive data could allow them to craft highly sophisticated spearphishing campaigns using real-world context to deceive victims," the post said, adding that the group often employs campaigns of escalating harassment to pressure targets to pay. Tactics might include threatening emails, text messages, phone calls and, in some cases, swatting. Threat actors might also claim -- often falsely -- to have embarrassing or sensitive photos or videos of victims.
The agency encouraged organizations and individuals to report suspicious messages to the FBI Internet Crime Complaint Center or their local FBI field offices.
Alissa Irei is senior site editor of Informa TechTarget Security.