Canvas Ransom Dilemma: What Instructure’s Deal Reveals About Paying Cyber Extortionists
After a week‑long outage that crippled Canvas for millions of students worldwide, Instructure announced it had reached an agreement with the ransomware group ShinyHunters. While the company stopped short of confirming a payment, the deal raises fresh questions about the wisdom of paying extortionists to protect sensitive educational data.
Instructure’s Agreement with ShinyHunters: What Actually Happened
The attack began when the group exploited a vulnerability in Instructure’s “Free for Teacher” software, allowing them to deface login pages at institutions such as the University of Texas San Antonio. ShinyHunters threatened to leak 3.6 TB of data – student IDs, emails, names and messages from 9,000 schools and roughly 275 million students and staff – unless a ransom was paid. Instructure later said the stolen data had been “returned” and that it received “digital confirmation of data destruction” via shred logs, but it did not explicitly confirm a payment.
Financial Stakes: Ransom Demands, Potential Payments, and Industry Benchmarks
- ShinyHunters initially demanded $10 million in ransom.
- Australian ransomware surveys show the average payment fell to $711,000 in 2025, down from $1.35 million the year before.
- According to a McGrathNicol report, 64 % of surveyed Australian firms had paid a ransom, and 81 % said they would be willing to do so.
- As of January 2026, 75 Australian businesses with turnovers of at least $3 million had paid ransoms, though the total amount remains undisclosed.
Cyber‑security experts estimate that Instructure’s payout – if any was made – could be anything up to the $10 million initially demanded, although negotiation may have reduced the final figure.
Policy and Business Implications: Why Paying Ransom Remains Controversial
Governments in the UK, US and Australia advise against paying ransoms, arguing that non‑payment reduces the attractiveness of ransomware as a crime vector. In Australia, paying a designated attacker could breach the autonomous cyber‑sanctions law, exposing firms to prosecution on a case‑by‑case basis. Critics also note that payment does not guarantee data will not be leaked; attackers may still copy or sell the information after receiving money.
Experts such as Darren Hopkins (McGrathNicol) and Luke Irwin (Aegis Cybersecurity) stress the “trust factor” – criminals must appear honest in order to be paid, yet they remain fundamentally untrustworthy. This paradox fuels boardroom debates over whether to treat payment as a risk‑driven business decision or to invest instead in prevention and incident‑response capabilities.
Looking Ahead: How Companies May Navigate Future Extortion Threats
The Canvas case underscores the need for stronger cyber‑resilience strategies: regular vulnerability patching, robust backup architectures, and clear ransomware response playbooks. Insurers are tightening coverage terms, often requiring demonstrable mitigation measures before honoring ransom claims. Policymakers may also tighten reporting obligations and consider clearer prohibitions on ransom payments, especially for critical‑infrastructure providers like education platforms.
Ultimately, firms will have to balance the immediate pressure to restore services against the long‑term cost of incentivising criminal enterprises. As ransomware groups refine their extortion tactics, the industry’s collective stance on paying – or refusing – will shape the next wave of cyber‑crime economics.