When Ransomware Strikes: Should You Pay the Ransom and What Happens to Your Data?


Key Takeaways

  • Instructure, operator of the Canvas learning platform, reached an agreement with the ransomware group ShinyHunters after a week‑long attack that exposed data of roughly 275 million students and staff.
  • Although Instructure has not confirmed a payment, experts interpret its wording as indicating a ransom was likely paid to obtain proof of data destruction.
  • The breach stemmed from a vulnerability in Instructure’s “Free for Teacher” software, which allowed hackers to deface login pages and threaten to leak 3.6 TB of personal information.
  • Australian institutions, including RMIT and UTS, were affected, prompting assignment extensions and heightened concern among students and educators.
  • Global governments advise against paying ransoms, yet many organisations do so; in Australia, 75 large businesses reported ransom payments under mandatory reporting rules as of January 2026, with an average payment of about US $711 k.
  • Paying a ransom carries risks: no guarantee that data will not be retained or resold, and funds may finance further criminal activity.
  • Experts stress that while criminals have an incentive to appear trustworthy to encourage future payments, organisations cannot independently verify claims of data destruction.
  • Improving cyber‑resilience—such as patching vulnerabilities, maintaining backups, and implementing robust incident‑response plans—reduces the likelihood that a ransom payment will be deemed necessary.

Overview of the Canvas Ransomware Incident
After a week of service outages, delayed assignment deadlines, and defaced login pages, Instructure announced it had “reached an agreement with the unauthorised actor” behind a ransomware attack on its Canvas platform. The statement was deliberately vague, leading cyber‑security analysts to conclude that a ransom had likely been paid, although Instructure stopped short of confirming any financial transaction. The incident affected hundreds of millions of users worldwide, raising urgent questions about the ethics and efficacy of paying extortionists.


Scale of the Data Exposure
The hacking group ShinyHunters claimed responsibility for the breach, asserting they had exfiltrated approximately 3.6 TB of data. This cache included student ID numbers, email addresses, names, and internal messages from roughly 9,000 schools and 275 million students and staff across the globe. The sheer volume of personal information amplified fears of identity theft, phishing campaigns, and long‑term privacy harms for affected individuals.


Impact on Australian Educational Institutions
In Australia, more than two dozen universities and K‑12 schools in several states reported being caught in the attack. Notable victims such as RMIT University and the University of Technology Sydney (UTS) granted assignment extensions as students and staff were unable to access Canvas. The disruption highlighted how reliance on a single cloud‑based learning management system can create systemic vulnerability when that service is compromised.


Technical Vector: Exploitation of Free for Teacher
Instructure later clarified that attackers exploited a vulnerability within its “Free for Teacher” offering—a version of Canvas provided at no cost to educators. The flaw permitted threat actors to alter login pages, displaying messages that alerted users to the breach and demonstrated the hackers’ control over the platform. Defacing login screens served both as a publicity stunt and a pressure tactic to hasten a ransom settlement.


Assertions of Data Return and Destruction
As part of the negotiated agreement, Instructure said the stolen data had been “returned” to it and that the hackers provided “digital confirmation of data destruction” via shred logs. Shred logs are technical reports generated by data‑wiping tools that certify information has been rendered unrecoverable. The company emphasized that, while absolute certainty with cybercriminals is unattainable, it took every feasible step to reassure customers.


Expert Interpretation of Instructure’s Statement
Darren Hopkins, head of cyber forensics at McGrathNicol, described Instructure’s announcement as “well crafted”—carefully worded to avoid an outright admission of payment while still signalling that an agreement existed. He noted that extortion groups like ShinyHunters rely on demonstrating honesty to encourage future victims to comply, making the credibility of their claims a pivotal factor in any negotiation.


Estimating the Potential Ransom Amount
Luke Irwin of Aegis Cybersecurity speculated that, based on publicly reported ransom demands of around US $10 million, Instructure—or its cyber‑insurance underwriter—might have paid up to that figure, though the amount could have been negotiated lower. He warned that dealing with a criminal organisation requires trusting their word, an inherently risky position for any victim organisation.


The Broader Debate: To Pay or Not to Pay
Most governments, including those of the UK, US, and Australia, advise against paying ransoms, arguing that doing so fuels the ransomware economy. Yet outright bans are uncommon; instead, authorities often evaluate payments case‑by‑case. Akamai’s 2025 ransomware industry report notes that withholding payment can diminish the attractiveness of the attack vector for hackers, potentially reducing future incidents.


Australian Legal and Reporting Context
Under Australia’s autonomous cyber sanctions law, paying a designated threat actor could constitute a criminal offence, although the sanctions office treats each payment individually before deciding on prosecution. Since mandatory ransom‑payment reporting began in May 2025, 75 businesses with annual turnovers of at least AU $3 million have disclosed payments as of January 2026. The average payment reported in a November 2024 McGrathNicol survey of 800 executives was roughly AU $711 k, down from AU $1.35 m the previous year, with 64 % of respondents admitting they had paid a ransom and 81 % saying they would consider doing so hypothetically.


Risks Associated with Ransom Payments
Experts caution that paying a ransom offers no guarantee that attackers will not retain copies of the data or that they will refrain from future extortion. Hopkins highlighted that threat actors can furnish convincing “proof of deletion” screenshots while secretly preserving data elsewhere. Consequently, organizations that pay remain vulnerable to subsequent leaks or additional demands, undermining the perceived safety of the transaction.


Criminal Incentives to Appear Trustworthy
Irwin pointed out that ransomware groups benefit from cultivating a reputation for reliability; if victims believe payments lead to genuine data recovery or destruction, they are more likely to comply in future attacks. This dynamic creates a paradox where criminals must act honestly enough to sustain their business model, yet remain fundamentally untrustworthy. Hopkins summed up the dilemma by noting that organisations cannot independently verify the criminals’ claims, leaving them to act on faith—a risky stance in cyber‑risk management.


Building Resilience to Reduce Reliance on Payments
Both Hopkins and Irwin advocate strengthening defensive capabilities as a more sustainable strategy. Timely patching of vulnerabilities—such as the one exploited in Instructure’s Free for Teacher module—combined with robust backup solutions, network segmentation, and regular incident‑response drills can diminish the impact of ransomware. When organisations can restore operations without conceding to extortion, the financial and reputational incentives for attackers decline, contributing to a safer digital ecosystem for education and beyond.
