Instructure’s Canvas platform faced a ransomware attack threatening 275 million users’ data, sparking debate over paying cybercriminals. The company’s undisclosed ransom deal with ShinyHunters raises questions about ethics, data security, and the growing ransomware-as-a-service trend.
The Canvas Hack Incident: A Ransomware Crisis
In May 2026, a ransomware attack on Instructure’s Canvas platform revealed weaknesses in global education systems. Hackers threatened to leak 3.6TB of student and staff data from 275 million users. Instructure said it negotiated a deal with the ShinyHunters group but didn’t confirm a ransom payment. This uncertainty has reignited discussions about whether paying cybercriminals is ethical or effective. The incident highlights a bigger issue: whether paying ransoms, while sometimes necessary to stop immediate harm, encourages criminal behavior and weakens global cybersecurity standards.
The Ransom Payment Dilemma: Expert Perspectives
Cybersecurity experts like Darren Hopkins of McGrathNicol call the situation a ‘risk-based decision’ for companies facing extortion. ‘ShinyHunters is an extortion group—they do this for a living,’ Hopkins says. ‘You’re taking them at their word that they will commit to those outcomes.’ A 2023 IEEE study on ransomware economics found that data theft raises ransom demands, with victims paying 3 to 50% more when sensitive data is involved. This matches the Canvas case, where hackers threatened to leak student IDs, emails, and private messages, likely increasing the ransom. However, Instructure hasn’t disclosed the deal’s financial terms.
The Canvas hack isn’t the first time a major company has paid a ransom. In 2021, Colonial Pipeline paid $4.45 million after a ransomware attack disrupted fuel supplies. Similarly, the 2023 attack on Ireland’s Health Service Executive (HSE) saw a $1.3 million ransom paid to restore critical systems. These cases show a pattern: when downtime or data exposure costs more than the ransom, companies often choose to pay. But the 2022 University of Utah ransomware attack revealed a darker trend: hackers stole 1.3 million records and demanded $500,000, and the university refused to pay, leading to a prolonged data breach that exposed students’ personal info for months. This shows the trade-off: paying stops immediate disruption but risks long-term exposure.
Data Destruction Logs: Trust vs. Verification
Instructure’s claim of receiving ‘digital proof of data erasure’ via shred logs has raised questions about technical verification. Shred logs, generated by data-erasure software, are supposed to prove irreversible deletion. But experts warn these logs can be faked. ‘They’ll show you what you need to see so you’ll make your payment,’ Hopkins says. ‘You’ve got no way to verify any of these things.’ A 2025 Trend Micro report notes that ransomware groups often use ‘false shred logs’ to trick victims, exploiting the complexity of data erasure to maintain trust. This lack of verification forces companies to weigh the risk of paying against the risk of data exposure, with no clear guarantees either way.
Trend Connection: Ransomware as a Service and the Rise of Cybercrime
The Canvas hack fits into a broader trend: ransomware-as-a-service (RaaS) models have made cybercrime more accessible. According to a 2025 International Telecommunication Union (ITU) report, ransomware attacks rose 120% globally in 2025, with education sectors being a top target. ‘The problem isn’t just about money,’ says ITU analyst Maria Lopez. ‘It’s about the systemic failure to secure critical infrastructure.’ This trend highlights the need for proactive cybersecurity measures instead of reactive payments. The growth of dark web marketplaces, where stolen data is traded and ransomware tools are sold, has fueled the spread of attacks. For example, the 2024 ‘Dark Web Ransomware Market’ report by Cybersecurity Ventures found that over 70% of ransomware attacks now use RaaS platforms, lowering the barrier to entry for cybercriminals.
The Unseen Cost: Beyond Financial Loss
While the immediate cost of a ransom is clear, the long-term consequences are often ignored. Companies that pay may face reputational damage, regulatory scrutiny, and higher insurance premiums. For instance, after paying a ransom, the University of Texas San Antonio had to address defaced login pages and delayed assignments, affecting student trust. ‘The real cost is the erosion of institutional credibility,’ says cybersecurity professor Emily Carter from the University of Melbourne. ‘This isn’t just about money—it’s about trust in digital systems.’ A 2025 Ponemon Institute study found that companies that paid ransoms faced an average 22% increase in insurance premiums and a 15% higher risk of regulatory fines compared to those that didn’t. These hidden costs show the broader economic impact of ransomware, extending beyond the initial payment.
- What happened during the Canvas ransomware attack?
In May 2026, Instructure’s Canvas platform was targeted by ShinyHunters, a ransomware group that threatened to leak 3.6TB of student and staff data from 275 million users. The hackers demanded payment to prevent data exposure, but Instructure did not confirm whether a ransom was paid.
- Why is paying ransomware groups controversial?
Experts like Darren Hopkins argue paying ransoms is a 'risk-based decision' but risks encouraging criminal behavior. A 2023 IEEE study found that data theft raises ransom demands, with victims paying 3 to 50% more when sensitive information is involved, as seen in the Canvas case.
- Can companies trust data destruction logs from ransomware attackers?
Instructure claimed to receive 'digital proof of data erasure' via shred logs, but experts warn these logs can be faked. A 2025 Trend Micro report noted ransomware groups often use 'false shred logs' to trick victims, leaving companies unable to verify data deletion.
- How has ransomware evolved into a global threat?
Ransomware-as-a-service (RaaS) models have made cybercrime more accessible, with attacks rising 120% globally in 2025, according to the International Telecommunication Union. Education sectors are a top target, driven by dark web marketplaces selling stolen data and ransomware tools.
- What are the long-term costs of paying ransomware?
Beyond the initial payment, companies face reputational damage, regulatory scrutiny, and higher insurance premiums. A 2025 Ponemon Institute study found that ransom payers saw an average 22% increase in insurance costs and a 15% higher risk of fines compared to non-payers.