https://www.nytimes.com/2026/05/12/us/canvas-instructure-hac..., https://archive.ph/HIkdn
https://www.nytimes.com/2026/05/12/us/canvas-instructure-hac..., https://archive.ph/HIkdn
It was my understanding that the data was copied[1]. You wouldn't "return" data unless it was encrypted or the originals were deleted. I am confused on this phrasing but maybe it is standard idk.
This is bullish on Monero[2]. The January pump may have been from a hack as well[3].
Here is Shinyhunters website. Canvas was listed on it[4] and then removed[5].
[1] https://www.youtube.com/watch?v=IeTybKL1pM4
[2] https://search.brave.com/search?q=monero+price&rh_type=cc&ra...
The very next line from what you quoted:
> We received digital confirmation of data destruction (shred logs).
Now, color me surprised if they didn't delete it, but I'm guessing this is why they call it "returned", since from their beliefs, the data was deleted after it was "returned".
A different group? Certainly. I wouldn't want to be in the shoes of the infosec guys at Canvas right now.
They can always just hack them again but with a different method this time.
The ransom doesn't bind them from hacking the company multiple times. It just obligates them to destroy the data they collected from this attack.
As a matter of kindness and good business they'll probably wait a few months or a year or so before poking around again but they'll almost certainly continue poking at Instructure's systems.
Data exfil ransom attacks are a business first and foremost. They don't permanently halt or destroy the original infra and their goal is to get a payout for their labor and move on. Maybe the come back around in the future with another, different attack, maybe they don't.
They made their money and made it big in the news as having complied with the ransom payout, no reason to hurt their reputation trying to double dip. Plenty of other soft targets to poke.
They have a rather strong incentive to keep this a happily-ever-after ending for Instructure and any other target who pays up. It's all taught in Maffia 101.
Also, does anyone know the root cause of the attack? I read a rumor online (but it's not really confirmed anywhere) that it may have had to do with the common pattern of ShinyHunters where they use a vulnerability in a Salesforce Experience Cloud site. What is confirmed for sure is that the vulnterability involved the feature of Canvas called "Free-For-Teacher accounts".
Instead, they trick the hackers into going on a vacation in a country that will let them grab them.
If you’re sending a large sum of money to $anonymoushacker, how do you ensure they’re not on some OFAC list? Or do your AML checks? Or make sure you’re not on the wrong side of Foreign Corrupt Practices act? The third party probably turns a blind eye to that cuz there’s no way of really checking.
Protecting pii is important, but it's not that important
Frankly, you pay a ransom at your peril. If it turns out it was North Korea you may well go to jail for it.
Even other bad guys have an incentive to stop these bad guys from leaking the info after getting paid.
on the other hand, the ransomware groups that want to stay in business need to be honest (with respect to not releasing/deleting data) or they wont be 'credible' ransomware operators, which is kind of funny to think about. and in many cases, the victims would rather the ransomware operator be paid (so their data is not leaked) vs. having their data leaked. so paying is the best for current victims (but increases the potential for future victims).
the dynamics/economics around ransomware is fascinating.
Each individual company is probably better off paying the ransom, but everyone would be better off if no one paid a ransom.
This is why the United States, for example, has an official no-ransom policy, and why other no-ransom policies exist. You have to have something forcing the individual victim to not pay, otherwise they will always be incentivized to pay and ransoms will continue to be profitable.
But just like fail2ban, this gives someone else decision-making control over your actions, which can be abused.
The day the USD falls, ransoms will simply be denominated in something else and the same underlying collective action problem will remain.
This is just way of avoiding the core issue by blaming something unrelated that you don't like.
A: U should clean your room, it would be better for you & the rest of your family
B: FU dad, everyone knows there's no such thing as a clean room under capitalism!!!!!
You're then a target known to be vulnerable and pay ransoms, so best focus on security.
For any individual within the ransom group, they can get a big payout by selling the data.
The only people it’s valuable for is the ransomee, because they don’t want the reputational hit of having their data everywhere.
Messages between students and instructors? Likely pretty boring, but possibly embarassing or confidential for a given individual.
Grades? Could be a FERPA violation.
Critical PII such as SSNs? Probably not in the LMS to begin with.
We'd either end up with a Discworld "Ransomware Guild" that you pay "insurance" to and they murdicate anyone who dares do extracurricular data ransoming, or you'd have systems build on end-to-end encryption where the data is worthless.
The calculus for the victims doesn't seem to change much whether the same people are using a "new" name or an old one to hold their systems hostage.
It is very meaningful. You seem to equate that "new" = "trust by default", but a new group is distrusted by default. Let's say that for a new group which is unproven to hold up their end of the deal, only 5% of victims will pay the ransom. But if you've built up a reputation over 5 years of honoring your ransoms, then maybe 50% of your victims will pay the ransom. Reputation is literally everything here. I doubt Instructure would have paid such a high-profile ransom if they didn't have a strong reason to believe it would work.
I was thinking about that the other day. Honestly I'm not sure it matters. I feel like if a company didn't pay the ransom that would possibly open them up to lawsuits or something because they "tried nothing". At least paying it makes it look like they did something and could be some sort of legal defense. But again I'm not a lawyer.
Kind of like the recall math auto makers do to see if it's more expensive to actually recall a manufacturing problem, or just deal with it and compensate those who seek it personally
Realistically, the only people that could check that it's true are buyers, and those benefit from keeping a low profile
What could go wrong? ;)
0: https://wiki.roshangeorge.dev/w/Benevolent_Terrorist#Poisoni...
Like other commenters have pointed out, it's literally a business. Most trade on reputation, so there actually is an incentive for them to take their money and abide by their agreements. Otherwise, they would have to start from scratch with a fresh identity and rebuild the rep to command their prices.
Although of course returning is a weird term in the sense that the attackers will almost certainly keep the data as well.
This is shockingly naive
Hmm. I thought all these agencies say NOT to pay a ransom.
In an education environment, there shouldn't be a need to trust software like Canvas for anything mission critical. In fact, if there's anything mission critical in a system like canvas it's an artificial need.
IOW Canvas had to have made themselves vulnerable to a ransom demand in the way that they designed their own product.
Cider9986•16h ago
(https://www.instructure.com/incident_update#:~:text=STATUS%2...)
dang•1h ago