A day after Instructure CEO Steve Daly said his company had reached an agreement with the hackers behind a breach of its global Canvas education platform, the hackers themselves have released their own statement of confirmation.
“Due to the public looking for confirmation from us regarding the recent resolution: We have nothing to add on or comment regarding the recent situation at the LMS company,” the ShinyHunters group said in a 13 May press statement on its dark web leak site.
“If you are an impacted institution, we are not seeking your money. Please halt all attempts to reach out to us, the matter has been resolved.
“The Company and it’s [sic] customers will not further be targeted or contacted for payment. The data is nonexistent.”
On 11 May, Daly said in a statement that Instructure understood “how unsettling situations like this can be, and protecting our community remains our top priority”.
“With that responsibility in mind, Instructure reached an agreement with the unauthorised actor involved in this incident,” he said.
Daly said all stolen data had been returned, and the hackers confirmed that the stolen data had been “shredded” on their end. Daly also said the hackers confirmed that no other Instructure customers would be extorted.
“This agreement covers all impacted Instructure customers, and there is no need for individual customers to attempt to engage with the unauthorised actor,” he said.
Did Instructure pay a ransom?
Daly did not mention if a ransom had been paid to the hackers, but did note that “complete certainty” in such dealings is impossible.
What he did say, however, was that it was essential to “take every step within our control to give customers additional peace of mind, to the extent possible”.
Which begs the question: Does “every step” mean Instructure paid ShinyHunters to remove the data and cease any extortion attempts?
True to its apparent word, ShinyHunters has removed all reference to Instructure, Canvas, and the thousands of schools and other institutions it claimed to have breached. In fact, the response of the hackers is entirely in line with their own claims regarding what happens once a ransom has been paid.
“Once we come to an agreement and finalised [sic], the data is deleted and you will not be listed on this site,” ShinyHunters said on its leak site under “What happens after resolution?”
“We never attack you nor contact you again.”
That, at least, is the promise. It remains to be seen if ShinyHunters can be trusted.
Is it a good idea to pay a ransom?
One of the issues with giving in to a ransom demand is that, essentially, you’re providing a reason for the criminals to continue targeting other victims, according to Gary Barlet, public sector CTO at breach containment firm Illumio.
“Paying a ransom demand is seen as an incentive for bad behaviour,” Barlet told Cyber Daily.
“Cyber security professionals caution against this because it signals to other threat actors that an organisation is willing to pay if they can manage to steal data. Professionals worry that threat actors will then attempt to gain access to the same systems and demand even more in payments.”
However, when a large amount of sensitive data – not only yours, but that of your customers and stakeholders – is involved, paying up may seem the only sensible option.
“While there is always the option not to pay any ransom and potentially utilise operational means to get systems back online, this doesn’t account for the mass amount of data that was stolen,” Barlet said.
“This puts millions of users and other institutions at risk with potential data leaks. While organisations can always do a better job before the attack encrypting data, once systems are infiltrated and data is stolen, options become limited, and consequences increase exponentially.”
“Organisations [that] are victims of ransomware can either pay or take the bullet, but the real victims are the customers. Unfortunately, similar to supply chain attacks or third-party attacks, users at large don’t get a strong say in the decision.”
Barlet also noted that while it may be tempting to start looking for someone to blame, that temptation will not yield any useful outcome. Organisations recovering from a ransomware or cyber extortion incident must look deeper.
“As more details come out, there will inevitably be pressure to pin this ransomware attack on a single person. That misses the point. Incidents like this are almost always the result of structural gaps, not individual failure,” Barlet said.
“The real question organisations should be asking is whether their environments were built to limit blast radius once an attacker got in. Segmenting networks and isolating high‑value assets is what determines whether a breach becomes a disruption or a crisis.”
Want to see more stories from trusted news sources?Make Cyber Daily a preferred news source on Google.
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.