Following a significant cyberattack on its widely utilized Canvas learning management system, education software provider Instructure has reported that it reached an agreement with the responsible hackers to recover its stolen data. While the specifics of this arrangement remain undisclosed, cybersecurity experts speculate that it likely involved a substantial ransomware payment. This incident has reignited discussions around the ethics and implications of paying cybercriminals in order to halt attacks. Although the FBI strongly advises against making such payments, research conducted by Absolute Security shows that a notable 58% of Chief Information Security Officers (CISOs) would consider doing so in similar situations.
### What Happened in the Canvas Cyberattack
Instructure revealed that the cyberattack occurred on two separate occasions, April 29 and May 7, resulting in an outage of its Canvas platform, which serves thousands of educational institutions worldwide. This breach disrupted critical services as the platform is essential for managing assignments, distributing course materials, sending messages, and grading students. Alarmingly, the attack also exposed a wealth of personally identifiable information, which included names, email addresses, student ID numbers, and private communications between students and educators.
The group that claimed responsibility for this breach, known as ShinyHunters, stated that it had made off with an extensive 3.65 terabytes of data belonging to Instructure, affecting around 275 million users from nearly 9,000 educational establishments. In response to the crisis, Instructure publicly announced on May 11 that it had successfully struck a deal with the hackers and assured its users that Canvas is now fully operational and secure.
### To Pay or Not to Pay — That is the Question
In the wake of the settlement, reports surfaced that the threat actors returned Instructure’s data, deleted all copies, and committed not to engage in further extortion attempts against the company’s clientele. However, experts such as Michael Klein, the senior director for preparedness and response at the Institute for Security and Technology, have raised flags regarding the reliability of dealing with cybercriminal groups. Klein emphasized that trusting cybercriminals is inherently risky; the possibility remains that they may still turn to extort others in the future.
Citing research indicating that a staggering 93% of victims who opted to pay their attackers still faced data breaches, Klein highlighted the inherent risks involved in such decisions. Additionally, 83% of these victims reported being attacked again, raising significant questions about the effectiveness of satisfying ransom demands. Notably, organizations may weigh the decision to pay a ransom based on their operational needs; if failure to secure the stolen data could jeopardize their survival, or if operational interruptions and reputational damage would cost more than the ransom itself, they may find themselves having to reconsider.
The risks become even more pronounced in critical scenarios, such as healthcare facilities, where human lives may be directly endangered. Law enforcement agencies, including the FBI, take a firm stance against settling with ransomware operators, asserting that doing so contributes to the perpetuation of cybercrime and often leads to additional extortion attempts. They warn of potential double- or triple-extortion attacks, whereby hackers escalate their demands after the initial payment.
While directing ransom payments is generally permissible within the United States, transferring funds to specific sanctioned nations and groups is illegal. In 2021, the U.S. Treasury Department cautioned that making ransom payments benefiting such entities could result in civil consequences.
### With Further Extortion Attacks Possible, FBI Urges Vigilance
In a statement released on May 15, the FBI underscored the importance of vigilance for educational institutions and individual users in the aftermath of the ShinyHunters breach. They cautioned that these hackers could launch additional extortion campaigns leveraging the sensitive data they acquired. Such campaigns could take the form of sophisticated spear-phishing efforts, designed to manipulate victims by employing real-world context to create a sense of urgency or fear.
The FBI also highlighted that ShinyHunters often resort to escalating harassment tactics to coerce targets into compliance, utilizing threatening emails, phone calls, and even more severe means, such as swatting. Additionally, the group may falsely claim possession of damaging or sensitive material related to their targets.
As a proactive measure, the agency has encouraged organizations and individuals to report any suspicious communications to the FBI’s Internet Crime Complaint Center or to consult their local FBI offices.
In summary, the Canvas cyberattack serves as a stark reminder of the risks posed by ransomware and the complex decisions organizations must navigate in response to such threats. The ramifications of these attacks can extend far beyond immediate financial costs, impacting user trust, operational integrity, and even the safety of individuals.