After a week of outages, hundreds of millions of students’ data stolen, delayed assignment due dates, and school login pages being defaced by hackers, US tech firm Instructure – which operates the education platform Canvas, used by education providers worldwide – announced it had “reached an agreement with the unauthorised actor” behind the ransomware attack.
Experts read the careful language as a sign that a ransom has been paid. The company has not confirmed.
The question of whether firms should pay ransomware attackers to regain access to their systems, and potentially prevent further harm from the release of the personal information of, in some cases, millions of people, is one that thousands of companies face each year. Although governments across the globe advise against it, many ultimately do.
The hacking group ShinyHunters claimed responsibility for the attack on Instructure. They had threatened to leak the reported 3.6TB of data – comprising student ID numbers, email addresses, names and messages from 9,000 schools and 275 million students and staff worldwide – unless the company paid the ransom.
In Australia, more than two dozen universities and public and private schools in several states were victims of the attack. RMIT and UTS were among those to grant extensions on assignments as frustrated students were unable to access the portal.
Instructure later confirmed that the hackers had exploited a vulnerability in its Free for Teacher software that allowed them to deface login pages, such as that for the University of Texas San Antonio, to alert users to the breach.
The company said this week that the data was “returned” to it as part of the agreement it reached with the hackers, and also that they were shown “digital confirmation of data destruction” via shred logs – a technical report that is generated by a program that processes data to be destroyed in a way that makes it no longer recoverable.
“While there is never complete certainty when dealing with cybercriminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible,” the company said last week.
The head of cyber at cyber forensics accounting firm McGrathNicol, Darren Hopkins, says Canvas’ statement was “well crafted [in a way] that doesn’t necessarily admit anything but also does demonstrate that they’ve got an agreement”.
“ShinyHunters is an extortion group,” he says. “This is what they do. What other agreement will they come up with?”
Aegis Cybersecurity expert Luke Irwin estimates that based on reported ransom demands of US$10m, it’s possible Instructure – or its insurance underwriter – paid somewhere up to that amount, but says it’s also possible it was negotiated down.
“Instructure is dealing with a criminal organisation, and you are taking them at their word that they will commit to those outcomes,” he says. “That is a risk-driven position Instructure needs to work within.”
To pay or not to pay?
Most governments advise against paying ransoms, including in the UK, US and Australia, but outright bans are rare, tech firm Akamai says in its 2025 ransomware state of the industry report.
“If ransoms are not paid, then the effectiveness of the attack vector is reduced and potentially becomes less attractive to hacker groups,” the report states.
In Australia, it could be a criminal offence to pay an attacker that is designated under the autonomous cyber sanctions law. The sanctions office says it will consider any payment made “on a case-by-case basis” as to whether it is referred for a prosecution.
Payments could fund other criminal activities, and ultimately there is no guarantee that paying a ransom or extortion would prevent the release of data or end the threats, Akamai says.
Under Australia’s mandatory reporting obligations that commenced at the end of May last year, 75 businesses with turnovers of at least $3m a year had paid ransoms as of the end of January 2026.
The government does not disclose how much was paid. A McGrathNicol ransomware report from November surveyed 800 executives from Australian businesses with 50 or more employees, and found the average amount paid in Australia was $711,000, down from $1.35m the year before.
The report found 64% decided to pay a ransom and 81% of businesses say they would hypothetically be willing to pay a ransom.
Hopkins says businesses are getting better at preparing for a cyber-attack, meaning they are less likely to need to pay to get hackers to unlock the locked systems. Instead, businesses were more focused on trying to stop further harm by paying the hackers not to release the data.
“Canvas was interesting because we all suspected [Instructure] engaged with the threat actor very quickly because they were on the leak site and [the posting] got removed from it.”
‘How honest is that criminal?’
The question Hopkins gets asked in board rooms across Australia, when training businesses on cyber-attacks, is: Will making a payment stop data being exposed?
“That question around ‘how honest is that criminal?’ comes up all the time,” he says.
“The business model [of hackers] needs them to show that they’re honest because no one would ever pay them. So it’s a big trust factor.”
Irwin says it is in ShinyHunters’ interest to act in good faith as an example to other organisations who may be compromised, so future victims would be more inclined to pay.
However, Hopkins adds: “You can’t rely on them to not be what they are, which is criminals”.
“They’ll go off and give us screenshots saying ‘here’s us deleting things’… you don’t know if they’ve made a copy, or what they’ve done beyond that,” he says.
“They will show you what you need to see so you’ll make your payment, and you’ve got no access to validate any of these things.”