Instructure chose to pay a ransom following the Canvas cyber attack – research shows more than half of security leaders would follow suit

Opting to pay ransoms creates huge risks for enterprises – you’re relying on the word of criminals


Experts have warned about the risks of paying ransoms after Instructure bowed to cyber criminal demands to avoid having stolen data published online.

The move comes after Canvas, a popular academic learning platform developed by Instructure, was breached by the ShinyHunters threat group last week.

More than 9,000 academic institutions across the US, UK, Canada, and Australia were impacted by the breach, which saw roughly 3.5 terabytes of data stolen by the ransomware group.

The move by Instructure marks the latest in a string of examples where organizations have chosen to play ball with hackers in the wake of a ransomware attack.


It’s a contentious topic for many in the security industry, and a tactic that is surprisingly common. Research from Absolute Security, published today, shows that more than half (57%) of CISOs would consider bowing to hacker demands to end a ransomware attack.

A key factor behind paying up, the study noted, lies in shortening potential downtime due to ransomware attacks. Nearly half (46%) ranked operational downtime as the most significant aspect of an attack.

To pay, or not to pay

The question of whether or not to pay up is a catch-22 for enterprises. Jeff Watkins of Leeds-based consultancy NorthStar Intelligence told ITPro that paying may appear to make sense for many, given the potentially disastrous effects of data leaks.

“Paying cyber criminals may seem like a rational choice to avoid future data leaks, and in ransomware cases, where restoring from backups is not simple/feasible, it is often seen as necessary for business continuity,” he said.

Watkins pointed to the British Library attack in late 2023, which saw the institution refuse to pay a ransom. Hackers behind the attack subsequently released 500,000 files and recovery took several months – and at great cost.

Put simply, paying up often represents a small financial hit compared to the broader costs associated with recovery. Research last year, for example, found the average recovery cost for ransomware victims stood at $4.5 million.

But this tactic rests on trusting that the cyber criminals in question honor their side of the bargain, according to Watkins.

“There are risks involved in paying up, though,” he told ITPro. “There is that old adage, ‘there’s no honor amongst thieves’, and there is a risk that you simply lose your money, or they come back for more before deleting the data, providing a decryptor, or suppressing publication.”

The Change Healthcare attack is a prime example of the risks involved with paying up, Watkins noted. The healthcare firm paid a $22 million ransom to the ALPHV/BlackCat group after a devastating 2024 attack, and they simply made off with the money.

RansomHub, an affiliate of ALPHV/BlackCat, still held data stolen in the breach and re-extorted the company.

In addition to the operational considerations at play for enterprises, there are legal and moral ramifications.

The UK’s National Cyber Security Centre (NCSC) has been vocal in advising victims against paying up, while the US Cybersecurity and Infrastructure Security Agency (CISA) takes a similar stance.

In 2025, the UK government unveiled proposals aimed at banning ransom payments by public sector and critical national infrastructure (CNI) operators.

At the time, the government said the ban would “target the business model that fuels cyber criminals’ activities”.

Gary Barlet, public sector CTO at Illumio, said paying a ransom is often viewed as an “incentive for bad behavior” and simply places a bigger target on the back of those already affected by an attack.

“Cybersecurity professionals caution against this, because it signals to other threat actors that an organization is willing to pay if they can manage to steal data,” he told ITPro.

“Professionals worry that threat actors will then attempt to gain access to the same systems and demand even more in payments.”

Watkins echoed Barlet’s comments on threat actor incentivization, adding that choosing to pay effectively funds organized crime.

“This isn’t intended to be a criticism of the victims, as organizations pay because the choices are often ugly, not because they trust the criminals,” he said.

“They often face operational paralysis, patient/student/client harm, contractual penalties, regulatory exposure, reputational damage, and recovery costs far exceeding the ransom demand,” Watkins added.

“However, for as long as we allow organizations to pay ransom, the problems will escalate.”

Light on the horizon

There are positive signs that enterprise policies on ransomware attacks are changing, with many now refusing to play ball. As ITPro reported in August last year, research from Databarracks found just 17% of UK businesses paid ransoms in the wake of a breach.

This marked a steep decline compared to the year prior, in which more than a quarter (27%) opted to pay to recover stolen data. In 2023, nearly half (47%) chose to pay.

Enterprise backup strategies have helped on this front, the study noted, with victims choosing to recover instead of paying. More than half (57%) recovered data through backups after an attack across 2025.

Notably, Databarracks found enterprises are now three times more likely to recover from backups than to pay hackers, highlighting an increasingly tough approach.


Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
