Years ago I attended a conference that had a "fireside chat" with a DoJ official on the topic of these types of ransom payments.
He framed the issue as being similar to kidnapping ransoms: When an American is taken hostage each family is inclined to make payment but it fosters an industry around kidnapping Americans. Congress put a stop to it by making it illegal to pay the kidnappers. The industry shifted by ceasing the non-profitable American kidnapping and instead began targeting Europeans.
His proposal was to begin warning cybersecurity consultants and insurers who were often brought into these situations that payments to sanctioned countries were already likely illegal and could face scrutiny. The first people to suffer this might be burned, but eventually he believed the industry would move on and stop targeting US firms.
Not sure if anything ever came of his plans, but I always thought it was an interesting framing of the issue.
Instead of paying ransom, and creating a ransomware criminal industry out of thin air, its better to force companies to recover and restore from backups and remove monetary incentive for crime.
and the executives who failed to carry regular backups obviously should face the music
At least those are mainly going to be adults. In the case of Instructure, there are many K12 school districts using Canvas as well. They are potentially selling lists of underage children along with where they live, and contact info like email and phone number.
These are going to be people with clean credit histories to exploit, and ideal for using as ghost students.
Our PII is leaked all the time. I am fed up with various businesses sending me a free credit monitoring subscription in lieu of actually having proper security controls or damages that incentivize viewing the issue as a serious going concern risk.
Leaks are inevitable, but the current situation is absurd. The liabilities and incentives to do anything about them are virtually nonexistent and security is almost always viewed as a cost.
I’m tired of it being my problem to fix. You should be able to know everything about me and still not be able to get accounts/credit/whatever in my name.
Was it really a problem? Yes, voluntary release of that info by a school would normally likely be a FERPA violation, but this was a criminal act against a third party.
Infrastructure’s motivations must have lain elsewhere…
Who would of thought paying teenagers millions of dollars in crypto was a good idea?
They'll just use it on more exploits, more nonsense. It's a race to the bottom.
Sister group, Lapsus$ (parent group ShinyHunters) has published on their website they will pay for inside access to company networks. The group says they don't want data, they just want an avenue.
This is what happens when we keep paying these criminals millions in hard-to-trace crypto.
How is it not a violation of AML laws to pay a ransom like this? Surely they didn't verify that the recipient (a criminal) isn't sanctioned or associated with sanctioned organizations.
Money laundering is the action of obfuscating the origin of criminal proceeds; victims or clients of criminals do not generally commit money laundering, for example buying drugs is not a form of AML violation regardless of the legality of the purchase itself or the fact that the funds will later be laundered by the traffickers.
KYC is a tool to prevent money laundry and it's typically an obligation of financial institutions. Sending money to an anonymous (to you) recipient is generally not a KYC violation if you are not in the money transmitting business and you aren't doing the payment on behalf of someone else.
There are infinite shades of gray in this topic, of course, but I can't see AML being relevant in this particular case.
I think they mixed up sanctions (and any similar laws w.r.t. legal recipients) with AML laws. The legality of paying sanctioned entities doesn't depend on whether the money was laundered, but they were interested in how people get around the former.
How exactly would this fall into the purview of AML? As far as sanctions go the burden of proof would be on the government to prove the money went to a sanctioned entity and Instructure isn't a bank subject to KYC requirements.
All my corporate AML training says that not performing some KYC for large payments, directly or through a bank, is a crime in its own even if the recipient isn't sanctioned.
From Claude, maybe it's a little nuanced compared to conservative corporate policies, but doesn't feel very legal: "You can be charged with money laundering (18 USC 1956/1957 in the US, equivalents elsewhere) if you knowingly — or with willful blindness — process proceeds of crime. "I didn't ask" is not a defense if the circumstances were suspicious; deliberately avoiding KYC to preserve deniability is exactly what willful blindness doctrine targets. The recipient doesn't need to be formally sanctioned; the funds just need to be tainted."
Even if it already is, the DoJ can exercise discretion in choosing who to prosecute. There has to be political will to threaten an org who has just suffered from an attack with further consequences if they make a payment.
Probably not too relevant but off the top of my head, the New Zealand Government's guidance on ransomware payments is that you could technically be fined if you pay a ransom to an entity in a sanctioned country, although it doesn't go into specifics
Is it illegal to pay kidnappers in the united states? I've never heard of this and I can't seem to find anything that says any such law has actually been passed.
It's technically not illegal, but often is. You can't pay terrorist organizations or specially sanctioned orgs. See https://sanctionssearch.ofac.treas.gov
Probably should consult an attorney before paying a ransom (whether for kidnapping or other purposes).
Extortion and terrorism seem similar in many ways except the latter involves physical harm.
I’d asssume a company paying money to terrorists shouldn’t be acceptable.
It also seems especially egregious to pay ransom as a “solution” to the failings that made the attack both possible and consequential in the first place.
Might as well use a bank whose safe deposit boxes are made of cardboard… They can just bribe the thieves to give some things back.
>It also seems especially egregious to pay ransom as a “solution” to the failings that made the attack both possible and consequential in the first place.
You are paying an extra fee for not testing your own software and infrastructure. It was instead tested by a third party. Be glad it wasn't tested by a nation state actor or someone who wanted to do more harm to your customers than just asking for money.
Ideally they should now secure their infrastructure and take this as a gentle reminder that they should spend more on security.
>Might as well use a bank whose safe deposit boxes are made of cardboard… They can just bribe the thieves to give some things back.
You would hope they would then upgrade the cardboard.
When you frame it like that it sounds like the thieves are doing us a favor. Except it should be heavily fined and jailable for the entire executive team and maybe the board too.
The issue is that anything a hacker can do publicly a state actor can do silently.
Its a boon to both the company and the country when a hacker makes a big public deal out of it. Because they get the chance to repair something before its intentional damaging misuse by a hostile state actor.
The hackers here deserve every cent plus possibly more.
And theres always the problem that the hackers would still get paid, they just wont report the payments making tracking difficult.
Calm down, extremist. There's a difference between someone doing something vs someone paying someone else to stop doing something. If the latter were truly bad then the same should be applied to people handing over their wallet to muggers. The only difference in that scenario and the above is saving yourself vs saving a family member. Would you really deny people the ability to save their loved ones?
> then the same should be applied to people handing over their wallet to muggers
Not really. Muggings are both more common and less traumatic than kidnappings. This is reflected in the fact that common and maximum sentences for kidnappings are universally more extreme than those for muggings.
> Would you really deny people the ability to save their loved ones?
...yes. Because it means significantly fewer kidnappings. "Deny people the ability to save their loved ones" is tantamount to "help others to lose their own."
> You decide it should be criminalized before you identify any harms?
No. We have a measure of the harms. We haven’t balanced them for sentencing. Again, deciding something should be illegal doesn’t require obsessing over the sentence ex ante.
> Maximum sentence for mugging is 30 years
Not the norm, either for maximums [1] or usual sentences.
Maybe, but it’s harder to profit from it. A firm may be reputationally damaged, but what’s the incentive to cause that damage?
I think the Bloomberg Odd Lots guy wrote a blog post on this: you could attempt to short the stock but a) this leaves a paper trail b) the market might not know about the breach or believe you if you post you’ve done it. IIRC some hackers have tried to tell companies that they are legally required to disclose the breach to their shareholders to force market movements.
How much value is in the data. It is embarrassing if some kid gets a D in class, and shouldn't be public - but most of the people who care already know or have ways to find out.
Not sure sanctions are a relevant reason not to pay here. We don’t know where everyone involved with ShinyHunters is located, but those arrested in the past have been American and French.
Americans and French (and most other "first world") countries will investigate and arrest anyone involved. It doesn't matter if foreigners are the only victim, most countries do not want their citizens involved with this and will send anyone caught to whatever country was affects for criminal prosecution.
Russia, and North Korea are the main names that come up as exceptions, they will protect their own people.
Americans are more kidnapped globally when we look at a equal distribution of population (i.e. in the same pool in a generic country, Americans are more likely to be kidnapped (according to the James Foley Foundation).
Europeans are more likely targets in Africa due to our presence there (mostly NGOs).
The differences will be statistical, not motivated by a no-pay policy.
Not that I disagree but it also incentives attackers to steal and resell data to other nefarious actors.
After all a lot of the data companies have isn't their own, it's their customers. They are the ones who suffer because businesses don't bother securing their crap.
on one hand, every ransom paid encourages like-minded individuals to start or ramp up their ransomware game , which is not great.
on the other hand, the ransomware groups that want to stay in business need to be honest (with respect to not releasing/deleting data) or they wont be 'credible' ransomware operators, which is kind of funny to think about. and in many cases, the victims would rather the ransomware operator be paid (so their data is not leaked) vs. having their data leaked. so paying is the best for current victims (but increases the potential for future victims).
the dynamics/economics around ransomware is fascinating.
This is always the game theory of ransoms, and it is a classic example of a collective action problem (and is a form of a prisoner's dilemma).
Each individual company is probably better off paying the ransom, but everyone would be better off if no one paid a ransom.
This is why the United States, for example, has an official no-ransom policy, and why other no-ransom policies exist. You have to have something forcing the individual victim to not pay, otherwise they will always be incentivized to pay and ransoms will continue to be profitable.
If you have to pay, at least try to negotiate 1) a guarantee that the hackers won't just do it again sometime later, and 2) full disclosure / assistance in repairing your vulnerabilities so you have some kind of head start for the future. Outside of politically motivated hackers, this would probably be reasonably successful.
We are in the context of already having to pay. You are at their mercy no matter what, so the only value of any interaction with them is based on hoping they have incentive to maintain their promises to protect their reputation etc.
It's not a good situation to be in, but still, try to make the best of it.
There’s a similar dynamic from within the hacker group itself. For the ransom group, it is better for them to be perceived as trustworthy. Pay the ransom and we won’t leak your data.
For any individual within the ransom group, they can get a big payout by selling the data.
Depends on what they actually got. Names and email addresses? Considered public and are not so valuable. Universities usually publish those in a directory anyway.
Messages between students and instructors? Likely pretty boring, but possibly embarassing or confidential for a given individual.
Grades? Could be a FERPA violation.
Critical PII such as SSNs? Probably not in the LMS to begin with.
SSNs have been used as student IDs by particularly stupid educational institutions. The 'nice' thing about getting SSNs from students is the likelihood they'll live for a long time after the breach and thus be subject to identity theft for many years to come.
My university stopped putting SSNs on student IDs more than 25 years ago. I'd be surprised if there are many who still do that.
Though I wouldn't be surprised if some 40 year old university IT system requires its use as an identifier, regardless of whether or not it gets printed anywhere.
I have trouble imagining that a ransomware group would care about a regulation like FERPA when they've already done something criminal that would more than enough for prosecution if they got caught.
Those laws reduce the value though - "honest" people who are interested in such data won't be interested it from ransomware because they need to have legally obtained data. That is there are a lot of "honest but shady" uses of this data that are stopped by these laws.
I didn't mean that the ransomware group would care... but if they got grades, that might command a higher ransom than if they just had names and emails and other non-very-sensitive stuff.
Wow. A lot of K-12 students probably don't even know their own SSN off the top of their head, much less understand the impact of having it stored in this way. I can't fathom why it would be necessary for the SSN to be tracked by the school. At most, the school district as a whole might want a record so they could make sure kids are getting schooled but putting that into Canvas doesn't make any sense to me.
Agreed, seems wild to me that anyone in 2026 is using SSN as an identifier in a system that's not doing some kind of tax reporting. It's kryptonite for any other purpose.
Oh, it's insane and I recoiled when she mentioned that.
But it is 100% happening.
People do amazingly stupid things with systems, especially when they don't have enough people with the expertise to set them up properly, so they just throw things in there without stopping to think about whether or not it's a good idea.
I'm guessing that Canvas just sort of lets you put in whatever data you want, and someone evidently decided that putting the student's SSNs in there made sense...
It's not required. I don't know precisely what her district is doing or why - I don't work there But she unprompted brought up that a lot of the minors' PII was in there including SSNs.
It would be nice if system owners stopped thinking "we'll just ask for all the info in case we need it" and instead "we might get sued (or ransomed, or both) because we are collecting this."
I don’t know if that’s really true. Nobody would really give a shit if you leaked where everyone goes to college… because it’s already on their LinkedIn or whatever.
The only people it’s valuable for is the ransomee, because they don’t want the reputational hit of having their data everywhere.
You are leaking email addresses that likely otherwise wouldn't be out there publicly. Whilst email addresses and names are "effectively" public, they aren't just in a one big database anyone on the planet can access.
Every single one of those email addresses will receive increased spam and phishing attempts, with more isolated information (such as School, First+Last Name, Subjects, Teachers/Lecturers, etc) the phishing attempts can be more refined.
i.e, Student receives an email that looks like its from their school (has email footer, has student name, has relevant teacher name, subject name, etc), the user is now more likely to click some sketchy link.
These little identifiers add up, especially when cross-references with other leaks. Even more problematic when most of the users wrapped up in a leak like this are under 18 too.
A lot of this stuff could be done previously, although the effort and scale to do so would of been higher/harder.
You can also have the "excessive force" doctrine, where holding someone or something for ransom results in your entire country being a smoldering crater.
But just like fail2ban, this gives someone else decision-making control over your actions, which can be abused.
A fine or sentence is probably on the books but it never comes to that. The main thing is to freeze the family's assets, and more importantly to publicize this procedure so the mafia or whoever knows there's no point in threatening the family.
So long as the potential payer knows they will get something they are going to slow down. They might pay, but suddenly becomes harder because they have to hide what they are doing. Many won't figure out how to pay.
The real value though is enough people consider themselves honest and won't do anything they know is illegal. They already hate dealing with criminals, but so long as paying is legal they might do it, but as soon as it affects their moral code they won't. The whole system collapses because just a few people saying no to paying means the kidnappers lose money on too many operations.
... except that "policies" don't cut it. Criminal penalties for paying are what you need, and not just for payments to specific designated entities, either. The executive making the decision to pay has to have a real fear of personally spending time in actual prison.
... but not the form of policy they actually have.
Except for payments to specifically sanctioned organizations, the policy is "we'd really rather you didn't do that, but whatever".
The specific sanctions don't cover most of the groups, either, and even when they do cover the group who got paid, you can't necessarily prove the people who got paid were the ones on the list. And there may be a scienter requirement even then; I don't know.
Making a list of specific criminals you can't pay is just stupid. No ransoms, ever, period, or it's da slammah.
The obverse is true - because a ransom organization is dependent upon their reputation, a company claiming to have paid and received confirmation from the group could prevent them from releasing it as well.
The general public (including the next victims) don't have a way to confirm if payment was made. ShinyHunters would have to choose between arguing publicly that they were not paid or not releasing the data to protect their own reputation...
Good/funny observation. Game theory and economics are fun. :D
I do think that the partial information problem relating to new entrants into this market is interesting though.
The number of potential threat actors with partial/no information but that might speculate based on grandiose visions of ransom or outdated history is high.
We see dumb attempts at real-world ransoms/extortion which don't get paid at a pretty high clip based on this kind of partial knowledge.
It's an interesting idea, although I think in the heat of the moment, the last thing your org should be thinking of will be playing games with one of the most prolific hacker groups on the planet.
You'll probably get your data leaked anyways, potentially get compromised again (see Instructure situation) and end up in a way worse place if you just shut up and paid it, or let it leak normally.
While the us stance has resulted in savings on potential ransom, it has also lead to people being kept in prison for very long time until prisoner exchanges might be worked out. That cost to an individuals life being imprisoned is probably far in excess whatever the US might pay. Plus the US prints its own monopoly money and doesn’t really play by the rules of economics anyhow ever since getting off gold standard.
This is literally the exact point I am making, and the US policy isn’t about saving money.
Like you said (and like I said in my post), for an individual kidnap victim, the best option would be to pay the ransom. It is better to pay the money and be free.
However, that means a kidnap group now has more money, which will make them better able to kidnap another victim and demand more money.
The point of a “no ransom” policy is that it takes the choice away from the individual, who would choose to pay it, and changes the game theory to make kidnapping not worth it.
The whole reason you need a policy at all is BECAUSE it is better for the person to pay the ransom.
I'm not sure that attacker reputation is particularly meaningful. The group can rebrand into a new identity at any time. They're anonymous cybercriminals after all and there are lots of reasons they might need to do that beyond reputation laundering.
The calculus for the victims doesn't seem to change much whether the same people are using a "new" name or an old one to hold their systems hostage.
> I'm not sure that attacker reputation is particularly meaningful. The group can rebrand into a new identity at any time. They're anonymous cybercriminals after all and there are lots of reasons they might need to do that beyond reputation laundering.
It is very meaningful. You seem to equate that "new" = "trust by default", but a new group is distrusted by default. Let's say that for a new group which is unproven to hold up their end of the deal, only 5% of victims will pay the ransom. But if you've built up a reputation over 5 years of honoring your ransoms, then maybe 50% of your victims will pay the ransom. Reputation is literally everything here. I doubt Instructure would have paid such a high-profile ransom if they didn't have a strong reason to believe it would work.
This is the same problem that crypto addresses in an unregulated market - it provides attestation and continuity, but not much else.
New actors are untrusted. Trust must be built through small transactions until someone trusts you enough for larger transactions. Survive long enough without major reputational harm and you can even offer to act as an escrow service for parties with less trust.
The name ShinyHunters is currently quite well-known due to a number of high-profile hacks (Odido in the Netherlands this year was huge). Their brand has a significant value right now.
Because ShinyHunters published they hacked Canvas on their own website.
They also redirected the canvas login pages to a ShinyHunters message, whilst this could be done by another group/person, its unlikely.
You can also validate PGP keys and TOX accounts, etc via their website.
That's a motivation to avoid tragedy of the commons, not because they're trying to maintain their own reputation to victims. It benefits the criminals even if they change their name.
If we assume a world where ransomware is continually existent and all your data is ransomed at anytime, we'd have a world designed to work around that.
We'd either end up with a Discworld "Ransomware Guild" that you pay "insurance" to and they murdicate anyone who dares do extracurricular data ransoming, or you'd have systems build on end-to-end encryption where the data is worthless.
An idea I idly thought about is that of a "Benevolent Terrorist"[0]: one who does great harm to some number of people so that they may make it to a better world. Not entirely original, I suppose, since the Kwisatz Haderach from Dune is the trope definer. But a fun thought I had was what if you ran a ransomware company that just didn't pay? You'd screw a lot of people over but eventually you'd make ransomware a non-business the better you impersonated them and failed to deliver after taking the ransom.
Another way to view this calculation: if you keep your infrastructure secure and up to date, you (very likely) don't have to pay any ransom in the first place.
There is a line where the ransom price beats the capex of keeping a secure system, specially when the risk so nebulous
Kind of like the recall math auto makers do to see if it's more expensive to actually recall a manufacturing problem, or just deal with it and compensate those who seek it personally
Paying a ransom should always be illegal with federal criminal charges for the employees who authorize the payment. If businesses are destroyed or people die as a consequence then those are acceptable casualties.
That operates on the idea that hacker organizations use long term strategic thinking, something the US government and a good number of corporations don’t even practice. I wouldn’t put my money on that.
while i am not about to bet the farm on the long-term strategic thinking ability of extortion groups, they are much smaller than most corporations and the US government, thus its much easier to think strategically and execute on longer-term goals.
shinyhunters, for example, has been active and acted as a cohesive unit for the past 7 years.
> on the other hand, the ransomware groups that want to stay in business need to be honest
I was thinking about that the other day. Honestly I'm not sure it matters. I feel like if a company didn't pay the ransom that would possibly open them up to lawsuits or something because they "tried nothing". At least paying it makes it look like they did something and could be some sort of legal defense. But again I'm not a lawyer.
one issue is that modern ransomeware groups are also being hunted themselves - there are many ransomeware orgs that are themselves being ransomed so are not reliable.
even if you pay the ransom to the 1st group, the 2nd group will leak.
So, maybe we could consider a "White Hat" ransomware group that takes the money and also leaks the data, so that long term no one bothers to pay which ultimately disincentivizes ransomware attacks?
LOL that's some super heavy duty optics framing on what basically amounts to "we paid out a ransom but don't worry the bad guys assured us things were okay"
They said “received digital confirmation of data destruction (shred logs)” - is this supposed to fool users into thinking the hackers didn’t keep any of the data?
I thought it was illegal to pay ransom to hackers. I guess it is legal or maybe it isn't very clear? I thought that there were certain conditions that the company had to check together with law enforcement so that at least the ransom money doesn't go to a hacker group that is on a government payments sanctions list.
Also, does anyone know the root cause of the attack? I read a rumor online (but it's not really confirmed anywhere) that it may have had to do with the common pattern of ShinyHunters where they use a vulnerability in a Salesforce Experience Cloud site. What is confirmed for sure is that the vulnterability involved the feature of Canvas called "Free-For-Teacher accounts".
Not only is it not illegal, there are insurance policies set up to take care of this very scenario. It's almost always handled by a third party, not the company themselves, that would deal with any such concerns.
It is illegal to pay terrorists. As bad and annoying as hackers are, I'm not familiar with any government recognizing any hacking group as a terrorist group. If they did, would they be able to send in SEAL Team 6 to handle the hackers?
> As bad and annoying as hackers are, I'm not familiar with any government recognizing any hacking group as a terrorist group.
If you’re sending a large sum of money to $anonymoushacker, how do you ensure they’re not on some OFAC list? Or do your AML checks? Or make sure you’re not on the wrong side of Foreign Corrupt Practices act? The third party probably turns a blind eye to that cuz there’s no way of really checking.
the people who do "AML checks" are the ones processing the transaction.
i don't do that every time i want to send money. private individuals don't just "run checks" - it would make commerce untenable and possibly unconstitutional.
say you get a passport, an address, a photo, a signature, a phone call - how do you verify any of this is real?
Cryptocurrency mitigates most of those concerns. That's why the flourishing of crypto payment systems has been an unalloyed blessing for cybercriminals.
No it does not. It makes some things harder and some things easier. The public ledger means you can track where then money flowed - you might not know who had it but you know how it flows which is interesting. I don't know if it has happened, but I've heard of proposals to make any bitcoin the traces to some transaction illegal to have, and that means nobody who might get caught will have anything to do with those.
If they were in Iran a drone would’ve paid a visit, based on current events. Most of them are in Russia or former Eastern Bloc like Belarus. USA and the west doesn’t want a direct conflict so the drones never pay them a visit.
Instead, they trick the hackers into going on a vacation in a country that will let them grab them.
It often is illegal to pay them. They are often on sanctions lists, or indeed in embargoed countries. And it's just generally not allowed to pay unidentifiable parties for basic anti-money laundering reasons. And a lot of countries are bringing in new legislation to make paying illegal, starting with public sector organisations. I'm sure that will only expand.
Frankly, you pay a ransom at your peril. If it turns out it was North Korea you may well go to jail for it.
I don't know where you are getting your information from. For one, it's very often unknown, by virtue of how these groups operate, where they are from or who they are affiliated with in the first place. For two, as I stated, it is such common practice to pay ransoms that there are insurance policies specifically for doing so, it's very common to purchase these as part of a SOP of a company's security policy. A business is required, often by the board/shareholders, to maintain business continuity, which is why these exist.
For three, by the FBI's own source, they don't mention anything about it being illegal, they merely advise against doing so[0] -
> The FBI does not support paying a ransom in response to a ransomware attack. Paying a ransom doesn’t guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity. If you are a victim of ransomware, contact your local FBI field office or file a report at ic3.gov.
I am not saying I support paying ransoms, or take any position here, I am just saying quite factually it is an extremely common practice to pay these, often via third parties that take care of any potential legality issues (which I am not aware of being super common at all, and if you are being targeted by a nation state on a sanctions list, you probably are well aware and have your own legal team/police liasons to deal with any such issues). Most ransomware attacks come from small, unknown groups.
If the bad guys get paid and release the info anyway, they not only make it less likely they'll get paid in the future, they make it less likely anyone will get paid in the future.
Even other bad guys have an incentive to stop these bad guys from leaking the info after getting paid.
In the abstract, it’s hilarious to imagine the hackers keeping the data, then some time from now leaking it accidentally (or another hacker group hacks them) then them having to issue a public apology for not having kept the stolen data secure and having lied about shredding it.
However, they could use it as a last resort or as a final "gift" before getting arrested or switching identities.
They might be considered "trustworthy" right now to get companies to pay them money, but no one will know what will happen in a few years when this strategy won't work anymore.
Anyway, I hope this doesn't come at all, or as late as possible.
> but no one will know what will happen in a few years when this strategy won't work anymore.
Good point.
> Anyway, I hope this doesn't come at all, or as late as possible.
Same. As I said, I find the idea funny in the abstract, if it didn’t affect anyone or if it were a TV show, for example. But since it does affect real people…
Hackers have an incentive to destroy the data as promised, because if it becomes a trend where the data is leaked despite the ransom being paid, no one would pay ransoms in the future.
Obviously this doesn't stop hackers from selling the data anyway and say "it wasn't us, someone else got the same data through a different hack".
It was my understanding that the data was copied[1]. You wouldn't "return" data unless it was encrypted or the originals were deleted. I am confused on this phrasing but maybe it is standard idk.
This is bullish on Monero[2]. The January pump may have been from a hack as well[3].
Here is Shinyhunters website. Canvas was listed on it[4] and then removed[5].
This is a good time to point out that when there is a data breach, data is rarely stolen. The real threat and harm is when data that is stolen is used against you.
> You wouldn't "return" data unless it was encrypted or the originals were deleted
The very next line from what you quoted:
> We received digital confirmation of data destruction (shred logs).
Now, color me surprised if they didn't delete it, but I'm guessing this is why they call it "returned", since from their beliefs, the data was deleted after it was "returned".
A good infotech public service project would be to maintain a public list of organizations that have succumbed to ransom demands, so that we can choose to take our business elsewhere. It would also be an act of bravery though in the face of potential liability for libel. I doubt disclaimers would evade much of that.
ShinyHunters has a vested financial stake in not leaking the customer data. If they did, nobody would ever pay a ransom to them again. I trust ShinyHunters to look out for themselves continuing to get paid.
Sure. Do you trust every member of ShinyHunters to remain a member of ShinyHunters in good standing, and to resist the temptation to exfiltrate the data in the process of exiting ShinyHunters?
I would expect ShinyHunters to understand that traitors pose an existential threat to the group and to take measures to prevent a lone wolf from selling them out easily. That they have existed for 7 years already indicates they are probably not so amateur as to allow any individual member to walk off with data that would compromise their operation.
No, it actually doesn't, which is the problem. The market has shown that there are no financial consequences to any company that gets hacked. Instructure could have just as well not paid the ransom, as many companies don't, and continued to be fine. Even if they do pay the ransom, it is likely that it is less than it would have costed them to engineer secure systems, so even if you take paying ransoms as necessary market incentives still steer you to ignoring security.
Theoretically, if it happened before and the ransom wasn’t paid, there’s both an incentive by the service to improve their security practices and a disincentive on the hackers to target that business.
I wonder if, longer term, we're better off if a company like this were in some way destroyed as a result of getting hacked and paying a bribe.
I think the stakes for getting hacked are far too low, especially at higher levels of management/executive where it's this abstract thing that has concrete time/resource costs.
I suspected as much as it disappeared from the ShinnyHunters page and it recovered so fast. The main thing I'm interested in knowing was how much was paid. Also I don't really like their statement that the data is safe or destroyed, those promises seem a little questionable with regards to these incidents.
How does things like this work in terms of bookkeeping? How do they label the expense? Can a company send huge amounts of money to an unknown crypto account without needing to explain anything to the tax authorities?
It's the insurance company paying the ransom and I assume they tie the payment to the insurance policy they are fulfilling, I don't know what the tax implications would be, I am not in finance or an accountant
I read online that it has to do with their "Free-For-Teachers accounts" which I assume is a way for teachers to get access to Canvas services for free when their school doesn't subscribe to it.
I don't know for sure, but I think it probably had to do with some kind of misconfiguration on an Salesforce Experience Cloud site. I have heard that ShinyHunters often exploits this type of service and that it is very easy for companies to forget to set the right permissions to data and they end up throwing a bunch of different data into Salesforce.
This blog post[0] suggests that, based on their changelog after the incident, the hackers may have extracted session tokens using XSS in a support ticket. Then the ransom note was displayed using a custom theme.
> Has law enforcement been engaged? Yes. We've notified law enforcement, including the FBI, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and international law enforcement partners.
Hmm. I thought all these agencies say NOT to pay a ransom.
Not always. They have been known to give "marked bills" to pay with in the past. A lot can be learned by watching how ransom money moves around (bit coin is very traceable this way). Sometimes paying a ransom is an important part of finding and arresting the guilty.
I would love to know the amount of ransoms paid by large companies who've been compromised without the public being informed. How much that undisclosed amount impacts inflation and the economy today is not talked about nearly enough, imo.
Everyone's making a lot of good points about game theory and economic motivations, but there is a much more important and self-serving point: when you pay a ransom, hackers come after your shit x10.
Paying a ransom signals 3 things:
1) you are vulnerable to attack
2) you cannot recover from an attack
3) you've got cash
The result is that you get attacked much, much more. You could ask me how I know, but I wouldn't tell you :)
This happens every day, and there doesn't seem to be anything interesting about this case. It's how most situations are resolved. There are money transmitters that specialize in ransoms. They "do" sanctions checks that are about as good as you suspect they are.
Like other commenters have pointed out, it's literally a business. Most trade on reputation, so there actually is an incentive for them to take their money and abide by their agreements. Otherwise, they would have to start from scratch with a fresh identity and rebuild the rep to command their prices.
I've seen half a dozen comments in this thread suggesting that paying hacking ransoms should be illegal, but I strongly disagree, for multiple reasons. I'll just make this a top-level comment rather than picking one to reply to.
(1a) Multiple have suggested that the US made it illegal to pay kidnapping ransoms. This is a misconception. The US adopted a policy that the government itself would not pay ransoms, but explicitly noted this did not apply to the victims. "The U.S. Department of Justice does not intend to add to families’ pain in such cases by suggesting that they could face criminal prosecution."
(1b) Despite this policy, the US pays ransoms anyways. Usually in the form of prisoner swaps, but in 2023 it released $6 billion in frozen Iranian funds in exchange for the release of 5 hostages[1].
(2) The belief that paying ransoms should be illegal is predicated on the belief that criminals will be less likely to commit the crime if there is no money to be made. This may be true for kidnapping, but that does not mean it would be true for hacking. Kidnapping is a high-stakes, high-commitment crime that requires physical presence and exposes the criminal to significant danger. If the criminal anticipates no reward, the risk-reward calculus skews them away from kidnapping. However, hacking is a low-risk crime. Even if the chance of reward is low, the risk is also low, so hackers are unlikely to be deterred from hacking. Many hackers will do it just for fun or to prove that they can. Moreover, hackers can profit in other ways, for example by selling the data on the black market, or by making use of the data themselves as a nation-state or corporate espionage actor. Hacking will undoubtedly continue as long as things can be hacked, regardless of whether ransoms are ilegal.
(3) Making ransoms illegal pushes the burden onto people who have no real ability to do anything about it. When a company fails to pay ransom, it is the customers who suffer. It does not materially affect the company in any way to have customer data leaked. The market has already shown, overwhelmingly, that it will not punish companies that leak user data. That a company pays a ransom to begin with indicates that they don't actually understand the market and/or have some small shred of a conscience. Rather than making it illegal to pay ransoms, I would rather see penalties for having a data breach in the first place, but once a data breach is assured, companies should be paying ransoms to try to mitigate the damage to their customers.
(4) The idea of trying to solve hacking by making it illegal to pay ransoms is ridiculous on its face. As long as systems are insecure, hackers will exist, so the legal emphasis should be on consequences for data security. The collection of PII that is not essential to providing a service to customers should be discouraged, and there should be real consequences for negligent security. There should be an investigative board similar to those for airline crashes and infrastructure collapse, which examines the circumstances in depth and identifies whether the company is at fault for negligent handling of PII.
That's just not reality. Not least of which because competitors are exactly the same when it comes to security. Even if they weren't, security isn't something the market can realistically select for because it's not verifiable from a customer's perspective. A customer can clearly see, say, a price difference or feature difference, but cannot see a security difference in any meaningful sense. This is something that needs to be enforced at a regulatory level, there are many problems the free market cannot solve, and in fact market forces actively incentivize neglecting security.
The moral hazard of companies escaping scrutiny of their poor practices while simultaneously subsidizing the behavior that takes advantage of said poor practices at other companies needs to be addressed.
I'm curious about the open source competition (https://github.com/moodle/moodle is my first find, there are likely others) and what they could've made happen with that money if they had received it instead as an investment re: not worrying about future ransomware attacks.
Canvas itself is also open source (https://github.com/instructure/canvas-lms), which was the big appeal of it originally in a world where Blackboard had a stranglehold on the LMS market.
Huh, neat! I had just assumed otherwise because everything else my university uses is nine kinds of proprietary.
Like, they recently tried to sell me to McMillian who then tried to sell me the "submit homework" button for $20. I complained and got exempted from having to submit homework, but that's par for the course in edtech right now.
There shouldn't have been a need to give into hackers, even highly successful hackers. If they're not doing air-gapped backups weekly, that's malpractice and hints at a substandard architecture and/or operations. On a short enough full backup schedule all of Canvas's customers should've been able to recover based on their own copies of assignments and test results. And a policy like that should've been in the SLAs.
In an education environment, there shouldn't be a need to trust software like Canvas for anything mission critical. In fact, if there's anything mission critical in a system like canvas it's an artificial need.
IOW Canvas had to have made themselves vulnerable to a ransom demand in the way that they designed their own product.
Enrollment or courses might not be generally super sensible, but financing/financial data, personal identification like phone numbers and emails, chat logs and such
I mean, something as simple as name + grades is extortable. There are plenty of students who would not want their bad grades to be public information, and who would be upset with their school if the school allowed that to be leaked, or who may personally pay an extortion if contacted directly.
I certainly do think it's crazy that schools are selling out education to SaaSification, but that is normal in the world we live in.
The same group has a reputation to uphold (i.e., that of 'honourable' criminals), so they just move on to the next target, who will, incidentally, know that they are absolutely true to their word. (This is why paying off ransomware hackers is being made illegal in a number of countries.)
A different group? Certainly. I wouldn't want to be in the shoes of the infosec guys at Canvas right now.
Sure. In all likelihood ShinyHunters will 'gracefully' point out the weak spots leveraged in the system of the 'customer' upon receiving payment to prevent this happening again next week.
They have a rather strong incentive to keep this a happily-ever-after ending for Instructure and any other target who pays up. It's all taught in Maffia 101.
They can always just hack them again but with a different method this time.
The ransom doesn't bind them from hacking the company multiple times. It just obligates them to destroy the data they collected from this attack.
As a matter of kindness and good business they'll probably wait a few months or a year or so before poking around again but they'll almost certainly continue poking at Instructure's systems.
Data exfil ransom attacks are a business first and foremost. They don't permanently halt or destroy the original infra and their goal is to get a payout for their labor and move on. Maybe the come back around in the future with another, different attack, maybe they don't.
They made their money and made it big in the news as having complied with the ransom payout, no reason to hurt their reputation trying to double dip. Plenty of other soft targets to poke.
On the one side you have white hat hackers and pen-testers who you pay a contract or salary to prod your system. If you really piss them off (i.e. by stiffing them of their pay) some might just steal your data and threaten to leak it unless you pay them.
On the other side are black hat hackers who will drive by your system and if they find a way to break in they'll offer to keep your data private for a ransom fee. And maybe if you have some charisma, decent pay, and/or a good repertoire you might recruit them on/convert them into white hats for your org.
Simple economic motivations from the hackers. They've hacked a lot of different companies. [1] If they didn't keep their word then companies would have no incentive to pay, and vice versa when they do keep their word.
It might make more sense for Shinyhunters to request a reoccuring charge to smooth out their revenue stream. Basically protection money as it was called in the good old days.
This is of course assuming that Instructure continues to be relevant, and that students still believe that college education holds economic or social value.
I think Instructure has made themselves a target. I'm a professor at a college that uses Canvas and I'm going to be making sure I download the gradebook for my classes more often from now on.
Tons of stuff, usernames, first name, last name, email addresses. - Most of this stuff isn't "private" per se, but its also not publicly index-able for a reason.
Conversations between students, conversations between teachers and other students/staff or teachers. Course content, etc.
Years ago I attended a conference that had a "fireside chat" with a DoJ official on the topic of these types of ransom payments.
He framed the issue as being similar to kidnapping ransoms: When an American is taken hostage each family is inclined to make payment but it fosters an industry around kidnapping Americans. Congress put a stop to it by making it illegal to pay the kidnappers. The industry shifted by ceasing the non-profitable American kidnapping and instead began targeting Europeans.
His proposal was to begin warning cybersecurity consultants and insurers who were often brought into these situations that payments to sanctioned countries were already likely illegal and could face scrutiny. The first people to suffer this might be burned, but eventually he believed the industry would move on and stop targeting US firms.
Not sure if anything ever came of his plans, but I always thought it was an interesting framing of the issue.
This is the way to go.
Instead of paying ransom, and creating a ransomware criminal industry out of thin air, its better to force companies to recover and restore from backups and remove monetary incentive for crime.
and the executives who failed to carry regular backups obviously should face the music
Backups were not Instructure’s problem. Hackers using the threat of exposing private information to extort Instructure’s customers was the problem.
Equifax and other companies routinely leak customers PII and financial information.
the only outcome I got from their incidents is 1 year free "identity protection service" which I didnt use.
Should be a lesson for Instructure to have proper architecture and do not store PII they dont need in their processes.
At least those are mainly going to be adults. In the case of Instructure, there are many K12 school districts using Canvas as well. They are potentially selling lists of underage children along with where they live, and contact info like email and phone number.
These are going to be people with clean credit histories to exploit, and ideal for using as ghost students.
Our PII is leaked all the time. I am fed up with various businesses sending me a free credit monitoring subscription in lieu of actually having proper security controls or damages that incentivize viewing the issue as a serious going concern risk.
Leaks are inevitable, but the current situation is absurd. The liabilities and incentives to do anything about them are virtually nonexistent and security is almost always viewed as a cost.
I’m tired of it being my problem to fix. You should be able to know everything about me and still not be able to get accounts/credit/whatever in my name.
Was it really a problem? Yes, voluntary release of that info by a school would normally likely be a FERPA violation, but this was a criminal act against a third party.
Infrastructure’s motivations must have lain elsewhere…
Does that really shield the schools? HIPAA wouldn't care.
educational LMS should not store real patient health data, so thats the problem of whoever designed that system.
The question was whether the same transitive responsibility applies to FERPA, not whether HIPAA data is involved.
I still believe in the approach taken by Mel Gibson’s character in “Ransom.”
Offer a reward equal to the ransom amount, to anyone who turns the kidnappers/criminals in to the authorities.
Good luck when most of the random gangs are in countries that, at best, don’t care about this, and often encourage or support it.
The criminals have better marketing than the disaster recovery vendors.
Wouldn't that incentivise companies manufacturing media and backup facilities to finance ransomware operators?
> Wouldn't that incentivise companies manufacturing media and backup facilities to finance ransomware operators?
No, for the same reason fence manufacturers aren't financing burglers.
There is enough competition that if word gets out you can move to someone honest. At this size you can't keep a secret.
It may be that the ideal number of ransomware operators is non-zero
If they can restore from backups, then there’s no need to pay the ransom in the first place… Ransomware is designed to silently corrupt your backups.
Who would of thought paying teenagers millions of dollars in crypto was a good idea?
They'll just use it on more exploits, more nonsense. It's a race to the bottom. Sister group, Lapsus$ (parent group ShinyHunters) has published on their website they will pay for inside access to company networks. The group says they don't want data, they just want an avenue.
This is what happens when we keep paying these criminals millions in hard-to-trace crypto.
I do find it all a bit funny though.
I suppose it also puts a price on not funding your security department.
How is it not a violation of AML laws to pay a ransom like this? Surely they didn't verify that the recipient (a criminal) isn't sanctioned or associated with sanctioned organizations.
Money laundering is the action of obfuscating the origin of criminal proceeds; victims or clients of criminals do not generally commit money laundering, for example buying drugs is not a form of AML violation regardless of the legality of the purchase itself or the fact that the funds will later be laundered by the traffickers.
KYC is a tool to prevent money laundry and it's typically an obligation of financial institutions. Sending money to an anonymous (to you) recipient is generally not a KYC violation if you are not in the money transmitting business and you aren't doing the payment on behalf of someone else.
There are infinite shades of gray in this topic, of course, but I can't see AML being relevant in this particular case.
I think they mixed up sanctions (and any similar laws w.r.t. legal recipients) with AML laws. The legality of paying sanctioned entities doesn't depend on whether the money was laundered, but they were interested in how people get around the former.
Thank you! That's basically what I was asking.
How exactly would this fall into the purview of AML? As far as sanctions go the burden of proof would be on the government to prove the money went to a sanctioned entity and Instructure isn't a bank subject to KYC requirements.
All my corporate AML training says that not performing some KYC for large payments, directly or through a bank, is a crime in its own even if the recipient isn't sanctioned.
From Claude, maybe it's a little nuanced compared to conservative corporate policies, but doesn't feel very legal: "You can be charged with money laundering (18 USC 1956/1957 in the US, equivalents elsewhere) if you knowingly — or with willful blindness — process proceeds of crime. "I didn't ask" is not a defense if the circumstances were suspicious; deliberately avoiding KYC to preserve deniability is exactly what willful blindness doctrine targets. The recipient doesn't need to be formally sanctioned; the funds just need to be tainted."
Even if it already is, the DoJ can exercise discretion in choosing who to prosecute. There has to be political will to threaten an org who has just suffered from an attack with further consequences if they make a payment.
Probably not too relevant but off the top of my head, the New Zealand Government's guidance on ransomware payments is that you could technically be fined if you pay a ransom to an entity in a sanctioned country, although it doesn't go into specifics
Is it illegal to pay kidnappers in the united states? I've never heard of this and I can't seem to find anything that says any such law has actually been passed.
It's technically not illegal, but often is. You can't pay terrorist organizations or specially sanctioned orgs. See https://sanctionssearch.ofac.treas.gov
Probably should consult an attorney before paying a ransom (whether for kidnapping or other purposes).
I’ve been wondering this too.
Extortion and terrorism seem similar in many ways except the latter involves physical harm.
I’d asssume a company paying money to terrorists shouldn’t be acceptable.
It also seems especially egregious to pay ransom as a “solution” to the failings that made the attack both possible and consequential in the first place.
Might as well use a bank whose safe deposit boxes are made of cardboard… They can just bribe the thieves to give some things back.
>It also seems especially egregious to pay ransom as a “solution” to the failings that made the attack both possible and consequential in the first place.
You are paying an extra fee for not testing your own software and infrastructure. It was instead tested by a third party. Be glad it wasn't tested by a nation state actor or someone who wanted to do more harm to your customers than just asking for money.
Ideally they should now secure their infrastructure and take this as a gentle reminder that they should spend more on security.
>Might as well use a bank whose safe deposit boxes are made of cardboard… They can just bribe the thieves to give some things back.
You would hope they would then upgrade the cardboard.
When you frame it like that it sounds like the thieves are doing us a favor. Except it should be heavily fined and jailable for the entire executive team and maybe the board too.
The thieves are doing us a favor.
And yes, the companies executive should be jailed.
Except those payments are being passed through, are they not?
Passed through where and how?
Canvas to schools to tax payers
Ah yep, well they might pass on as much of the cost as they can to their customers, but it still costs them in lost customers/prestige etc.
The issue is that anything a hacker can do publicly a state actor can do silently.
Its a boon to both the company and the country when a hacker makes a big public deal out of it. Because they get the chance to repair something before its intentional damaging misuse by a hostile state actor.
The hackers here deserve every cent plus possibly more.
And theres always the problem that the hackers would still get paid, they just wont report the payments making tracking difficult.
Thank goodness that no kidnapping of an American has ever happened since.
It is illegal to commit a crime. So no crimes will be committed. Duh.
That's the magic of Laws!
Hmm, there was once fraud so I guess we should repeal any prohibitions on fraud, huh? Same for murder.
Calm down, extremist. There's a difference between someone doing something vs someone paying someone else to stop doing something. If the latter were truly bad then the same should be applied to people handing over their wallet to muggers. The only difference in that scenario and the above is saving yourself vs saving a family member. Would you really deny people the ability to save their loved ones?
> then the same should be applied to people handing over their wallet to muggers
Not really. Muggings are both more common and less traumatic than kidnappings. This is reflected in the fact that common and maximum sentences for kidnappings are universally more extreme than those for muggings.
> Would you really deny people the ability to save their loved ones?
...yes. Because it means significantly fewer kidnappings. "Deny people the ability to save their loved ones" is tantamount to "help others to lose their own."
And where does ransomware fall on that trauma scale? The maximum sentence is less than mugging after all..
> does ransomware fall on that trauma scale?
Idk. That’s a step (sentencing guidelines) after we decide it should be criminalized.
> The maximum sentence is less than mugging after all..
They’re in the same ballpark, 2 to 6 years or so.
> That’s a step (sentencing guidelines) after we decide it should be criminalized.
You decide it should be criminalized before you identify any harms?
> They’re in the same ballpark, 2 to 6 years or so.
You can just look it up. Maximum sentence for mugging is 30 years, ransomware is 20.
> You decide it should be criminalized before you identify any harms?
No. We have a measure of the harms. We haven’t balanced them for sentencing. Again, deciding something should be illegal doesn’t require obsessing over the sentence ex ante.
> Maximum sentence for mugging is 30 years
Not the norm, either for maximums [1] or usual sentences.
[1] https://en.wikipedia.org/wiki/Robbery_laws_in_the_United_Sta...
Isn't there still incentive because the data itself is valuable so attacks would continue?
Maybe, but it’s harder to profit from it. A firm may be reputationally damaged, but what’s the incentive to cause that damage?
I think the Bloomberg Odd Lots guy wrote a blog post on this: you could attempt to short the stock but a) this leaves a paper trail b) the market might not know about the breach or believe you if you post you’ve done it. IIRC some hackers have tried to tell companies that they are legally required to disclose the breach to their shareholders to force market movements.
If there was a way to profit from the data that was more than the ransom, wouldn't they just do that instead of asking for a ransome.
Or do both i suppose, just because someone pays a ransome there is no garuntee the hacker destroys the data.
How much value is in the data. It is embarrassing if some kid gets a D in class, and shouldn't be public - but most of the people who care already know or have ways to find out.
Not sure sanctions are a relevant reason not to pay here. We don’t know where everyone involved with ShinyHunters is located, but those arrested in the past have been American and French.
Americans and French (and most other "first world") countries will investigate and arrest anyone involved. It doesn't matter if foreigners are the only victim, most countries do not want their citizens involved with this and will send anyone caught to whatever country was affects for criminal prosecution.
Russia, and North Korea are the main names that come up as exceptions, they will protect their own people.
This is doubtful.
Americans are more kidnapped globally when we look at a equal distribution of population (i.e. in the same pool in a generic country, Americans are more likely to be kidnapped (according to the James Foley Foundation).
Europeans are more likely targets in Africa due to our presence there (mostly NGOs).
The differences will be statistical, not motivated by a no-pay policy.
Not that I disagree but it also incentives attackers to steal and resell data to other nefarious actors.
After all a lot of the data companies have isn't their own, it's their customers. They are the ones who suffer because businesses don't bother securing their crap.
on one hand, every ransom paid encourages like-minded individuals to start or ramp up their ransomware game , which is not great.
on the other hand, the ransomware groups that want to stay in business need to be honest (with respect to not releasing/deleting data) or they wont be 'credible' ransomware operators, which is kind of funny to think about. and in many cases, the victims would rather the ransomware operator be paid (so their data is not leaked) vs. having their data leaked. so paying is the best for current victims (but increases the potential for future victims).
the dynamics/economics around ransomware is fascinating.
This is always the game theory of ransoms, and it is a classic example of a collective action problem (and is a form of a prisoner's dilemma).
Each individual company is probably better off paying the ransom, but everyone would be better off if no one paid a ransom.
This is why the United States, for example, has an official no-ransom policy, and why other no-ransom policies exist. You have to have something forcing the individual victim to not pay, otherwise they will always be incentivized to pay and ransoms will continue to be profitable.
https://en.wikipedia.org/wiki/Collective_action_problem
https://en.wikipedia.org/wiki/Prisoner%27s_dilemma
Famously summarized by Kipling
https://www.kiplingsociety.co.uk/poem/poems_danegeld.htm
TIL https://en.wikipedia.org/wiki/Danegeld
> Each individual company is probably better off paying the ransom, but everyone would be better off if no one paid a ransom.
You're then a target known to be vulnerable and pay ransoms, so best focus on security.
If you have to pay, at least try to negotiate 1) a guarantee that the hackers won't just do it again sometime later, and 2) full disclosure / assistance in repairing your vulnerabilities so you have some kind of head start for the future. Outside of politically motivated hackers, this would probably be reasonably successful.
What possible type of guarantee could one ever hope to "negotiate" with someone who has just successfully blackmailed/ransomed/extorted?
If the ransomware operator believes that breaking their word might make it harder to get money out of future victims, they'll keep their word.
They might not believe that, but if you're at the point where you're paying anyway, you might as well try to get that commitment from them.
We are in the context of already having to pay. You are at their mercy no matter what, so the only value of any interaction with them is based on hoping they have incentive to maintain their promises to protect their reputation etc.
It's not a good situation to be in, but still, try to make the best of it.
Other hacking groups now know Instructure pays up.
There’s a similar dynamic from within the hacker group itself. For the ransom group, it is better for them to be perceived as trustworthy. Pay the ransom and we won’t leak your data.
For any individual within the ransom group, they can get a big payout by selling the data.
Depends on what they actually got. Names and email addresses? Considered public and are not so valuable. Universities usually publish those in a directory anyway.
Messages between students and instructors? Likely pretty boring, but possibly embarassing or confidential for a given individual.
Grades? Could be a FERPA violation.
Critical PII such as SSNs? Probably not in the LMS to begin with.
SSNs have been used as student IDs by particularly stupid educational institutions. The 'nice' thing about getting SSNs from students is the likelihood they'll live for a long time after the breach and thus be subject to identity theft for many years to come.
This was common years (decades, really) ago but I'd be surprised if any university today was still doing that. I guess there could still be some....
My university stopped putting SSNs on student IDs more than 25 years ago. I'd be surprised if there are many who still do that.
Though I wouldn't be surprised if some 40 year old university IT system requires its use as an identifier, regardless of whether or not it gets printed anywhere.
I have trouble imagining that a ransomware group would care about a regulation like FERPA when they've already done something criminal that would more than enough for prosecution if they got caught.
Those laws reduce the value though - "honest" people who are interested in such data won't be interested it from ransomware because they need to have legally obtained data. That is there are a lot of "honest but shady" uses of this data that are stopped by these laws.
I didn't mean that the ransomware group would care... but if they got grades, that might command a higher ransom than if they just had names and emails and other non-very-sensitive stuff.
I just spoke with a K-12 teacher I know, and she confirmed SSNs in the Canvas instance.
Yikes.
Wow. A lot of K-12 students probably don't even know their own SSN off the top of their head, much less understand the impact of having it stored in this way. I can't fathom why it would be necessary for the SSN to be tracked by the school. At most, the school district as a whole might want a record so they could make sure kids are getting schooled but putting that into Canvas doesn't make any sense to me.
Agreed, seems wild to me that anyone in 2026 is using SSN as an identifier in a system that's not doing some kind of tax reporting. It's kryptonite for any other purpose.
Oh, it's insane and I recoiled when she mentioned that.
But it is 100% happening.
People do amazingly stupid things with systems, especially when they don't have enough people with the expertise to set them up properly, so they just throw things in there without stopping to think about whether or not it's a good idea.
So, a particular school system decided to add SSN to the student profile? Or Canvas requires it?
I'm guessing that Canvas just sort of lets you put in whatever data you want, and someone evidently decided that putting the student's SSNs in there made sense...
It's not required. I don't know precisely what her district is doing or why - I don't work there But she unprompted brought up that a lot of the minors' PII was in there including SSNs.
It would be nice if system owners stopped thinking "we'll just ask for all the info in case we need it" and instead "we might get sued (or ransomed, or both) because we are collecting this."
That is a big yikes, but definitely not the norm. Most school districts switched from using SSN as their SIS identifier decades ago.
They already have your SSN, as does anyone else who wants it.
True. It's more yikes about what this says about the technical knowledge in that school.
I don’t know if that’s really true. Nobody would really give a shit if you leaked where everyone goes to college… because it’s already on their LinkedIn or whatever.
The only people it’s valuable for is the ransomee, because they don’t want the reputational hit of having their data everywhere.
It really isn't as simple as that.
You are leaking email addresses that likely otherwise wouldn't be out there publicly. Whilst email addresses and names are "effectively" public, they aren't just in a one big database anyone on the planet can access.
Every single one of those email addresses will receive increased spam and phishing attempts, with more isolated information (such as School, First+Last Name, Subjects, Teachers/Lecturers, etc) the phishing attempts can be more refined.
i.e, Student receives an email that looks like its from their school (has email footer, has student name, has relevant teacher name, subject name, etc), the user is now more likely to click some sketchy link.
These little identifiers add up, especially when cross-references with other leaks. Even more problematic when most of the users wrapped up in a leak like this are under 18 too.
A lot of this stuff could be done previously, although the effort and scale to do so would of been higher/harder.
> For the ransom group, it is better for them to be perceived as trustworthy.
They've already proved themselves to be untrustworthy simply by ransoming you in the first place.
No, they're proven themselves to be malicious. That's not the same thing at all.
You can also have the "excessive force" doctrine, where holding someone or something for ransom results in your entire country being a smoldering crater.
But just like fail2ban, this gives someone else decision-making control over your actions, which can be abused.
Why don't someone pretend to be ransom hacker, take the money, and release the hacked data anyway?
This will progress the game theory to the point where nobody will pay ransom because the thieves won't honor the deals anyway.
And that’s exactly why the incidence of kidnapping plummeted in Italy once ransom payments were made illegal
How does that work? I.e. say a kidnapping occurs and the ransom is paid. What kind of trouble does the paying party get into? A fine? Jail?
A fine or sentence is probably on the books but it never comes to that. The main thing is to freeze the family's assets, and more importantly to publicize this procedure so the mafia or whoever knows there's no point in threatening the family.
So long as the potential payer knows they will get something they are going to slow down. They might pay, but suddenly becomes harder because they have to hide what they are doing. Many won't figure out how to pay.
The real value though is enough people consider themselves honest and won't do anything they know is illegal. They already hate dealing with criminals, but so long as paying is legal they might do it, but as soon as it affects their moral code they won't. The whole system collapses because just a few people saying no to paying means the kidnappers lose money on too many operations.
I understand the mechanism and the point of making it illegal, that’s not the question.
What I want to know is what exactly are the lawful repercussions for the person who paid.
>but everyone would be better off if no one paid a ransom.
I doubt if everyone would be better off if state level actors found and used these vulnerabilities instead of ransom seekers.
... except that "policies" don't cut it. Criminal penalties for paying are what you need, and not just for payments to specific designated entities, either. The executive making the decision to pay has to have a real fear of personally spending time in actual prison.
US law has criminal penalties for paying a ransom to a designated criminal terrorist organization or under treasury sanctions.
Most hacking groups don't fall under that. Some, sure.
A criminal penalty is a form of policy
... but not the form of policy they actually have.
Except for payments to specifically sanctioned organizations, the policy is "we'd really rather you didn't do that, but whatever".
The specific sanctions don't cover most of the groups, either, and even when they do cover the group who got paid, you can't necessarily prove the people who got paid were the ones on the list. And there may be a scienter requirement even then; I don't know.
Making a list of specific criminals you can't pay is just stupid. No ransoms, ever, period, or it's da slammah.
There's one more piece that matters.
If no one pays the ransoms, but people believe that large ransoms are paid-- you still have the crime.
The obverse is true - because a ransom organization is dependent upon their reputation, a company claiming to have paid and received confirmation from the group could prevent them from releasing it as well.
The general public (including the next victims) don't have a way to confirm if payment was made. ShinyHunters would have to choose between arguing publicly that they were not paid or not releasing the data to protect their own reputation...
Good/funny observation. Game theory and economics are fun. :D
I do think that the partial information problem relating to new entrants into this market is interesting though.
The number of potential threat actors with partial/no information but that might speculate based on grandiose visions of ransom or outdated history is high.
We see dumb attempts at real-world ransoms/extortion which don't get paid at a pretty high clip based on this kind of partial knowledge.
It's an interesting idea, although I think in the heat of the moment, the last thing your org should be thinking of will be playing games with one of the most prolific hacker groups on the planet.
You'll probably get your data leaked anyways, potentially get compromised again (see Instructure situation) and end up in a way worse place if you just shut up and paid it, or let it leak normally.
While the us stance has resulted in savings on potential ransom, it has also lead to people being kept in prison for very long time until prisoner exchanges might be worked out. That cost to an individuals life being imprisoned is probably far in excess whatever the US might pay. Plus the US prints its own monopoly money and doesn’t really play by the rules of economics anyhow ever since getting off gold standard.
This is literally the exact point I am making, and the US policy isn’t about saving money.
Like you said (and like I said in my post), for an individual kidnap victim, the best option would be to pay the ransom. It is better to pay the money and be free.
However, that means a kidnap group now has more money, which will make them better able to kidnap another victim and demand more money.
The point of a “no ransom” policy is that it takes the choice away from the individual, who would choose to pay it, and changes the game theory to make kidnapping not worth it.
The whole reason you need a policy at all is BECAUSE it is better for the person to pay the ransom.
That ransoms today are denominated in USD and that the US might be printing too many USD has nothing to do with whether or not ransoms should be paid.
The day the USD falls, ransoms will simply be denominated in something else and the same underlying collective action problem will remain.
This is just way of avoiding the core issue by blaming something unrelated that you don't like.
A: U should clean your room, it would be better for you & the rest of your family
B: FU dad, everyone knows there's no such thing as a clean room under capitalism!!!!!
Cash is not the real cost; the cost is by agreeing to continue printing ransom money, you cause more individuals to be kidnapped.
I'm not sure that attacker reputation is particularly meaningful. The group can rebrand into a new identity at any time. They're anonymous cybercriminals after all and there are lots of reasons they might need to do that beyond reputation laundering.
The calculus for the victims doesn't seem to change much whether the same people are using a "new" name or an old one to hold their systems hostage.
> I'm not sure that attacker reputation is particularly meaningful. The group can rebrand into a new identity at any time. They're anonymous cybercriminals after all and there are lots of reasons they might need to do that beyond reputation laundering.
It is very meaningful. You seem to equate that "new" = "trust by default", but a new group is distrusted by default. Let's say that for a new group which is unproven to hold up their end of the deal, only 5% of victims will pay the ransom. But if you've built up a reputation over 5 years of honoring your ransoms, then maybe 50% of your victims will pay the ransom. Reputation is literally everything here. I doubt Instructure would have paid such a high-profile ransom if they didn't have a strong reason to believe it would work.
Agreed.
This is the same problem that crypto addresses in an unregulated market - it provides attestation and continuity, but not much else.
New actors are untrusted. Trust must be built through small transactions until someone trusts you enough for larger transactions. Survive long enough without major reputational harm and you can even offer to act as an escrow service for parties with less trust.
The name ShinyHunters is currently quite well-known due to a number of high-profile hacks (Odido in the Netherlands this year was huge). Their brand has a significant value right now.
How does everyone know its ShinyHunters and not someone pretending? I imagine they have some mechanism to authenticate, I'm curious what it is.
Because ShinyHunters published they hacked Canvas on their own website. They also redirected the canvas login pages to a ShinyHunters message, whilst this could be done by another group/person, its unlikely.
You can also validate PGP keys and TOX accounts, etc via their website.
OK, I didn't realize they had a stable website all this time. I guess it's all out there in the open with these groups.
Yeah but fewer ransomes would be paid out regardless of who is attacking. They could be spoiling their own market and am sure they would
That's a motivation to avoid tragedy of the commons, not because they're trying to maintain their own reputation to victims. It benefits the criminals even if they change their name.
> I'm not sure that attacker reputation is particularly meaningful. The group can rebrand into a new identity at any time.
Reputation is everything in a collective.
If we assume a world where ransomware is continually existent and all your data is ransomed at anytime, we'd have a world designed to work around that.
We'd either end up with a Discworld "Ransomware Guild" that you pay "insurance" to and they murdicate anyone who dares do extracurricular data ransoming, or you'd have systems build on end-to-end encryption where the data is worthless.
I think you may have re-invented email reputation.
An idea I idly thought about is that of a "Benevolent Terrorist"[0]: one who does great harm to some number of people so that they may make it to a better world. Not entirely original, I suppose, since the Kwisatz Haderach from Dune is the trope definer. But a fun thought I had was what if you ran a ransomware company that just didn't pay? You'd screw a lot of people over but eventually you'd make ransomware a non-business the better you impersonated them and failed to deliver after taking the ransom.
What could go wrong? ;)
0: https://wiki.roshangeorge.dev/w/Benevolent_Terrorist#Poisoni...
What stops a ransomware group copying all data and just selling it piecemeal on the darknet under posibly a different name?
Realistically, the only people that could check that it's true are buyers, and those benefit from keeping a low profile
Another way to view this calculation: if you keep your infrastructure secure and up to date, you (very likely) don't have to pay any ransom in the first place.
There is a line where the ransom price beats the capex of keeping a secure system, specially when the risk so nebulous
Kind of like the recall math auto makers do to see if it's more expensive to actually recall a manufacturing problem, or just deal with it and compensate those who seek it personally
Paying a ransom should always be illegal with federal criminal charges for the employees who authorize the payment. If businesses are destroyed or people die as a consequence then those are acceptable casualties.
That operates on the idea that hacker organizations use long term strategic thinking, something the US government and a good number of corporations don’t even practice. I wouldn’t put my money on that.
while i am not about to bet the farm on the long-term strategic thinking ability of extortion groups, they are much smaller than most corporations and the US government, thus its much easier to think strategically and execute on longer-term goals.
shinyhunters, for example, has been active and acted as a cohesive unit for the past 7 years.
> on the other hand, the ransomware groups that want to stay in business need to be honest
I was thinking about that the other day. Honestly I'm not sure it matters. I feel like if a company didn't pay the ransom that would possibly open them up to lawsuits or something because they "tried nothing". At least paying it makes it look like they did something and could be some sort of legal defense. But again I'm not a lawyer.
one issue is that modern ransomeware groups are also being hunted themselves - there are many ransomeware orgs that are themselves being ransomed so are not reliable.
even if you pay the ransom to the 1st group, the 2nd group will leak.
So, maybe we could consider a "White Hat" ransomware group that takes the money and also leaks the data, so that long term no one bothers to pay which ultimately disincentivizes ransomware attacks?
White hats that take money are not white hats, those are grey hats.
https://en.wikipedia.org/wiki/Grey_hat
LOL that's some super heavy duty optics framing on what basically amounts to "we paid out a ransom but don't worry the bad guys assured us things were okay"
They said “received digital confirmation of data destruction (shred logs)” - is this supposed to fool users into thinking the hackers didn’t keep any of the data?
The criminals did not share the logs of them making a copy of the data before shredding it; so obviously that didn't happen.
maybe they were using quantum computers the whole time https://eprint.iacr.org/2022/1178 /s
I thought it was illegal to pay ransom to hackers. I guess it is legal or maybe it isn't very clear? I thought that there were certain conditions that the company had to check together with law enforcement so that at least the ransom money doesn't go to a hacker group that is on a government payments sanctions list.
Also, does anyone know the root cause of the attack? I read a rumor online (but it's not really confirmed anywhere) that it may have had to do with the common pattern of ShinyHunters where they use a vulnerability in a Salesforce Experience Cloud site. What is confirmed for sure is that the vulnterability involved the feature of Canvas called "Free-For-Teacher accounts".
Not only is it not illegal, there are insurance policies set up to take care of this very scenario. It's almost always handled by a third party, not the company themselves, that would deal with any such concerns.
It is illegal to pay terrorists. As bad and annoying as hackers are, I'm not familiar with any government recognizing any hacking group as a terrorist group. If they did, would they be able to send in SEAL Team 6 to handle the hackers?
> As bad and annoying as hackers are, I'm not familiar with any government recognizing any hacking group as a terrorist group.
If you’re sending a large sum of money to $anonymoushacker, how do you ensure they’re not on some OFAC list? Or do your AML checks? Or make sure you’re not on the wrong side of Foreign Corrupt Practices act? The third party probably turns a blind eye to that cuz there’s no way of really checking.
the people who do "AML checks" are the ones processing the transaction.
i don't do that every time i want to send money. private individuals don't just "run checks" - it would make commerce untenable and possibly unconstitutional.
say you get a passport, an address, a photo, a signature, a phone call - how do you verify any of this is real?
Cryptocurrency mitigates most of those concerns. That's why the flourishing of crypto payment systems has been an unalloyed blessing for cybercriminals.
No it does not. It makes some things harder and some things easier. The public ledger means you can track where then money flowed - you might not know who had it but you know how it flows which is interesting. I don't know if it has happened, but I've heard of proposals to make any bitcoin the traces to some transaction illegal to have, and that means nobody who might get caught will have anything to do with those.
“Payment must be made in small, used bitcoins.”
It can at a technical level but not at a legal level.
Your BigCo accounting department is not going to be very understanding about acquiring cryptocurrency to send to ??? for a ransom.
Isn't this why in other comments people have said that companies use third parties to pay the ransom rather than paying directly?
That’s my theory too. Setting up payments to a new vendor is hard enough even for the most legitimate.
An org’s Net30 terms aren’t going to work here…
If they were in Iran a drone would’ve paid a visit, based on current events. Most of them are in Russia or former Eastern Bloc like Belarus. USA and the west doesn’t want a direct conflict so the drones never pay them a visit.
Instead, they trick the hackers into going on a vacation in a country that will let them grab them.
A large percentage of hacking groups are state sponsored Russians. That seal response would be starting WW3 over some pii.
Protecting pii is important, but it's not that important
we started the pretext to WW3 over someone wanting to move the focus of attention, so it's really not that much of a stretch.
Aye, I meant more in the sense of "it would be a bad idea", than "that's definitely not going to happen".
Predictions are hard, especially about the future!
Man, I don’t remember Putin wanting to move the focus of attention that bad.
Iran, Russia and North Korea are the biggest sources of ransomware.
The cyber terrorist groups North Korean Lazarus Group and Russian groups like APT28 (Fancy Bear) are on the US SDN list, among others.
Search “cyber jihad” and “cyber islamic state” if you’re curious for answers.
It often is illegal to pay them. They are often on sanctions lists, or indeed in embargoed countries. And it's just generally not allowed to pay unidentifiable parties for basic anti-money laundering reasons. And a lot of countries are bringing in new legislation to make paying illegal, starting with public sector organisations. I'm sure that will only expand.
Frankly, you pay a ransom at your peril. If it turns out it was North Korea you may well go to jail for it.
I don't know where you are getting your information from. For one, it's very often unknown, by virtue of how these groups operate, where they are from or who they are affiliated with in the first place. For two, as I stated, it is such common practice to pay ransoms that there are insurance policies specifically for doing so, it's very common to purchase these as part of a SOP of a company's security policy. A business is required, often by the board/shareholders, to maintain business continuity, which is why these exist.
For three, by the FBI's own source, they don't mention anything about it being illegal, they merely advise against doing so[0] -
> The FBI does not support paying a ransom in response to a ransomware attack. Paying a ransom doesn’t guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity. If you are a victim of ransomware, contact your local FBI field office or file a report at ic3.gov.
I am not saying I support paying ransoms, or take any position here, I am just saying quite factually it is an extremely common practice to pay these, often via third parties that take care of any potential legality issues (which I am not aware of being super common at all, and if you are being targeted by a nation state on a sanctions list, you probably are well aware and have your own legal team/police liasons to deal with any such issues). Most ransomware attacks come from small, unknown groups.
[0] https://www.fbi.gov/how-we-can-help-you/scams-and-safety/com...
If the bad guys get paid and release the info anyway, they not only make it less likely they'll get paid in the future, they make it less likely anyone will get paid in the future.
Even other bad guys have an incentive to stop these bad guys from leaking the info after getting paid.
Why not wait a week and take the site down and ransom them again?
for the same reasons?
Because why would anyone pay anyone if they were going to do what they threatened you with anyway?
> We received digital confirmation of data destruction (shred logs).
This is shockingly naive
I imagine they are not naive, they're counting on their clients being naive.
What's to say they didn't copy the data then shred a copy, or hell even just fabricate some shred logs.
In the abstract, it’s hilarious to imagine the hackers keeping the data, then some time from now leaking it accidentally (or another hacker group hacks them) then them having to issue a public apology for not having kept the stolen data secure and having lied about shredding it.
However, they could use it as a last resort or as a final "gift" before getting arrested or switching identities.
They might be considered "trustworthy" right now to get companies to pay them money, but no one will know what will happen in a few years when this strategy won't work anymore.
Anyway, I hope this doesn't come at all, or as late as possible.
> but no one will know what will happen in a few years when this strategy won't work anymore.
Good point.
> Anyway, I hope this doesn't come at all, or as late as possible.
Same. As I said, I find the idea funny in the abstract, if it didn’t affect anyone or if it were a TV show, for example. But since it does affect real people…
Hackers have an incentive to destroy the data as promised, because if it becomes a trend where the data is leaked despite the ransom being paid, no one would pay ransoms in the future.
Obviously this doesn't stop hackers from selling the data anyway and say "it wasn't us, someone else got the same data through a different hack".
Gotta hope that's just a PR attempt to try to save face. Though I wish companies would stop claiming it.
>The data was returned to us.
It was my understanding that the data was copied[1]. You wouldn't "return" data unless it was encrypted or the originals were deleted. I am confused on this phrasing but maybe it is standard idk.
This is bullish on Monero[2]. The January pump may have been from a hack as well[3].
Here is Shinyhunters website. Canvas was listed on it[4] and then removed[5].
[1] https://www.youtube.com/watch?v=IeTybKL1pM4
[2] https://search.brave.com/search?q=monero+price&rh_type=cc&ra...
[3] https://xcancel.com/zachxbt/status/2012212936735912351
[4] https://archive.ph/4zD7f
[5] https://archive.ph/NYWbJ
I guess the incentive is for the hackers to not leak, so they can get away with the next ransom.
This is a good time to point out that when there is a data breach, data is rarely stolen. The real threat and harm is when data that is stolen is used against you.
> You wouldn't "return" data unless it was encrypted or the originals were deleted
The very next line from what you quoted:
> We received digital confirmation of data destruction (shred logs).
Now, color me surprised if they didn't delete it, but I'm guessing this is why they call it "returned", since from their beliefs, the data was deleted after it was "returned".
A good infotech public service project would be to maintain a public list of organizations that have succumbed to ransom demands, so that we can choose to take our business elsewhere. It would also be an act of bravery though in the face of potential liability for libel. I doubt disclaimers would evade much of that.
So you would rather take your business to somewhere that got hacked, didn't pay the ransom, and got customer data leaked?
Yes, particularly if they are transparent about it.
Yeah, sorry. I don't believe you :)
The customer data is already leaked, unless your threat model somehow includes trusting threat actors to keep said data confidential in perpetuity.
ShinyHunters has a vested financial stake in not leaking the customer data. If they did, nobody would ever pay a ransom to them again. I trust ShinyHunters to look out for themselves continuing to get paid.
Sure. Do you trust every member of ShinyHunters to remain a member of ShinyHunters in good standing, and to resist the temptation to exfiltrate the data in the process of exiting ShinyHunters?
I would expect ShinyHunters to understand that traitors pose an existential threat to the group and to take measures to prevent a lone wolf from selling them out easily. That they have existed for 7 years already indicates they are probably not so amateur as to allow any individual member to walk off with data that would compromise their operation.
This is a really silly take. Instructure also had a financial incentive not to get hacked. And yet…
No, it actually doesn't, which is the problem. The market has shown that there are no financial consequences to any company that gets hacked. Instructure could have just as well not paid the ransom, as many companies don't, and continued to be fine. Even if they do pay the ransom, it is likely that it is less than it would have costed them to engineer secure systems, so even if you take paying ransoms as necessary market incentives still steer you to ignoring security.
If you believe the hackers didn’t keep a copy of the data, you’re the target market.
Both of them got hacked so... yes.
Theoretically, if it happened before and the ransom wasn’t paid, there’s both an incentive by the service to improve their security practices and a disincentive on the hackers to target that business.
I wonder if, longer term, we're better off if a company like this were in some way destroyed as a result of getting hacked and paying a bribe.
I think the stakes for getting hacked are far too low, especially at higher levels of management/executive where it's this abstract thing that has concrete time/resource costs.
I've never seen a company blame a data breach as the point where they started going bankrupt.
Customers never migrate on mass after a breach, 7000 underfunded and overworked education institutions are not migrating on mass.
So I feel safe to say there's no lasting impact to a company when a data breach occurs.
This will all be forgotten in a few months.
To be fair, I don't think I've ever seen a company identify the inflection point after bankruptcy, accurately or not.
Probably, but without government regulation to make ruinous fines for allowing your data to be breached, the thought experiment is moot.
I suspected as much as it disappeared from the ShinnyHunters page and it recovered so fast. The main thing I'm interested in knowing was how much was paid. Also I don't really like their statement that the data is safe or destroyed, those promises seem a little questionable with regards to these incidents.
I'm interested in this, too. I found a tweet[1] listing a wallet address for shinyhunters, but there's only a small transaction from last week: https://www.blockonomics.co/#/search?q=bc1q5530apqz86eywm2f8...
[1] https://xcancel.com/search?f=tweets&q=1968412640398430555
How does things like this work in terms of bookkeeping? How do they label the expense? Can a company send huge amounts of money to an unknown crypto account without needing to explain anything to the tax authorities?
It's the insurance company paying the ransom and I assume they tie the payment to the insurance policy they are fulfilling, I don't know what the tax implications would be, I am not in finance or an accountant
“Data recovery”?
Being that this is HN, do we know how they got hacked? Can we learn something about protecting our services?
We’re currently working to identify a robust list of Indicators of Compromise (IOCs) and will make those available to our customers.
https://www.instructure.com/incident_update
It worries me they've only committed to making it available to their customers and not the public.
I read online that it has to do with their "Free-For-Teachers accounts" which I assume is a way for teachers to get access to Canvas services for free when their school doesn't subscribe to it.
I don't know for sure, but I think it probably had to do with some kind of misconfiguration on an Salesforce Experience Cloud site. I have heard that ShinyHunters often exploits this type of service and that it is very easy for companies to forget to set the right permissions to data and they end up throwing a bunch of different data into Salesforce.
This blog post[0] suggests that, based on their changelog after the incident, the hackers may have extracted session tokens using XSS in a support ticket. Then the ransom note was displayed using a custom theme.
[0]: https://cyber.acmucsd.com/canvas (disclosure: I was involved with this org when I was a student)
Surely if they are demanding a ransome they somehow got server access to delete data. Would seem kind of insane to pay a ransome solely for an XSS.
> Has law enforcement been engaged? Yes. We've notified law enforcement, including the FBI, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and international law enforcement partners.
Hmm. I thought all these agencies say NOT to pay a ransom.
Not always. They have been known to give "marked bills" to pay with in the past. A lot can be learned by watching how ransom money moves around (bit coin is very traceable this way). Sometimes paying a ransom is an important part of finding and arresting the guilty.
Engaged != listened to.
I would love to know the amount of ransoms paid by large companies who've been compromised without the public being informed. How much that undisclosed amount impacts inflation and the economy today is not talked about nearly enough, imo.
Everyone's making a lot of good points about game theory and economic motivations, but there is a much more important and self-serving point: when you pay a ransom, hackers come after your shit x10.
Paying a ransom signals 3 things: 1) you are vulnerable to attack 2) you cannot recover from an attack 3) you've got cash
The result is that you get attacked much, much more. You could ask me how I know, but I wouldn't tell you :)
What on earth does "returned the hacked personal data" mean?
I believe attacks like this often include copying data and then deleting it from the victim's servers.
Although of course returning is a weird term in the sense that the attackers will almost certainly keep the data as well.
How is Instructure getting away with paying off the ransomware hackers? Is that still legal in Utah or something?
This happens every day, and there doesn't seem to be anything interesting about this case. It's how most situations are resolved. There are money transmitters that specialize in ransoms. They "do" sanctions checks that are about as good as you suspect they are.
Like other commenters have pointed out, it's literally a business. Most trade on reputation, so there actually is an incentive for them to take their money and abide by their agreements. Otherwise, they would have to start from scratch with a fresh identity and rebuild the rep to command their prices.
Stop funding cyberterrorism.
>the deal means that the hackers have returned the compromised data of some 275 million users across more than 8,800 institutions.
Yea sure, they didn't keep the copy of stolen database. You know, criminals are very trustworthy people.
I've seen half a dozen comments in this thread suggesting that paying hacking ransoms should be illegal, but I strongly disagree, for multiple reasons. I'll just make this a top-level comment rather than picking one to reply to.
(1a) Multiple have suggested that the US made it illegal to pay kidnapping ransoms. This is a misconception. The US adopted a policy that the government itself would not pay ransoms, but explicitly noted this did not apply to the victims. "The U.S. Department of Justice does not intend to add to families’ pain in such cases by suggesting that they could face criminal prosecution."
(1b) Despite this policy, the US pays ransoms anyways. Usually in the form of prisoner swaps, but in 2023 it released $6 billion in frozen Iranian funds in exchange for the release of 5 hostages[1].
(2) The belief that paying ransoms should be illegal is predicated on the belief that criminals will be less likely to commit the crime if there is no money to be made. This may be true for kidnapping, but that does not mean it would be true for hacking. Kidnapping is a high-stakes, high-commitment crime that requires physical presence and exposes the criminal to significant danger. If the criminal anticipates no reward, the risk-reward calculus skews them away from kidnapping. However, hacking is a low-risk crime. Even if the chance of reward is low, the risk is also low, so hackers are unlikely to be deterred from hacking. Many hackers will do it just for fun or to prove that they can. Moreover, hackers can profit in other ways, for example by selling the data on the black market, or by making use of the data themselves as a nation-state or corporate espionage actor. Hacking will undoubtedly continue as long as things can be hacked, regardless of whether ransoms are ilegal.
(3) Making ransoms illegal pushes the burden onto people who have no real ability to do anything about it. When a company fails to pay ransom, it is the customers who suffer. It does not materially affect the company in any way to have customer data leaked. The market has already shown, overwhelmingly, that it will not punish companies that leak user data. That a company pays a ransom to begin with indicates that they don't actually understand the market and/or have some small shred of a conscience. Rather than making it illegal to pay ransoms, I would rather see penalties for having a data breach in the first place, but once a data breach is assured, companies should be paying ransoms to try to mitigate the damage to their customers.
(4) The idea of trying to solve hacking by making it illegal to pay ransoms is ridiculous on its face. As long as systems are insecure, hackers will exist, so the legal emphasis should be on consequences for data security. The collection of PII that is not essential to providing a service to customers should be discouraged, and there should be real consequences for negligent security. There should be an investigative board similar to those for airline crashes and infrastructure collapse, which examines the circumstances in depth and identifies whether the company is at fault for negligent handling of PII.
[1]https://2021-2025.state.gov/briefings/department-press-brief...
The problem is paying ransom to these groups gives teenagers millions of dollars in crypto to spend on more exploits and more insiders.
It is a race to the bottom. The teenagers have effectively unlimited time, millions of dollars and rocket launchers.
If customers suffer when a company doesn’t pay ransom - that’s a good thing.
Those (now former) customers can the be patrons of a competitor that doesn’t let such happen again.
That's just not reality. Not least of which because competitors are exactly the same when it comes to security. Even if they weren't, security isn't something the market can realistically select for because it's not verifiable from a customer's perspective. A customer can clearly see, say, a price difference or feature difference, but cannot see a security difference in any meaningful sense. This is something that needs to be enforced at a regulatory level, there are many problems the free market cannot solve, and in fact market forces actively incentivize neglecting security.
The moral hazard of companies escaping scrutiny of their poor practices while simultaneously subsidizing the behavior that takes advantage of said poor practices at other companies needs to be addressed.
I'm curious about the open source competition (https://github.com/moodle/moodle is my first find, there are likely others) and what they could've made happen with that money if they had received it instead as an investment re: not worrying about future ransomware attacks.
Canvas itself is also open source (https://github.com/instructure/canvas-lms), which was the big appeal of it originally in a world where Blackboard had a stranglehold on the LMS market.
Huh, neat! I had just assumed otherwise because everything else my university uses is nine kinds of proprietary.
Like, they recently tried to sell me to McMillian who then tried to sell me the "submit homework" button for $20. I complained and got exempted from having to submit homework, but that's par for the course in edtech right now.
Got to scroll down to see the update.
(https://www.instructure.com/incident_update#:~:text=STATUS%2...)
Thanks, we've put that in the toptext.
"The deal with the hackers included the return of stolen data and digital evidence that copies had been deleted, Instructure said."
does "yes, I deleted the data" in an email count as digital evidence?
Dumb move. You cannot trust that they won't leak it anyway to make additional profit, since they're not accountable except to their made-up name.
There shouldn't have been a need to give into hackers, even highly successful hackers. If they're not doing air-gapped backups weekly, that's malpractice and hints at a substandard architecture and/or operations. On a short enough full backup schedule all of Canvas's customers should've been able to recover based on their own copies of assignments and test results. And a policy like that should've been in the SLAs.
In an education environment, there shouldn't be a need to trust software like Canvas for anything mission critical. In fact, if there's anything mission critical in a system like canvas it's an artificial need.
IOW Canvas had to have made themselves vulnerable to a ransom demand in the way that they designed their own product.
Backups do nothing to protect your customers from getting extorted to avoid their data being leaked.
What extortable content should schools be creating? And if they are it's crazy that they are trusting it to school SaaS.
Enrollment or courses might not be generally super sensible, but financing/financial data, personal identification like phone numbers and emails, chat logs and such
I mean, something as simple as name + grades is extortable. There are plenty of students who would not want their bad grades to be public information, and who would be upset with their school if the school allowed that to be leaked, or who may personally pay an extortion if contacted directly.
I certainly do think it's crazy that schools are selling out education to SaaSification, but that is normal in the world we live in.
Given they were hacked multiple times, couldn’t they just be targeted again by the same or different group? Why would it stop here?
The same group has a reputation to uphold (i.e., that of 'honourable' criminals), so they just move on to the next target, who will, incidentally, know that they are absolutely true to their word. (This is why paying off ransomware hackers is being made illegal in a number of countries.)
A different group? Certainly. I wouldn't want to be in the shoes of the infosec guys at Canvas right now.
So they hacker group could create an unregistered subsidiary and hack some more?
Sure. In all likelihood ShinyHunters will 'gracefully' point out the weak spots leveraged in the system of the 'customer' upon receiving payment to prevent this happening again next week.
They have a rather strong incentive to keep this a happily-ever-after ending for Instructure and any other target who pays up. It's all taught in Maffia 101.
They could but also why would they?
They can always just hack them again but with a different method this time.
The ransom doesn't bind them from hacking the company multiple times. It just obligates them to destroy the data they collected from this attack.
As a matter of kindness and good business they'll probably wait a few months or a year or so before poking around again but they'll almost certainly continue poking at Instructure's systems.
Data exfil ransom attacks are a business first and foremost. They don't permanently halt or destroy the original infra and their goal is to get a payout for their labor and move on. Maybe the come back around in the future with another, different attack, maybe they don't.
They made their money and made it big in the news as having complied with the ransom payout, no reason to hurt their reputation trying to double dip. Plenty of other soft targets to poke.
If you squint you can think of it as pen-testing done economically right: how much do you really value your data??
NGL that's pretty much what it is.
On the one side you have white hat hackers and pen-testers who you pay a contract or salary to prod your system. If you really piss them off (i.e. by stiffing them of their pay) some might just steal your data and threaten to leak it unless you pay them.
On the other side are black hat hackers who will drive by your system and if they find a way to break in they'll offer to keep your data private for a ransom fee. And maybe if you have some charisma, decent pay, and/or a good repertoire you might recruit them on/convert them into white hats for your org.
Simple economic motivations from the hackers. They've hacked a lot of different companies. [1] If they didn't keep their word then companies would have no incentive to pay, and vice versa when they do keep their word.
[1] - https://en.wikipedia.org/wiki/ShinyHunters
It might make more sense for Shinyhunters to request a reoccuring charge to smooth out their revenue stream. Basically protection money as it was called in the good old days.
This is of course assuming that Instructure continues to be relevant, and that students still believe that college education holds economic or social value.
I think Instructure has made themselves a target. I'm a professor at a college that uses Canvas and I'm going to be making sure I download the gradebook for my classes more often from now on.
What data held by Instructure is so critical it warrants a ransom payment?
Tons of stuff, usernames, first name, last name, email addresses. - Most of this stuff isn't "private" per se, but its also not publicly index-able for a reason.
Conversations between students, conversations between teachers and other students/staff or teachers. Course content, etc.
Michael Jackson paid the ransom and look what happened to him.
Problem with blackmail is that you never know if they made copies. Unless this is a well elaborated sting operation.
It would be amusing to discover it turned out that the hackers were 14 year old teenagers, bored with school.
The defendant, who calls himself “zero cool”, has repeatedly committed criminal acts of a malicious nature.