Rendered at 05:54:50 GMT+0000 (Coordinated Universal Time) with Cloudflare Workers.
jawiggins 11 hours ago [-]
Years ago I attended a conference that had a "fireside chat" with a DoJ official on the topic of these types of ransom payments.
He framed the issue as being similar to kidnapping ransoms: When an American is taken hostage each family is inclined to make payment but it fosters an industry around kidnapping Americans. Congress put a stop to it by making it illegal to pay the kidnappers. The industry shifted by ceasing the non-profitable American kidnapping and instead began targeting Europeans.
His proposal was to begin warning cybersecurity consultants and insurers who were often brought into these situations that payments to sanctioned countries were already likely illegal and could face scrutiny. The first people to suffer this might be burned, but eventually he believed the industry would move on and stop targeting US firms.
Not sure if anything ever came of his plans, but I always thought it was an interesting framing of the issue.
bijowo1676 11 hours ago [-]
This is the way to go.
Instead of paying ransom, and creating a ransomware criminal industry out of thin air, its better to force companies to recover and restore from backups and remove monetary incentive for crime.
and the executives who failed to carry regular backups obviously should face the music
jstan65536 6 hours ago [-]
Backups were not Instructure’s problem. Hackers using the threat of exposing private information to extort Instructure’s customers was the problem.
bijowo1676 6 hours ago [-]
Equifax and other companies routinely leak customers PII and financial information.
the only outcome I got from their incidents is 1 year free "identity protection service" which I didnt use.
Should be a lesson for Instructure to have proper architecture and do not store PII they dont need in their processes.
Eufrat 4 hours ago [-]
Our PII is leaked all the time. I am fed up with various businesses sending me a free credit monitoring subscription in lieu of actually having proper security controls or damages that incentivize viewing the issue as a serious going concern risk.
Leaks are inevitable, but the current situation is absurd. The liabilities and incentives to do anything about them are virtually nonexistent and security is almost always viewed as a cost.
BobbyTables2 2 hours ago [-]
Was it really a problem? Yes, voluntary release of that info by a school would normally likely be a FERPA violation, but this was a criminal act against a third party.
Infrastructure’s motivations must have lain elsewhere…
erikerikson 2 hours ago [-]
Does that really shield the schools? HIPAA wouldn't care.
bijowo1676 1 hours ago [-]
educational LMS should not store real patient health data, so thats the problem of whoever designed that system.
erikerikson 50 minutes ago [-]
The question was whether the same transitive responsibility applies to FERPA, not whether HIPAA data is involved.
axus 7 hours ago [-]
The criminals have better marketing than the disaster recovery vendors.
_vOv_ 7 hours ago [-]
If they can restore from backups, then there’s no need to pay the ransom in the first place… Ransomware is designed to silently corrupt your backups.
varispeed 10 hours ago [-]
Wouldn't that incentivise companies manufacturing media and backup facilities to finance ransomware operators?
JumpCrisscross 9 hours ago [-]
> Wouldn't that incentivise companies manufacturing media and backup facilities to finance ransomware operators?
No, for the same reason fence manufacturers aren't financing burglers.
bluGill 9 hours ago [-]
There is enough competition that if word gets out you can move to someone honest. At this size you can't keep a secret.
hughes 9 hours ago [-]
It may be that the ideal number of ransomware operators is non-zero
HDBaseT 8 hours ago [-]
Who would of thought paying teenagers millions of dollars in crypto was a good idea?
They'll just use it on more exploits, more nonsense. It's a race to the bottom.
Sister group, Lapsus$ (parent group ShinyHunters) has published on their website they will pay for inside access to company networks. The group says they don't want data, they just want an avenue.
This is what happens when we keep paying these criminals millions in hard-to-trace crypto.
I do find it all a bit funny though.
bawolff 7 hours ago [-]
I suppose it also puts a price on not funding your security department.
7 hours ago [-]
rsstack 11 hours ago [-]
How is it not a violation of AML laws to pay a ransom like this? Surely they didn't verify that the recipient (a criminal) isn't sanctioned or associated with sanctioned organizations.
cornholio 10 hours ago [-]
Money laundering is the action of obfuscating the origin of criminal proceeds; victims or clients of criminals do not generally commit money laundering, for example buying drugs is not a form of AML violation regardless of the legality of the purchase itself or the fact that the funds will later be laundered by the traffickers.
KYC is a tool to prevent money laundry and it's typically an obligation of financial institutions. Sending money to an anonymous (to you) recipient is generally not a KYC violation if you are not in the money transmitting business and you aren't doing the payment on behalf of someone else.
There are infinite shades of gray in this topic, of course, but I can't see AML being relevant in this particular case.
dataflow 5 hours ago [-]
I think they mixed up sanctions (and any similar laws w.r.t. legal recipients) with AML laws. The legality of paying sanctioned entities doesn't depend on whether the money was laundered, but they were interested in how people get around the former.
rsstack 10 hours ago [-]
Thank you! That's basically what I was asking.
hattmall 10 hours ago [-]
How exactly would this fall into the purview of AML? As far as sanctions go the burden of proof would be on the government to prove the money went to a sanctioned entity and Instructure isn't a bank subject to KYC requirements.
rsstack 10 hours ago [-]
All my corporate AML training says that not performing some KYC for large payments, directly or through a bank, is a crime in its own even if the recipient isn't sanctioned.
From Claude, maybe it's a little nuanced compared to conservative corporate policies, but doesn't feel very legal: "You can be charged with money laundering (18 USC 1956/1957 in the US, equivalents elsewhere) if you knowingly — or with willful blindness — process proceeds of crime. "I didn't ask" is not a defense if the circumstances were suspicious; deliberately avoiding KYC to preserve deniability is exactly what willful blindness doctrine targets. The recipient doesn't need to be formally sanctioned; the funds just need to be tainted."
jawiggins 10 hours ago [-]
Even if it already is, the DoJ can exercise discretion in choosing who to prosecute. There has to be political will to threaten an org who has just suffered from an attack with further consequences if they make a payment.
spondyl 9 hours ago [-]
Probably not too relevant but off the top of my head, the New Zealand Government's guidance on ransomware payments is that you could technically be fined if you pay a ransom to an entity in a sanctioned country, although it doesn't go into specifics
BobbyTables2 2 hours ago [-]
I’ve been wondering this too.
Extortion and terrorism seem similar in many ways except the latter involves physical harm.
I’d asssume a company paying money to terrorists shouldn’t be acceptable.
It also seems especially egregious to pay ransom as a “solution” to the failings that made the attack both possible and consequential in the first place.
Might as well use a bank whose safe deposit boxes are made of cardboard… They can just bribe the thieves to give some things back.
protocolture 2 hours ago [-]
>It also seems especially egregious to pay ransom as a “solution” to the failings that made the attack both possible and consequential in the first place.
You are paying an extra fee for not testing your own software and infrastructure. It was instead tested by a third party. Be glad it wasn't tested by a nation state actor or someone who wanted to do more harm to your customers than just asking for money.
Ideally they should now secure their infrastructure and take this as a gentle reminder that they should spend more on security.
>Might as well use a bank whose safe deposit boxes are made of cardboard… They can just bribe the thieves to give some things back.
You would hope they would then upgrade the cardboard.
erikerikson 2 hours ago [-]
When you frame it like that it sounds like the thieves are doing us a favor. Except it should be heavily fined and jailable for the entire executive team and maybe the board too.
protocolture 1 hours ago [-]
The thieves are doing us a favor.
And yes, the companies executive should be jailed.
erikerikson 1 hours ago [-]
Except those payments are being passed through, are they not?
protocolture 53 minutes ago [-]
Passed through where and how?
erikerikson 49 minutes ago [-]
Canvas to schools to tax payers
protocolture 16 minutes ago [-]
Ah yep, well they might pass on as much of the cost as they can to their customers, but it still costs them in lost customers/prestige etc.
nullocator 8 hours ago [-]
Is it illegal to pay kidnappers in the united states? I've never heard of this and I can't seem to find anything that says any such law has actually been passed.
kenjackson 8 hours ago [-]
It's technically not illegal, but often is. You can't pay terrorist organizations or specially sanctioned orgs. See https://sanctionssearch.ofac.treas.gov
Probably should consult an attorney before paying a ransom (whether for kidnapping or other purposes).
protocolture 4 hours ago [-]
The issue is that anything a hacker can do publicly a state actor can do silently.
Its a boon to both the company and the country when a hacker makes a big public deal out of it. Because they get the chance to repair something before its intentional damaging misuse by a hostile state actor.
The hackers here deserve every cent plus possibly more.
And theres always the problem that the hackers would still get paid, they just wont report the payments making tracking difficult.
nathanmills 11 hours ago [-]
Thank goodness that no kidnapping of an American has ever happened since.
Geof25 11 hours ago [-]
It is illegal to commit a crime. So no crimes will be committed. Duh.
eviks 11 hours ago [-]
That's the magic of Laws!
JumpCrisscross 10 hours ago [-]
Hmm, there was once fraud so I guess we should repeal any prohibitions on fraud, huh? Same for murder.
nathanmills 9 hours ago [-]
Calm down, extremist. There's a difference between someone doing something vs someone paying someone else to stop doing something. If the latter were truly bad then the same should be applied to people handing over their wallet to muggers. The only difference in that scenario and the above is saving yourself vs saving a family member. Would you really deny people the ability to save their loved ones?
JumpCrisscross 9 hours ago [-]
> then the same should be applied to people handing over their wallet to muggers
Not really. Muggings are both more common and less traumatic than kidnappings. This is reflected in the fact that common and maximum sentences for kidnappings are universally more extreme than those for muggings.
> Would you really deny people the ability to save their loved ones?
...yes. Because it means significantly fewer kidnappings. "Deny people the ability to save their loved ones" is tantamount to "help others to lose their own."
nathanmills 9 hours ago [-]
And where does ransomware fall on that trauma scale? The maximum sentence is less than mugging after all..
JumpCrisscross 8 hours ago [-]
> does ransomware fall on that trauma scale?
Idk. That’s a step (sentencing guidelines) after we decide it should be criminalized.
> The maximum sentence is less than mugging after all..
They’re in the same ballpark, 2 to 6 years or so.
nathanmills 8 hours ago [-]
> That’s a step (sentencing guidelines) after we decide it should be criminalized.
You decide it should be criminalized before you identify any harms?
> They’re in the same ballpark, 2 to 6 years or so.
You can just look it up. Maximum sentence for mugging is 30 years, ransomware is 20.
JumpCrisscross 8 hours ago [-]
> You decide it should be criminalized before you identify any harms?
No. We have a measure of the harms. We haven’t balanced them for sentencing. Again, deciding something should be illegal doesn’t require obsessing over the sentence ex ante.
> Maximum sentence for mugging is 30 years
Not the norm, either for maximums [1] or usual sentences.
Isn't there still incentive because the data itself is valuable so attacks would continue?
jawiggins 10 hours ago [-]
Maybe, but it’s harder to profit from it. A firm may be reputationally damaged, but what’s the incentive to cause that damage?
I think the Bloomberg Odd Lots guy wrote a blog post on this: you could attempt to short the stock but a) this leaves a paper trail b) the market might not know about the breach or believe you if you post you’ve done it. IIRC some hackers have tried to tell companies that they are legally required to disclose the breach to their shareholders to force market movements.
bawolff 7 hours ago [-]
If there was a way to profit from the data that was more than the ransom, wouldn't they just do that instead of asking for a ransome.
Or do both i suppose, just because someone pays a ransome there is no garuntee the hacker destroys the data.
bluGill 9 hours ago [-]
How much value is in the data. It is embarrassing if some kid gets a D in class, and shouldn't be public - but most of the people who care already know or have ways to find out.
rafram 10 hours ago [-]
Not sure sanctions are a relevant reason not to pay here. We don’t know where everyone involved with ShinyHunters is located, but those arrested in the past have been American and French.
bluGill 9 hours ago [-]
Americans and French (and most other "first world") countries will investigate and arrest anyone involved. It doesn't matter if foreigners are the only victim, most countries do not want their citizens involved with this and will send anyone caught to whatever country was affects for criminal prosecution.
Russia, and North Korea are the main names that come up as exceptions, they will protect their own people.
gustavus 10 hours ago [-]
Not that I disagree but it also incentives attackers to steal and resell data to other nefarious actors.
After all a lot of the data companies have isn't their own, it's their customers. They are the ones who suffer because businesses don't bother securing their crap.
aaron695 6 hours ago [-]
[dead]
john_strinlai 13 hours ago [-]
on one hand, every ransom paid encourages like-minded individuals to start or ramp up their ransomware game , which is not great.
on the other hand, the ransomware groups that want to stay in business need to be honest (with respect to not releasing/deleting data) or they wont be 'credible' ransomware operators, which is kind of funny to think about. and in many cases, the victims would rather the ransomware operator be paid (so their data is not leaked) vs. having their data leaked. so paying is the best for current victims (but increases the potential for future victims).
the dynamics/economics around ransomware is fascinating.
cortesoft 12 hours ago [-]
This is always the game theory of ransoms, and it is a classic example of a collective action problem (and is a form of a prisoner's dilemma).
Each individual company is probably better off paying the ransom, but everyone would be better off if no one paid a ransom.
This is why the United States, for example, has an official no-ransom policy, and why other no-ransom policies exist. You have to have something forcing the individual victim to not pay, otherwise they will always be incentivized to pay and ransoms will continue to be profitable.
> Each individual company is probably better off paying the ransom, but everyone would be better off if no one paid a ransom.
You're then a target known to be vulnerable and pay ransoms, so best focus on security.
sgc 12 hours ago [-]
If you have to pay, at least try to negotiate 1) a guarantee that the hackers won't just do it again sometime later, and 2) full disclosure / assistance in repairing your vulnerabilities so you have some kind of head start for the future. Outside of politically motivated hackers, this would probably be reasonably successful.
LgWoodenBadger 11 hours ago [-]
What possible type of guarantee could one ever hope to "negotiate" with someone who has just successfully blackmailed/ransomed/extorted?
kelnos 8 hours ago [-]
If the ransomware operator believes that breaking their word might make it harder to get money out of future victims, they'll keep their word.
They might not believe that, but if you're at the point where you're paying anyway, you might as well try to get that commitment from them.
sgc 10 hours ago [-]
We are in the context of already having to pay. You are at their mercy no matter what, so the only value of any interaction with them is based on hoping they have incentive to maintain their promises to protect their reputation etc.
It's not a good situation to be in, but still, try to make the best of it.
Symbiote 12 hours ago [-]
Other hacking groups now know Instructure pays up.
janalsncm 12 hours ago [-]
There’s a similar dynamic from within the hacker group itself. For the ransom group, it is better for them to be perceived as trustworthy. Pay the ransom and we won’t leak your data.
For any individual within the ransom group, they can get a big payout by selling the data.
SoftTalker 12 hours ago [-]
Depends on what they actually got. Names and email addresses? Considered public and are not so valuable. Universities usually publish those in a directory anyway.
Messages between students and instructors? Likely pretty boring, but possibly embarassing or confidential for a given individual.
Grades? Could be a FERPA violation.
Critical PII such as SSNs? Probably not in the LMS to begin with.
browsingonly 12 hours ago [-]
SSNs have been used as student IDs by particularly stupid educational institutions. The 'nice' thing about getting SSNs from students is the likelihood they'll live for a long time after the breach and thus be subject to identity theft for many years to come.
kelnos 8 hours ago [-]
My university stopped putting SSNs on student IDs more than 25 years ago. I'd be surprised if there are many who still do that.
Though I wouldn't be surprised if some 40 year old university IT system requires its use as an identifier, regardless of whether or not it gets printed anywhere.
SoftTalker 12 hours ago [-]
This was common years (decades, really) ago but I'd be surprised if any university today was still doing that. I guess there could still be some....
saghm 11 hours ago [-]
I have trouble imagining that a ransomware group would care about a regulation like FERPA when they've already done something criminal that would more than enough for prosecution if they got caught.
bluGill 9 hours ago [-]
Those laws reduce the value though - "honest" people who are interested in such data won't be interested it from ransomware because they need to have legally obtained data. That is there are a lot of "honest but shady" uses of this data that are stopped by these laws.
SoftTalker 10 hours ago [-]
I didn't mean that the ransomware group would care... but if they got grades, that might command a higher ransom than if they just had names and emails and other non-very-sensitive stuff.
Mezzie 11 hours ago [-]
I just spoke with a K-12 teacher I know, and she confirmed SSNs in the Canvas instance.
Yikes.
saghm 11 hours ago [-]
Wow. A lot of K-12 students probably don't even know their own SSN off the top of their head, much less understand the impact of having it stored in this way. I can't fathom why it would be necessary for the SSN to be tracked by the school. At most, the school district as a whole might want a record so they could make sure kids are getting schooled but putting that into Canvas doesn't make any sense to me.
SoftTalker 11 hours ago [-]
Agreed, seems wild to me that anyone in 2026 is using SSN as an identifier in a system that's not doing some kind of tax reporting. It's kryptonite for any other purpose.
Mezzie 11 hours ago [-]
Oh, it's insane and I recoiled when she mentioned that.
But it is 100% happening.
People do amazingly stupid things with systems, especially when they don't have enough people with the expertise to set them up properly, so they just throw things in there without stopping to think about whether or not it's a good idea.
SoftTalker 10 hours ago [-]
So, a particular school system decided to add SSN to the student profile? Or Canvas requires it?
saghm 6 hours ago [-]
I'm guessing that Canvas just sort of lets you put in whatever data you want, and someone evidently decided that putting the student's SSNs in there made sense...
Mezzie 9 hours ago [-]
It's not required. I don't know precisely what her district is doing or why - I don't work there But she unprompted brought up that a lot of the minors' PII was in there including SSNs.
SoftTalker 9 hours ago [-]
It would be nice if system owners stopped thinking "we'll just ask for all the info in case we need it" and instead "we might get sued (or ransomed, or both) because we are collecting this."
zwily 6 hours ago [-]
That is a big yikes, but definitely not the norm. Most school districts switched from using SSN as their SIS identifier decades ago.
LastTrain 10 hours ago [-]
They already have your SSN, as does anyone else who wants it.
Mezzie 9 hours ago [-]
True. It's more yikes about what this says about the technical knowledge in that school.
MagicMoonlight 12 hours ago [-]
I don’t know if that’s really true. Nobody would really give a shit if you leaked where everyone goes to college… because it’s already on their LinkedIn or whatever.
The only people it’s valuable for is the ransomee, because they don’t want the reputational hit of having their data everywhere.
HDBaseT 6 hours ago [-]
It really isn't as simple as that.
You are leaking email addresses that likely otherwise wouldn't be out there publicly. Whilst email addresses and names are "effectively" public, they aren't just in a one big database anyone on the planet can access.
Every single one of those email addresses will receive increased spam and phishing attempts, with more isolated information (such as School, First+Last Name, Subjects, Teachers/Lecturers, etc) the phishing attempts can be more refined.
i.e, Student receives an email that looks like its from their school (has email footer, has student name, has relevant teacher name, subject name, etc), the user is now more likely to click some sketchy link.
These little identifiers add up, especially when cross-references with other leaks. Even more problematic when most of the users wrapped up in a leak like this are under 18 too.
A lot of this stuff could be done previously, although the effort and scale to do so would of been higher/harder.
bradyd 11 hours ago [-]
> For the ransom group, it is better for them to be perceived as trustworthy.
They've already proved themselves to be untrustworthy simply by ransoming you in the first place.
Ancapistani 11 hours ago [-]
No, they're proven themselves to be malicious. That's not the same thing at all.
bombcar 12 hours ago [-]
You can also have the "excessive force" doctrine, where holding someone or something for ransom results in your entire country being a smoldering crater.
But just like fail2ban, this gives someone else decision-making control over your actions, which can be abused.
ergocoder 4 hours ago [-]
Why don't someone pretend to be ransom hacker, take the money, and release the hacked data anyway?
This will progress the game theory to the point where nobody will pay ransom because the thieves won't honor the deals anyway.
protocolture 4 hours ago [-]
>but everyone would be better off if no one paid a ransom.
I doubt if everyone would be better off if state level actors found and used these vulnerabilities instead of ransom seekers.
BennyH26 12 hours ago [-]
And that’s exactly why the incidence of kidnapping plummeted in Italy once ransom payments were made illegal
latexr 11 hours ago [-]
How does that work? I.e. say a kidnapping occurs and the ransom is paid. What kind of trouble does the paying party get into? A fine? Jail?
jasonfarnon 6 hours ago [-]
A fine or sentence is probably on the books but it never comes to that. The main thing is to freeze the family's assets, and more importantly to publicize this procedure so the mafia or whoever knows there's no point in threatening the family.
bluGill 9 hours ago [-]
So long as the potential payer knows they will get something they are going to slow down. They might pay, but suddenly becomes harder because they have to hide what they are doing. Many won't figure out how to pay.
The real value though is enough people consider themselves honest and won't do anything they know is illegal. They already hate dealing with criminals, but so long as paying is legal they might do it, but as soon as it affects their moral code they won't. The whole system collapses because just a few people saying no to paying means the kidnappers lose money on too many operations.
Hizonner 12 hours ago [-]
... except that "policies" don't cut it. Criminal penalties for paying are what you need, and not just for payments to specific designated entities, either. The executive making the decision to pay has to have a real fear of personally spending time in actual prison.
gnopgnip 12 hours ago [-]
US law has criminal penalties for paying a ransom to a designated criminal terrorist organization or under treasury sanctions.
esseph 12 hours ago [-]
Most hacking groups don't fall under that. Some, sure.
cortesoft 10 hours ago [-]
A criminal penalty is a form of policy
Hizonner 4 hours ago [-]
... but not the form of policy they actually have.
Except for payments to specifically sanctioned organizations, the policy is "we'd really rather you didn't do that, but whatever".
The specific sanctions don't cover most of the groups, either, and even when they do cover the group who got paid, you can't necessarily prove the people who got paid were the ones on the list. And there may be a scienter requirement even then; I don't know.
Making a list of specific criminals you can't pay is just stupid. No ransoms, ever, period, or it's da slammah.
mlyle 10 hours ago [-]
There's one more piece that matters.
If no one pays the ransoms, but people believe that large ransoms are paid-- you still have the crime.
Ancapistani 9 hours ago [-]
The obverse is true - because a ransom organization is dependent upon their reputation, a company claiming to have paid and received confirmation from the group could prevent them from releasing it as well.
The general public (including the next victims) don't have a way to confirm if payment was made. ShinyHunters would have to choose between arguing publicly that they were not paid or not releasing the data to protect their own reputation...
mlyle 9 hours ago [-]
Good/funny observation. Game theory and economics are fun. :D
I do think that the partial information problem relating to new entrants into this market is interesting though.
The number of potential threat actors with partial/no information but that might speculate based on grandiose visions of ransom or outdated history is high.
We see dumb attempts at real-world ransoms/extortion which don't get paid at a pretty high clip based on this kind of partial knowledge.
HDBaseT 6 hours ago [-]
It's an interesting idea, although I think in the heat of the moment, the last thing your org should be thinking of will be playing games with one of the most prolific hacker groups on the planet.
You'll probably get your data leaked anyways, potentially get compromised again (see Instructure situation) and end up in a way worse place if you just shut up and paid it, or let it leak normally.
kjkjadksj 12 hours ago [-]
While the us stance has resulted in savings on potential ransom, it has also lead to people being kept in prison for very long time until prisoner exchanges might be worked out. That cost to an individuals life being imprisoned is probably far in excess whatever the US might pay. Plus the US prints its own monopoly money and doesn’t really play by the rules of economics anyhow ever since getting off gold standard.
cortesoft 10 hours ago [-]
This is literally the exact point I am making, and the US policy isn’t about saving money.
Like you said (and like I said in my post), for an individual kidnap victim, the best option would be to pay the ransom. It is better to pay the money and be free.
However, that means a kidnap group now has more money, which will make them better able to kidnap another victim and demand more money.
The point of a “no ransom” policy is that it takes the choice away from the individual, who would choose to pay it, and changes the game theory to make kidnapping not worth it.
The whole reason you need a policy at all is BECAUSE it is better for the person to pay the ransom.
appreciatorBus 12 hours ago [-]
That ransoms today are denominated in USD and that the US might be printing too many USD has nothing to do with whether or not ransoms should be paid.
The day the USD falls, ransoms will simply be denominated in something else and the same underlying collective action problem will remain.
This is just way of avoiding the core issue by blaming something unrelated that you don't like.
A: U should clean your room, it would be better for you & the rest of your family
B: FU dad, everyone knows there's no such thing as a clean room under capitalism!!!!!
WillPostForFood 12 hours ago [-]
Cash is not the real cost; the cost is by agreeing to continue printing ransom money, you cause more individuals to be kidnapped.
AlotOfReading 12 hours ago [-]
I'm not sure that attacker reputation is particularly meaningful. The group can rebrand into a new identity at any time. They're anonymous cybercriminals after all and there are lots of reasons they might need to do that beyond reputation laundering.
The calculus for the victims doesn't seem to change much whether the same people are using a "new" name or an old one to hold their systems hostage.
applfanboysbgon 12 hours ago [-]
> I'm not sure that attacker reputation is particularly meaningful. The group can rebrand into a new identity at any time. They're anonymous cybercriminals after all and there are lots of reasons they might need to do that beyond reputation laundering.
It is very meaningful. You seem to equate that "new" = "trust by default", but a new group is distrusted by default. Let's say that for a new group which is unproven to hold up their end of the deal, only 5% of victims will pay the ransom. But if you've built up a reputation over 5 years of honoring your ransoms, then maybe 50% of your victims will pay the ransom. Reputation is literally everything here. I doubt Instructure would have paid such a high-profile ransom if they didn't have a strong reason to believe it would work.
Ancapistani 11 hours ago [-]
Agreed.
This is the same problem that crypto addresses in an unregulated market - it provides attestation and continuity, but not much else.
New actors are untrusted. Trust must be built through small transactions until someone trusts you enough for larger transactions. Survive long enough without major reputational harm and you can even offer to act as an escrow service for parties with less trust.
Freak_NL 12 hours ago [-]
The name ShinyHunters is currently quite well-known due to a number of high-profile hacks (Odido in the Netherlands this year was huge). Their brand has a significant value right now.
jasonfarnon 6 hours ago [-]
How does everyone know its ShinyHunters and not someone pretending? I imagine they have some mechanism to authenticate, I'm curious what it is.
HDBaseT 6 hours ago [-]
Because ShinyHunters published they hacked Canvas on their own website.
They also redirected the canvas login pages to a ShinyHunters message, whilst this could be done by another group/person, its unlikely.
You can also validate PGP keys and TOX accounts, etc via their website.
jasonfarnon 28 minutes ago [-]
OK, I didn't realize they had a stable website all this time. I guess it's all out there in the open with these groups.
onemoresoop 12 hours ago [-]
Yeah but fewer ransomes would be paid out regardless of who is attacking. They could be spoiling their own market and am sure they would
AlotOfReading 12 hours ago [-]
That's a motivation to avoid tragedy of the commons, not because they're trying to maintain their own reputation to victims. It benefits the criminals even if they change their name.
esseph 12 hours ago [-]
>
I'm not sure that attacker reputation is particularly meaningful. The group can rebrand into a new identity at any time.
Reputation is everything in a collective.
bombcar 12 hours ago [-]
If we assume a world where ransomware is continually existent and all your data is ransomed at anytime, we'd have a world designed to work around that.
We'd either end up with a Discworld "Ransomware Guild" that you pay "insurance" to and they murdicate anyone who dares do extracurricular data ransoming, or you'd have systems build on end-to-end encryption where the data is worthless.
zbentley 11 hours ago [-]
I think you may have re-invented email reputation.
arjie 12 hours ago [-]
An idea I idly thought about is that of a "Benevolent Terrorist"[0]: one who does great harm to some number of people so that they may make it to a better world. Not entirely original, I suppose, since the Kwisatz Haderach from Dune is the trope definer. But a fun thought I had was what if you ran a ransomware company that just didn't pay? You'd screw a lot of people over but eventually you'd make ransomware a non-business the better you impersonated them and failed to deliver after taking the ransom.
What stops a ransomware group copying all data and just selling it piecemeal on the darknet under posibly a different name?
Realistically, the only people that could check that it's true are buyers, and those benefit from keeping a low profile
nradov 6 hours ago [-]
Paying a ransom should always be illegal with federal criminal charges for the employees who authorize the payment. If businesses are destroyed or people die as a consequence then those are acceptable casualties.
ashleyn 12 hours ago [-]
Another way to view this calculation: if you keep your infrastructure secure and up to date, you (very likely) don't have to pay any ransom in the first place.
joseda-hg 12 hours ago [-]
There is a line where the ransom price beats the capex of keeping a secure system, specially when the risk so nebulous
Kind of like the recall math auto makers do to see if it's more expensive to actually recall a manufacturing problem, or just deal with it and compensate those who seek it personally
LastTrain 10 hours ago [-]
That operates on the idea that hacker organizations use long term strategic thinking, something the US government and a good number of corporations don’t even practice. I wouldn’t put my money on that.
john_strinlai 10 hours ago [-]
while i am not about to bet the farm on the long-term strategic thinking ability of extortion groups, they are much smaller than most corporations and the US government, thus its much easier to think strategically and execute on longer-term goals.
shinyhunters, for example, has been active and acted as a cohesive unit for the past 7 years.
esaym 12 hours ago [-]
> on the other hand, the ransomware groups that want to stay in business need to be honest
I was thinking about that the other day. Honestly I'm not sure it matters. I feel like if a company didn't pay the ransom that would possibly open them up to lawsuits or something because they "tried nothing". At least paying it makes it look like they did something and could be some sort of legal defense. But again I'm not a lawyer.
barkingcat 10 hours ago [-]
one issue is that modern ransomeware groups are also being hunted themselves - there are many ransomeware orgs that are themselves being ransomed so are not reliable.
even if you pay the ransom to the 1st group, the 2nd group will leak.
patrickthebold 12 hours ago [-]
So, maybe we could consider a "White Hat" ransomware group that takes the money and also leaks the data, so that long term no one bothers to pay which ultimately disincentivizes ransomware attacks?
esseph 12 hours ago [-]
White hats that take money are not white hats, those are grey hats.
LOL that's some super heavy duty optics framing on what basically amounts to "we paid out a ransom but don't worry the bad guys assured us things were okay"
aetch 12 hours ago [-]
They said “received digital confirmation of data destruction (shred logs)” - is this supposed to fool users into thinking the hackers didn’t keep any of the data?
linksnapzz 10 hours ago [-]
The criminals did not share the logs of them making a copy of the data before shredding it; so obviously that didn't happen.
I thought it was illegal to pay ransom to hackers. I guess it is legal or maybe it isn't very clear? I thought that there were certain conditions that the company had to check together with law enforcement so that at least the ransom money doesn't go to a hacker group that is on a government payments sanctions list.
Also, does anyone know the root cause of the attack? I read a rumor online (but it's not really confirmed anywhere) that it may have had to do with the common pattern of ShinyHunters where they use a vulnerability in a Salesforce Experience Cloud site. What is confirmed for sure is that the vulnterability involved the feature of Canvas called "Free-For-Teacher accounts".
JohnMakin 12 hours ago [-]
Not only is it not illegal, there are insurance policies set up to take care of this very scenario. It's almost always handled by a third party, not the company themselves, that would deal with any such concerns.
dylan604 12 hours ago [-]
It is illegal to pay terrorists. As bad and annoying as hackers are, I'm not familiar with any government recognizing any hacking group as a terrorist group. If they did, would they be able to send in SEAL Team 6 to handle the hackers?
Scoundreller 12 hours ago [-]
> As bad and annoying as hackers are, I'm not familiar with any government recognizing any hacking group as a terrorist group.
If you’re sending a large sum of money to $anonymoushacker, how do you ensure they’re not on some OFAC list? Or do your AML checks? Or make sure you’re not on the wrong side of Foreign Corrupt Practices act? The third party probably turns a blind eye to that cuz there’s no way of really checking.
abigail95 10 hours ago [-]
the people who do "AML checks" are the ones processing the transaction.
i don't do that every time i want to send money. private individuals don't just "run checks" - it would make commerce untenable and possibly unconstitutional.
say you get a passport, an address, a photo, a signature, a phone call - how do you verify any of this is real?
zbentley 11 hours ago [-]
Cryptocurrency mitigates most of those concerns. That's why the flourishing of crypto payment systems has been an unalloyed blessing for cybercriminals.
bluGill 9 hours ago [-]
No it does not. It makes some things harder and some things easier. The public ledger means you can track where then money flowed - you might not know who had it but you know how it flows which is interesting. I don't know if it has happened, but I've heard of proposals to make any bitcoin the traces to some transaction illegal to have, and that means nobody who might get caught will have anything to do with those.
Scoundreller 10 hours ago [-]
It can at a technical level but not at a legal level.
Your BigCo accounting department is not going to be very understanding about acquiring cryptocurrency to send to ??? for a ransom.
dylan604 9 hours ago [-]
Isn't this why in other comments people have said that companies use third parties to pay the ransom rather than paying directly?
Scoundreller 8 hours ago [-]
That’s my theory too. Setting up payments to a new vendor is hard enough even for the most legitimate.
An org’s Net30 terms aren’t going to work here…
wil421 12 hours ago [-]
If they were in Iran a drone would’ve paid a visit, based on current events. Most of them are in Russia or former Eastern Bloc like Belarus. USA and the west doesn’t want a direct conflict so the drones never pay them a visit.
Instead, they trick the hackers into going on a vacation in a country that will let them grab them.
amarant 12 hours ago [-]
A large percentage of hacking groups are state sponsored Russians. That seal response would be starting WW3 over some pii.
Protecting pii is important, but it's not that important
dylan604 12 hours ago [-]
we started the pretext to WW3 over someone wanting to move the focus of attention, so it's really not that much of a stretch.
amarant 10 hours ago [-]
Aye, I meant more in the sense of "it would be a bad idea", than "that's definitely not going to happen".
Predictions are hard, especially about the future!
altcognito 11 hours ago [-]
Man, I don’t remember Putin wanting to move the focus of attention that bad.
MagicMoonlight 12 hours ago [-]
Iran, Russia and North Korea are the biggest sources of ransomware.
fragmede 12 hours ago [-]
The cyber terrorist groups North Korean Lazarus Group and Russian groups like APT28 (Fancy Bear) are on the US SDN list, among others.
peyton 12 hours ago [-]
Search “cyber jihad” and “cyber islamic state” if you’re curious for answers.
calpaterson 12 hours ago [-]
It often is illegal to pay them. They are often on sanctions lists, or indeed in embargoed countries. And it's just generally not allowed to pay unidentifiable parties for basic anti-money laundering reasons. And a lot of countries are bringing in new legislation to make paying illegal, starting with public sector organisations. I'm sure that will only expand.
Frankly, you pay a ransom at your peril. If it turns out it was North Korea you may well go to jail for it.
JohnMakin 11 hours ago [-]
I don't know where you are getting your information from. For one, it's very often unknown, by virtue of how these groups operate, where they are from or who they are affiliated with in the first place. For two, as I stated, it is such common practice to pay ransoms that there are insurance policies specifically for doing so, it's very common to purchase these as part of a SOP of a company's security policy. A business is required, often by the board/shareholders, to maintain business continuity, which is why these exist.
For three, by the FBI's own source, they don't mention anything about it being illegal, they merely advise against doing so[0] -
> The FBI does not support paying a ransom in response to a ransomware attack. Paying a ransom doesn’t guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity. If you are a victim of ransomware, contact your local FBI field office or file a report at ic3.gov.
I am not saying I support paying ransoms, or take any position here, I am just saying quite factually it is an extremely common practice to pay these, often via third parties that take care of any potential legality issues (which I am not aware of being super common at all, and if you are being targeted by a nation state on a sanctions list, you probably are well aware and have your own legal team/police liasons to deal with any such issues). Most ransomware attacks come from small, unknown groups.
If the bad guys get paid and release the info anyway, they not only make it less likely they'll get paid in the future, they make it less likely anyone will get paid in the future.
Even other bad guys have an incentive to stop these bad guys from leaking the info after getting paid.
kjkjadksj 12 hours ago [-]
Why not wait a week and take the site down and ransom them again?
stavros 12 hours ago [-]
Because why would anyone pay anyone if they were going to do what they threatened you with anyway?
pmarreck 15 minutes ago [-]
Dumb move. You cannot trust that they won't leak it anyway to make additional profit, since they're not accountable except to their made-up name.
terminalbraid 12 hours ago [-]
> We received digital confirmation of data destruction (shred logs).
This is shockingly naive
j-bos 10 hours ago [-]
I imagine they are not naive, they're counting on their clients being naive.
omoikane 5 hours ago [-]
Hackers have an incentive to destroy the data as promised, because if it becomes a trend where the data is leaked despite the ransom being paid, no one would pay ransoms in the future.
Obviously this doesn't stop hackers from selling the data anyway and say "it wasn't us, someone else got the same data through a different hack".
corvad 12 hours ago [-]
What's to say they didn't copy the data then shred a copy, or hell even just fabricate some shred logs.
latexr 11 hours ago [-]
In the abstract, it’s hilarious to imagine the hackers keeping the data, then some time from now leaking it accidentally (or another hacker group hacks them) then them having to issue a public apology for not having kept the stolen data secure and having lied about shredding it.
eaf7e281 10 hours ago [-]
However, they could use it as a last resort or as a final "gift" before getting arrested or switching identities.
They might be considered "trustworthy" right now to get companies to pay them money, but no one will know what will happen in a few years when this strategy won't work anymore.
Anyway, I hope this doesn't come at all, or as late as possible.
latexr 9 hours ago [-]
> but no one will know what will happen in a few years when this strategy won't work anymore.
Good point.
> Anyway, I hope this doesn't come at all, or as late as possible.
Same. As I said, I find the idea funny in the abstract, if it didn’t affect anyone or if it were a TV show, for example. But since it does affect real people…
Groxx 11 hours ago [-]
Gotta hope that's just a PR attempt to try to save face. Though I wish companies would stop claiming it.
8 hours ago [-]
Cider9986 1 days ago [-]
>The data was returned to us.
It was my understanding that the data was copied[1]. You wouldn't "return" data unless it was encrypted or the originals were deleted. I am confused on this phrasing but maybe it is standard idk.
This is bullish on Monero[2]. The January pump may have been from a hack as well[3].
Here is Shinyhunters website. Canvas was listed on it[4] and then removed[5].
I guess the incentive is for the hackers to not leak, so they can get away with the next ransom.
mbesto 8 hours ago [-]
This is a good time to point out that when there is a data breach, data is rarely stolen. The real threat and harm is when data that is stolen is used against you.
embedding-shape 12 hours ago [-]
> You wouldn't "return" data unless it was encrypted or the originals were deleted
The very next line from what you quoted:
> We received digital confirmation of data destruction (shred logs).
Now, color me surprised if they didn't delete it, but I'm guessing this is why they call it "returned", since from their beliefs, the data was deleted after it was "returned".
delichon 12 hours ago [-]
A good infotech public service project would be to maintain a public list of organizations that have succumbed to ransom demands, so that we can choose to take our business elsewhere. It would also be an act of bravery though in the face of potential liability for libel. I doubt disclaimers would evade much of that.
pretzel5297 12 hours ago [-]
So you would rather take your business to somewhere that got hacked, didn't pay the ransom, and got customer data leaked?
delichon 12 hours ago [-]
Yes, particularly if they are transparent about it.
pretzel5297 11 hours ago [-]
Yeah, sorry. I don't believe you :)
tadfisher 12 hours ago [-]
The customer data is already leaked, unless your threat model somehow includes trusting threat actors to keep said data confidential in perpetuity.
applfanboysbgon 12 hours ago [-]
ShinyHunters has a vested financial stake in not leaking the customer data. If they did, nobody would ever pay a ransom to them again. I trust ShinyHunters to look out for themselves continuing to get paid.
tadfisher 11 hours ago [-]
Sure. Do you trust every member of ShinyHunters to remain a member of ShinyHunters in good standing, and to resist the temptation to exfiltrate the data in the process of exiting ShinyHunters?
applfanboysbgon 11 hours ago [-]
I would expect ShinyHunters to understand that traitors pose an existential threat to the group and to take measures to prevent a lone wolf from selling them out easily. That they have existed for 7 years already indicates they are probably not so amateur as to allow any individual member to walk off with data that would compromise their operation.
skywhopper 10 hours ago [-]
This is a really silly take. Instructure also had a financial incentive not to get hacked. And yet…
applfanboysbgon 10 hours ago [-]
No, it actually doesn't, which is the problem. The market has shown that there are no financial consequences to any company that gets hacked. Instructure could have just as well not paid the ransom, as many companies don't, and continued to be fine. Even if they do pay the ransom, it is likely that it is less than it would have costed them to engineer secure systems, so even if you take paying ransoms as necessary market incentives still steer you to ignoring security.
aetch 12 hours ago [-]
If you believe the hackers didn’t keep a copy of the data, you’re the target market.
jsLavaGoat 12 hours ago [-]
Both of them got hacked so... yes.
latexr 11 hours ago [-]
Theoretically, if it happened before and the ransom wasn’t paid, there’s both an incentive by the service to improve their security practices and a disincentive on the hackers to target that business.
Waterluvian 11 hours ago [-]
I wonder if, longer term, we're better off if a company like this were in some way destroyed as a result of getting hacked and paying a bribe.
I think the stakes for getting hacked are far too low, especially at higher levels of management/executive where it's this abstract thing that has concrete time/resource costs.
cube00 11 hours ago [-]
I've never seen a company blame a data breach as the point where they started going bankrupt.
Customers never migrate on mass after a breach, 7000 underfunded and overworked education institutions are not migrating on mass.
So I feel safe to say there's no lasting impact to a company when a data breach occurs.
This will all be forgotten in a few months.
Ancapistani 9 hours ago [-]
To be fair, I don't think I've ever seen a company identify the inflection point after bankruptcy, accurately or not.
corvad 12 hours ago [-]
I suspected as much as it disappeared from the ShinnyHunters page and it recovered so fast. The main thing I'm interested in knowing was how much was paid. Also I don't really like their statement that the data is safe or destroyed, those promises seem a little questionable with regards to these incidents.
How does things like this work in terms of bookkeeping? How do they label the expense? Can a company send huge amounts of money to an unknown crypto account without needing to explain anything to the tax authorities?
mewse-hn 10 hours ago [-]
It's the insurance company paying the ransom and I assume they tie the payment to the insurance policy they are fulfilling, I don't know what the tax implications would be, I am not in finance or an accountant
acomjean 10 hours ago [-]
“Data recovery”?
kryogen1c 5 hours ago [-]
Everyone's making a lot of good points about game theory and economic motivations, but there is a much more important and self-serving point: when you pay a ransom, hackers come after your shit x10.
Paying a ransom signals 3 things:
1) you are vulnerable to attack
2) you cannot recover from an attack
3) you've got cash
The result is that you get attacked much, much more. You could ask me how I know, but I wouldn't tell you :)
evantahler 11 hours ago [-]
Being that this is HN, do we know how they got hacked? Can we learn something about protecting our services?
cube00 11 hours ago [-]
We’re currently working to identify a robust list of Indicators of Compromise (IOCs) and will make those available to our customers.
It worries me they've only committed to making it available to their customers and not the public.
layman51 11 hours ago [-]
I read online that it has to do with their "Free-For-Teachers accounts" which I assume is a way for teachers to get access to Canvas services for free when their school doesn't subscribe to it.
I don't know for sure, but I think it probably had to do with some kind of misconfiguration on an Salesforce Experience Cloud site. I have heard that ShinyHunters often exploits this type of service and that it is very easy for companies to forget to set the right permissions to data and they end up throwing a bunch of different data into Salesforce.
sheept 11 hours ago [-]
This blog post[0] suggests that, based on their changelog after the incident, the hackers may have extracted session tokens using XSS in a support ticket. Then the ransom note was displayed using a custom theme.
Surely if they are demanding a ransome they somehow got server access to delete data. Would seem kind of insane to pay a ransome solely for an XSS.
sans_souse 11 hours ago [-]
I would love to know the amount of ransoms paid by large companies who've been compromised without the public being informed. How much that undisclosed amount impacts inflation and the economy today is not talked about nearly enough, imo.
11 hours ago [-]
corvad 12 hours ago [-]
> Has law enforcement been engaged? Yes. We've notified law enforcement, including the FBI, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and international law enforcement partners.
Hmm. I thought all these agencies say NOT to pay a ransom.
bluGill 9 hours ago [-]
Not always. They have been known to give "marked bills" to pay with in the past. A lot can be learned by watching how ransom money moves around (bit coin is very traceable this way). Sometimes paying a ransom is an important part of finding and arresting the guilty.
biesnecker 12 hours ago [-]
Engaged != listened to.
rottencupcakes 12 hours ago [-]
What on earth does "returned the hacked personal data" mean?
yakkomajuri 12 hours ago [-]
I believe attacks like this often include copying data and then deleting it from the victim's servers.
Although of course returning is a weird term in the sense that the attackers will almost certainly keep the data as well.
TruffleLabs 4 hours ago [-]
"The deal with the hackers included the return of stolen data and digital evidence that copies had been deleted, Instructure said."
does "yes, I deleted the data" in an email count as digital evidence?
Freak_NL 12 hours ago [-]
How is Instructure getting away with paying off the ransomware hackers? Is that still legal in Utah or something?
ibejoeb 12 hours ago [-]
This happens every day, and there doesn't seem to be anything interesting about this case. It's how most situations are resolved. There are money transmitters that specialize in ransoms. They "do" sanctions checks that are about as good as you suspect they are.
Like other commenters have pointed out, it's literally a business. Most trade on reputation, so there actually is an incentive for them to take their money and abide by their agreements. Otherwise, they would have to start from scratch with a fresh identity and rebuild the rep to command their prices.
__MatrixMan__ 10 hours ago [-]
I'm curious about the open source competition (https://github.com/moodle/moodle is my first find, there are likely others) and what they could've made happen with that money if they had received it instead as an investment re: not worrying about future ransomware attacks.
skywhopper 10 hours ago [-]
Canvas itself is also open source (https://github.com/instructure/canvas-lms), which was the big appeal of it originally in a world where Blackboard had a stranglehold on the LMS market.
__MatrixMan__ 9 hours ago [-]
Huh, neat! I had just assumed otherwise because everything else my university uses is nine kinds of proprietary.
Like, they recently tried to sell me to McMillian who then tried to sell me the "submit homework" button for $20. I complained and got exempted from having to submit homework, but that's par for the course in edtech right now.
applfanboysbgon 11 hours ago [-]
I've seen half a dozen comments in this thread suggesting that paying hacking ransoms should be illegal, but I strongly disagree, for multiple reasons. I'll just make this a top-level comment rather than picking one to reply to.
(1a) Multiple have suggested that the US made it illegal to pay kidnapping ransoms. This is a misconception. The US adopted a policy that the government itself would not pay ransoms, but explicitly noted this did not apply to the victims. "The U.S. Department of Justice does not intend to add to families’ pain in such cases by suggesting that they could face criminal prosecution."
(1b) Despite this policy, the US pays ransoms anyways. Usually in the form of prisoner swaps, but in 2023 it released $6 billion in frozen Iranian funds in exchange for the release of 5 hostages[1].
(2) The belief that paying ransoms should be illegal is predicated on the belief that criminals will be less likely to commit the crime if there is no money to be made. This may be true for kidnapping, but that does not mean it would be true for hacking. Kidnapping is a high-stakes, high-commitment crime that requires physical presence and exposes the criminal to significant danger. If the criminal anticipates no reward, the risk-reward calculus skews them away from kidnapping. However, hacking is a low-risk crime. Even if the chance of reward is low, the risk is also low, so hackers are unlikely to be deterred from hacking. Many hackers will do it just for fun or to prove that they can. Moreover, hackers can profit in other ways, for example by selling the data on the black market, or by making use of the data themselves as a nation-state or corporate espionage actor. Hacking will undoubtedly continue as long as things can be hacked, regardless of whether ransoms are ilegal.
(3) Making ransoms illegal pushes the burden onto people who have no real ability to do anything about it. When a company fails to pay ransom, it is the customers who suffer. It does not materially affect the company in any way to have customer data leaked. The market has already shown, overwhelmingly, that it will not punish companies that leak user data. That a company pays a ransom to begin with indicates that they don't actually understand the market and/or have some small shred of a conscience. Rather than making it illegal to pay ransoms, I would rather see penalties for having a data breach in the first place, but once a data breach is assured, companies should be paying ransoms to try to mitigate the damage to their customers.
(4) The idea of trying to solve hacking by making it illegal to pay ransoms is ridiculous on its face. As long as systems are insecure, hackers will exist, so the legal emphasis should be on consequences for data security. The collection of PII that is not essential to providing a service to customers should be discouraged, and there should be real consequences for negligent security. There should be an investigative board similar to those for airline crashes and infrastructure collapse, which examines the circumstances in depth and identifies whether the company is at fault for negligent handling of PII.
If customers suffer when a company doesn’t pay ransom - that’s a good thing.
Those (now former) customers can the be patrons of a competitor that doesn’t let such happen again.
applfanboysbgon 1 hours ago [-]
That's just not reality. Not least of which because competitors are exactly the same when it comes to security. Even if they weren't, security isn't something the market can realistically select for because it's not verifiable from a customer's perspective. A customer can clearly see, say, a price difference or feature difference, but cannot see a security difference in any meaningful sense. This is something that needs to be enforced at a regulatory level, there are many problems the free market cannot solve, and in fact market forces actively incentivize neglecting security.
HDBaseT 5 hours ago [-]
The problem is paying ransom to these groups gives teenagers millions of dollars in crypto to spend on more exploits and more insiders.
It is a race to the bottom. The teenagers have effectively unlimited time, millions of dollars and rocket launchers.
linksnapzz 10 hours ago [-]
The moral hazard of companies escaping scrutiny of their poor practices while simultaneously subsidizing the behavior that takes advantage of said poor practices at other companies needs to be addressed.
Zigurd 12 hours ago [-]
There shouldn't have been a need to give into hackers, even highly successful hackers. If they're not doing air-gapped backups weekly, that's malpractice and hints at a substandard architecture and/or operations. On a short enough full backup schedule all of Canvas's customers should've been able to recover based on their own copies of assignments and test results. And a policy like that should've been in the SLAs.
In an education environment, there shouldn't be a need to trust software like Canvas for anything mission critical. In fact, if there's anything mission critical in a system like canvas it's an artificial need.
IOW Canvas had to have made themselves vulnerable to a ransom demand in the way that they designed their own product.
applfanboysbgon 12 hours ago [-]
Backups do nothing to protect your customers from getting extorted to avoid their data being leaked.
Zigurd 11 hours ago [-]
What extortable content should schools be creating? And if they are it's crazy that they are trusting it to school SaaS.
joseda-hg 11 hours ago [-]
Enrollment or courses might not be generally super sensible, but financing/financial data, personal identification like phone numbers and emails, chat logs and such
applfanboysbgon 11 hours ago [-]
I mean, something as simple as name + grades is extortable. There are plenty of students who would not want their bad grades to be public information, and who would be upset with their school if the school allowed that to be leaked, or who may personally pay an extortion if contacted directly.
I certainly do think it's crazy that schools are selling out education to SaaSification, but that is normal in the world we live in.
What data held by Instructure is so critical it warrants a ransom payment?
HDBaseT 5 hours ago [-]
Tons of stuff, usernames, first name, last name, email addresses. - Most of this stuff isn't "private" per se, but its also not publicly index-able for a reason.
Conversations between students, conversations between teachers and other students/staff or teachers. Course content, etc.
SilverElfin 1 days ago [-]
Given they were hacked multiple times, couldn’t they just be targeted again by the same or different group? Why would it stop here?
Freak_NL 12 hours ago [-]
The same group has a reputation to uphold (i.e., that of 'honourable' criminals), so they just move on to the next target, who will, incidentally, know that they are absolutely true to their word. (This is why paying off ransomware hackers is being made illegal in a number of countries.)
A different group? Certainly. I wouldn't want to be in the shoes of the infosec guys at Canvas right now.
felooboolooomba 12 hours ago [-]
So they hacker group could create an unregistered subsidiary and hack some more?
Freak_NL 12 hours ago [-]
Sure. In all likelihood ShinyHunters will 'gracefully' point out the weak spots leveraged in the system of the 'customer' upon receiving payment to prevent this happening again next week.
They have a rather strong incentive to keep this a happily-ever-after ending for Instructure and any other target who pays up. It's all taught in Maffia 101.
OneDeuxTriSeiGo 12 hours ago [-]
They could but also why would they?
They can always just hack them again but with a different method this time.
The ransom doesn't bind them from hacking the company multiple times. It just obligates them to destroy the data they collected from this attack.
As a matter of kindness and good business they'll probably wait a few months or a year or so before poking around again but they'll almost certainly continue poking at Instructure's systems.
Data exfil ransom attacks are a business first and foremost. They don't permanently halt or destroy the original infra and their goal is to get a payout for their labor and move on. Maybe the come back around in the future with another, different attack, maybe they don't.
They made their money and made it big in the news as having complied with the ransom payout, no reason to hurt their reputation trying to double dip. Plenty of other soft targets to poke.
esafak 11 hours ago [-]
If you squint you can think of it as pen-testing done economically right: how much do you really value your data??
OneDeuxTriSeiGo 11 hours ago [-]
NGL that's pretty much what it is.
On the one side you have white hat hackers and pen-testers who you pay a contract or salary to prod your system. If you really piss them off (i.e. by stiffing them of their pay) some might just steal your data and threaten to leak it unless you pay them.
On the other side are black hat hackers who will drive by your system and if they find a way to break in they'll offer to keep your data private for a ransom fee. And maybe if you have some charisma, decent pay, and/or a good repertoire you might recruit them on/convert them into white hats for your org.
somenameforme 12 hours ago [-]
Simple economic motivations from the hackers. They've hacked a lot of different companies. [1] If they didn't keep their word then companies would have no incentive to pay, and vice versa when they do keep their word.
I think Instructure has made themselves a target. I'm a professor at a college that uses Canvas and I'm going to be making sure I download the gradebook for my classes more often from now on.
enceladus06 10 hours ago [-]
It might make more sense for Shinyhunters to request a reoccuring charge to smooth out their revenue stream. Basically protection money as it was called in the good old days.
This is of course assuming that Instructure continues to be relevant, and that students still believe that college education holds economic or social value.
xvxvx 12 hours ago [-]
Michael Jackson paid the ransom and look what happened to him.
doublerabbit 12 hours ago [-]
It would be amusing to discover it turned out that the hackers were 14 year old teenagers, bored with school.
cheschire 12 hours ago [-]
The defendant, who calls himself “zero cool”, has repeatedly committed criminal acts of a malicious nature.
He framed the issue as being similar to kidnapping ransoms: When an American is taken hostage each family is inclined to make payment but it fosters an industry around kidnapping Americans. Congress put a stop to it by making it illegal to pay the kidnappers. The industry shifted by ceasing the non-profitable American kidnapping and instead began targeting Europeans.
His proposal was to begin warning cybersecurity consultants and insurers who were often brought into these situations that payments to sanctioned countries were already likely illegal and could face scrutiny. The first people to suffer this might be burned, but eventually he believed the industry would move on and stop targeting US firms.
Not sure if anything ever came of his plans, but I always thought it was an interesting framing of the issue.
Instead of paying ransom, and creating a ransomware criminal industry out of thin air, its better to force companies to recover and restore from backups and remove monetary incentive for crime.
and the executives who failed to carry regular backups obviously should face the music
the only outcome I got from their incidents is 1 year free "identity protection service" which I didnt use.
Should be a lesson for Instructure to have proper architecture and do not store PII they dont need in their processes.
Leaks are inevitable, but the current situation is absurd. The liabilities and incentives to do anything about them are virtually nonexistent and security is almost always viewed as a cost.
Infrastructure’s motivations must have lain elsewhere…
No, for the same reason fence manufacturers aren't financing burglers.
They'll just use it on more exploits, more nonsense. It's a race to the bottom. Sister group, Lapsus$ (parent group ShinyHunters) has published on their website they will pay for inside access to company networks. The group says they don't want data, they just want an avenue.
This is what happens when we keep paying these criminals millions in hard-to-trace crypto.
I do find it all a bit funny though.
KYC is a tool to prevent money laundry and it's typically an obligation of financial institutions. Sending money to an anonymous (to you) recipient is generally not a KYC violation if you are not in the money transmitting business and you aren't doing the payment on behalf of someone else.
There are infinite shades of gray in this topic, of course, but I can't see AML being relevant in this particular case.
From Claude, maybe it's a little nuanced compared to conservative corporate policies, but doesn't feel very legal: "You can be charged with money laundering (18 USC 1956/1957 in the US, equivalents elsewhere) if you knowingly — or with willful blindness — process proceeds of crime. "I didn't ask" is not a defense if the circumstances were suspicious; deliberately avoiding KYC to preserve deniability is exactly what willful blindness doctrine targets. The recipient doesn't need to be formally sanctioned; the funds just need to be tainted."
Extortion and terrorism seem similar in many ways except the latter involves physical harm.
I’d asssume a company paying money to terrorists shouldn’t be acceptable.
It also seems especially egregious to pay ransom as a “solution” to the failings that made the attack both possible and consequential in the first place.
Might as well use a bank whose safe deposit boxes are made of cardboard… They can just bribe the thieves to give some things back.
You are paying an extra fee for not testing your own software and infrastructure. It was instead tested by a third party. Be glad it wasn't tested by a nation state actor or someone who wanted to do more harm to your customers than just asking for money.
Ideally they should now secure their infrastructure and take this as a gentle reminder that they should spend more on security.
>Might as well use a bank whose safe deposit boxes are made of cardboard… They can just bribe the thieves to give some things back.
You would hope they would then upgrade the cardboard.
And yes, the companies executive should be jailed.
Probably should consult an attorney before paying a ransom (whether for kidnapping or other purposes).
Its a boon to both the company and the country when a hacker makes a big public deal out of it. Because they get the chance to repair something before its intentional damaging misuse by a hostile state actor.
The hackers here deserve every cent plus possibly more.
And theres always the problem that the hackers would still get paid, they just wont report the payments making tracking difficult.
Not really. Muggings are both more common and less traumatic than kidnappings. This is reflected in the fact that common and maximum sentences for kidnappings are universally more extreme than those for muggings.
> Would you really deny people the ability to save their loved ones?
...yes. Because it means significantly fewer kidnappings. "Deny people the ability to save their loved ones" is tantamount to "help others to lose their own."
Idk. That’s a step (sentencing guidelines) after we decide it should be criminalized.
> The maximum sentence is less than mugging after all..
They’re in the same ballpark, 2 to 6 years or so.
You decide it should be criminalized before you identify any harms?
> They’re in the same ballpark, 2 to 6 years or so.
You can just look it up. Maximum sentence for mugging is 30 years, ransomware is 20.
No. We have a measure of the harms. We haven’t balanced them for sentencing. Again, deciding something should be illegal doesn’t require obsessing over the sentence ex ante.
> Maximum sentence for mugging is 30 years
Not the norm, either for maximums [1] or usual sentences.
[1] https://en.wikipedia.org/wiki/Robbery_laws_in_the_United_Sta...
I think the Bloomberg Odd Lots guy wrote a blog post on this: you could attempt to short the stock but a) this leaves a paper trail b) the market might not know about the breach or believe you if you post you’ve done it. IIRC some hackers have tried to tell companies that they are legally required to disclose the breach to their shareholders to force market movements.
Or do both i suppose, just because someone pays a ransome there is no garuntee the hacker destroys the data.
Russia, and North Korea are the main names that come up as exceptions, they will protect their own people.
After all a lot of the data companies have isn't their own, it's their customers. They are the ones who suffer because businesses don't bother securing their crap.
on the other hand, the ransomware groups that want to stay in business need to be honest (with respect to not releasing/deleting data) or they wont be 'credible' ransomware operators, which is kind of funny to think about. and in many cases, the victims would rather the ransomware operator be paid (so their data is not leaked) vs. having their data leaked. so paying is the best for current victims (but increases the potential for future victims).
the dynamics/economics around ransomware is fascinating.
Each individual company is probably better off paying the ransom, but everyone would be better off if no one paid a ransom.
This is why the United States, for example, has an official no-ransom policy, and why other no-ransom policies exist. You have to have something forcing the individual victim to not pay, otherwise they will always be incentivized to pay and ransoms will continue to be profitable.
https://en.wikipedia.org/wiki/Collective_action_problem
https://en.wikipedia.org/wiki/Prisoner%27s_dilemma
https://www.kiplingsociety.co.uk/poem/poems_danegeld.htm
You're then a target known to be vulnerable and pay ransoms, so best focus on security.
They might not believe that, but if you're at the point where you're paying anyway, you might as well try to get that commitment from them.
It's not a good situation to be in, but still, try to make the best of it.
For any individual within the ransom group, they can get a big payout by selling the data.
Messages between students and instructors? Likely pretty boring, but possibly embarassing or confidential for a given individual.
Grades? Could be a FERPA violation.
Critical PII such as SSNs? Probably not in the LMS to begin with.
Though I wouldn't be surprised if some 40 year old university IT system requires its use as an identifier, regardless of whether or not it gets printed anywhere.
Yikes.
But it is 100% happening.
People do amazingly stupid things with systems, especially when they don't have enough people with the expertise to set them up properly, so they just throw things in there without stopping to think about whether or not it's a good idea.
The only people it’s valuable for is the ransomee, because they don’t want the reputational hit of having their data everywhere.
You are leaking email addresses that likely otherwise wouldn't be out there publicly. Whilst email addresses and names are "effectively" public, they aren't just in a one big database anyone on the planet can access.
Every single one of those email addresses will receive increased spam and phishing attempts, with more isolated information (such as School, First+Last Name, Subjects, Teachers/Lecturers, etc) the phishing attempts can be more refined.
i.e, Student receives an email that looks like its from their school (has email footer, has student name, has relevant teacher name, subject name, etc), the user is now more likely to click some sketchy link.
These little identifiers add up, especially when cross-references with other leaks. Even more problematic when most of the users wrapped up in a leak like this are under 18 too.
A lot of this stuff could be done previously, although the effort and scale to do so would of been higher/harder.
They've already proved themselves to be untrustworthy simply by ransoming you in the first place.
But just like fail2ban, this gives someone else decision-making control over your actions, which can be abused.
This will progress the game theory to the point where nobody will pay ransom because the thieves won't honor the deals anyway.
I doubt if everyone would be better off if state level actors found and used these vulnerabilities instead of ransom seekers.
The real value though is enough people consider themselves honest and won't do anything they know is illegal. They already hate dealing with criminals, but so long as paying is legal they might do it, but as soon as it affects their moral code they won't. The whole system collapses because just a few people saying no to paying means the kidnappers lose money on too many operations.
Except for payments to specifically sanctioned organizations, the policy is "we'd really rather you didn't do that, but whatever".
The specific sanctions don't cover most of the groups, either, and even when they do cover the group who got paid, you can't necessarily prove the people who got paid were the ones on the list. And there may be a scienter requirement even then; I don't know.
Making a list of specific criminals you can't pay is just stupid. No ransoms, ever, period, or it's da slammah.
If no one pays the ransoms, but people believe that large ransoms are paid-- you still have the crime.
The general public (including the next victims) don't have a way to confirm if payment was made. ShinyHunters would have to choose between arguing publicly that they were not paid or not releasing the data to protect their own reputation...
I do think that the partial information problem relating to new entrants into this market is interesting though.
The number of potential threat actors with partial/no information but that might speculate based on grandiose visions of ransom or outdated history is high.
We see dumb attempts at real-world ransoms/extortion which don't get paid at a pretty high clip based on this kind of partial knowledge.
You'll probably get your data leaked anyways, potentially get compromised again (see Instructure situation) and end up in a way worse place if you just shut up and paid it, or let it leak normally.
Like you said (and like I said in my post), for an individual kidnap victim, the best option would be to pay the ransom. It is better to pay the money and be free.
However, that means a kidnap group now has more money, which will make them better able to kidnap another victim and demand more money.
The point of a “no ransom” policy is that it takes the choice away from the individual, who would choose to pay it, and changes the game theory to make kidnapping not worth it.
The whole reason you need a policy at all is BECAUSE it is better for the person to pay the ransom.
The day the USD falls, ransoms will simply be denominated in something else and the same underlying collective action problem will remain.
This is just way of avoiding the core issue by blaming something unrelated that you don't like.
A: U should clean your room, it would be better for you & the rest of your family
B: FU dad, everyone knows there's no such thing as a clean room under capitalism!!!!!
The calculus for the victims doesn't seem to change much whether the same people are using a "new" name or an old one to hold their systems hostage.
It is very meaningful. You seem to equate that "new" = "trust by default", but a new group is distrusted by default. Let's say that for a new group which is unproven to hold up their end of the deal, only 5% of victims will pay the ransom. But if you've built up a reputation over 5 years of honoring your ransoms, then maybe 50% of your victims will pay the ransom. Reputation is literally everything here. I doubt Instructure would have paid such a high-profile ransom if they didn't have a strong reason to believe it would work.
This is the same problem that crypto addresses in an unregulated market - it provides attestation and continuity, but not much else.
New actors are untrusted. Trust must be built through small transactions until someone trusts you enough for larger transactions. Survive long enough without major reputational harm and you can even offer to act as an escrow service for parties with less trust.
You can also validate PGP keys and TOX accounts, etc via their website.
Reputation is everything in a collective.
We'd either end up with a Discworld "Ransomware Guild" that you pay "insurance" to and they murdicate anyone who dares do extracurricular data ransoming, or you'd have systems build on end-to-end encryption where the data is worthless.
What could go wrong? ;)
0: https://wiki.roshangeorge.dev/w/Benevolent_Terrorist#Poisoni...
Realistically, the only people that could check that it's true are buyers, and those benefit from keeping a low profile
Kind of like the recall math auto makers do to see if it's more expensive to actually recall a manufacturing problem, or just deal with it and compensate those who seek it personally
shinyhunters, for example, has been active and acted as a cohesive unit for the past 7 years.
I was thinking about that the other day. Honestly I'm not sure it matters. I feel like if a company didn't pay the ransom that would possibly open them up to lawsuits or something because they "tried nothing". At least paying it makes it look like they did something and could be some sort of legal defense. But again I'm not a lawyer.
even if you pay the ransom to the 1st group, the 2nd group will leak.
https://en.wikipedia.org/wiki/Grey_hat
Also, does anyone know the root cause of the attack? I read a rumor online (but it's not really confirmed anywhere) that it may have had to do with the common pattern of ShinyHunters where they use a vulnerability in a Salesforce Experience Cloud site. What is confirmed for sure is that the vulnterability involved the feature of Canvas called "Free-For-Teacher accounts".
If you’re sending a large sum of money to $anonymoushacker, how do you ensure they’re not on some OFAC list? Or do your AML checks? Or make sure you’re not on the wrong side of Foreign Corrupt Practices act? The third party probably turns a blind eye to that cuz there’s no way of really checking.
i don't do that every time i want to send money. private individuals don't just "run checks" - it would make commerce untenable and possibly unconstitutional.
say you get a passport, an address, a photo, a signature, a phone call - how do you verify any of this is real?
Your BigCo accounting department is not going to be very understanding about acquiring cryptocurrency to send to ??? for a ransom.
An org’s Net30 terms aren’t going to work here…
Instead, they trick the hackers into going on a vacation in a country that will let them grab them.
Protecting pii is important, but it's not that important
Predictions are hard, especially about the future!
Frankly, you pay a ransom at your peril. If it turns out it was North Korea you may well go to jail for it.
For three, by the FBI's own source, they don't mention anything about it being illegal, they merely advise against doing so[0] -
> The FBI does not support paying a ransom in response to a ransomware attack. Paying a ransom doesn’t guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity. If you are a victim of ransomware, contact your local FBI field office or file a report at ic3.gov.
I am not saying I support paying ransoms, or take any position here, I am just saying quite factually it is an extremely common practice to pay these, often via third parties that take care of any potential legality issues (which I am not aware of being super common at all, and if you are being targeted by a nation state on a sanctions list, you probably are well aware and have your own legal team/police liasons to deal with any such issues). Most ransomware attacks come from small, unknown groups.
[0] https://www.fbi.gov/how-we-can-help-you/scams-and-safety/com...
Even other bad guys have an incentive to stop these bad guys from leaking the info after getting paid.
This is shockingly naive
Obviously this doesn't stop hackers from selling the data anyway and say "it wasn't us, someone else got the same data through a different hack".
They might be considered "trustworthy" right now to get companies to pay them money, but no one will know what will happen in a few years when this strategy won't work anymore.
Anyway, I hope this doesn't come at all, or as late as possible.
Good point.
> Anyway, I hope this doesn't come at all, or as late as possible.
Same. As I said, I find the idea funny in the abstract, if it didn’t affect anyone or if it were a TV show, for example. But since it does affect real people…
It was my understanding that the data was copied[1]. You wouldn't "return" data unless it was encrypted or the originals were deleted. I am confused on this phrasing but maybe it is standard idk.
This is bullish on Monero[2]. The January pump may have been from a hack as well[3].
Here is Shinyhunters website. Canvas was listed on it[4] and then removed[5].
[1] https://www.youtube.com/watch?v=IeTybKL1pM4
[2] https://search.brave.com/search?q=monero+price&rh_type=cc&ra...
[3] https://xcancel.com/zachxbt/status/2012212936735912351
[4] https://archive.ph/4zD7f
[5] https://archive.ph/NYWbJ
The very next line from what you quoted:
> We received digital confirmation of data destruction (shred logs).
Now, color me surprised if they didn't delete it, but I'm guessing this is why they call it "returned", since from their beliefs, the data was deleted after it was "returned".
I think the stakes for getting hacked are far too low, especially at higher levels of management/executive where it's this abstract thing that has concrete time/resource costs.
Customers never migrate on mass after a breach, 7000 underfunded and overworked education institutions are not migrating on mass.
So I feel safe to say there's no lasting impact to a company when a data breach occurs.
This will all be forgotten in a few months.
[1] https://xcancel.com/search?f=tweets&q=1968412640398430555
Paying a ransom signals 3 things: 1) you are vulnerable to attack 2) you cannot recover from an attack 3) you've got cash
The result is that you get attacked much, much more. You could ask me how I know, but I wouldn't tell you :)
https://www.instructure.com/incident_update
It worries me they've only committed to making it available to their customers and not the public.
I don't know for sure, but I think it probably had to do with some kind of misconfiguration on an Salesforce Experience Cloud site. I have heard that ShinyHunters often exploits this type of service and that it is very easy for companies to forget to set the right permissions to data and they end up throwing a bunch of different data into Salesforce.
[0]: https://cyber.acmucsd.com/canvas (disclosure: I was involved with this org when I was a student)
Hmm. I thought all these agencies say NOT to pay a ransom.
Although of course returning is a weird term in the sense that the attackers will almost certainly keep the data as well.
does "yes, I deleted the data" in an email count as digital evidence?
Like other commenters have pointed out, it's literally a business. Most trade on reputation, so there actually is an incentive for them to take their money and abide by their agreements. Otherwise, they would have to start from scratch with a fresh identity and rebuild the rep to command their prices.
Like, they recently tried to sell me to McMillian who then tried to sell me the "submit homework" button for $20. I complained and got exempted from having to submit homework, but that's par for the course in edtech right now.
(1a) Multiple have suggested that the US made it illegal to pay kidnapping ransoms. This is a misconception. The US adopted a policy that the government itself would not pay ransoms, but explicitly noted this did not apply to the victims. "The U.S. Department of Justice does not intend to add to families’ pain in such cases by suggesting that they could face criminal prosecution."
(1b) Despite this policy, the US pays ransoms anyways. Usually in the form of prisoner swaps, but in 2023 it released $6 billion in frozen Iranian funds in exchange for the release of 5 hostages[1].
(2) The belief that paying ransoms should be illegal is predicated on the belief that criminals will be less likely to commit the crime if there is no money to be made. This may be true for kidnapping, but that does not mean it would be true for hacking. Kidnapping is a high-stakes, high-commitment crime that requires physical presence and exposes the criminal to significant danger. If the criminal anticipates no reward, the risk-reward calculus skews them away from kidnapping. However, hacking is a low-risk crime. Even if the chance of reward is low, the risk is also low, so hackers are unlikely to be deterred from hacking. Many hackers will do it just for fun or to prove that they can. Moreover, hackers can profit in other ways, for example by selling the data on the black market, or by making use of the data themselves as a nation-state or corporate espionage actor. Hacking will undoubtedly continue as long as things can be hacked, regardless of whether ransoms are ilegal.
(3) Making ransoms illegal pushes the burden onto people who have no real ability to do anything about it. When a company fails to pay ransom, it is the customers who suffer. It does not materially affect the company in any way to have customer data leaked. The market has already shown, overwhelmingly, that it will not punish companies that leak user data. That a company pays a ransom to begin with indicates that they don't actually understand the market and/or have some small shred of a conscience. Rather than making it illegal to pay ransoms, I would rather see penalties for having a data breach in the first place, but once a data breach is assured, companies should be paying ransoms to try to mitigate the damage to their customers.
(4) The idea of trying to solve hacking by making it illegal to pay ransoms is ridiculous on its face. As long as systems are insecure, hackers will exist, so the legal emphasis should be on consequences for data security. The collection of PII that is not essential to providing a service to customers should be discouraged, and there should be real consequences for negligent security. There should be an investigative board similar to those for airline crashes and infrastructure collapse, which examines the circumstances in depth and identifies whether the company is at fault for negligent handling of PII.
[1]https://2021-2025.state.gov/briefings/department-press-brief...
Those (now former) customers can the be patrons of a competitor that doesn’t let such happen again.
It is a race to the bottom. The teenagers have effectively unlimited time, millions of dollars and rocket launchers.
In an education environment, there shouldn't be a need to trust software like Canvas for anything mission critical. In fact, if there's anything mission critical in a system like canvas it's an artificial need.
IOW Canvas had to have made themselves vulnerable to a ransom demand in the way that they designed their own product.
I certainly do think it's crazy that schools are selling out education to SaaSification, but that is normal in the world we live in.
(https://www.instructure.com/incident_update#:~:text=STATUS%2...)
Conversations between students, conversations between teachers and other students/staff or teachers. Course content, etc.
A different group? Certainly. I wouldn't want to be in the shoes of the infosec guys at Canvas right now.
They have a rather strong incentive to keep this a happily-ever-after ending for Instructure and any other target who pays up. It's all taught in Maffia 101.
They can always just hack them again but with a different method this time.
The ransom doesn't bind them from hacking the company multiple times. It just obligates them to destroy the data they collected from this attack.
As a matter of kindness and good business they'll probably wait a few months or a year or so before poking around again but they'll almost certainly continue poking at Instructure's systems.
Data exfil ransom attacks are a business first and foremost. They don't permanently halt or destroy the original infra and their goal is to get a payout for their labor and move on. Maybe the come back around in the future with another, different attack, maybe they don't.
They made their money and made it big in the news as having complied with the ransom payout, no reason to hurt their reputation trying to double dip. Plenty of other soft targets to poke.
On the one side you have white hat hackers and pen-testers who you pay a contract or salary to prod your system. If you really piss them off (i.e. by stiffing them of their pay) some might just steal your data and threaten to leak it unless you pay them.
On the other side are black hat hackers who will drive by your system and if they find a way to break in they'll offer to keep your data private for a ransom fee. And maybe if you have some charisma, decent pay, and/or a good repertoire you might recruit them on/convert them into white hats for your org.
[1] - https://en.wikipedia.org/wiki/ShinyHunters
This is of course assuming that Instructure continues to be relevant, and that students still believe that college education holds economic or social value.