The Ransom Dilemma: When Paying Up Isn’t Always a Bad Idea

The recent ransomware attack on education platform Canvas has sparked debate over whether companies should pay hackers to regain access to their systems. Governments and cybersecurity experts advise against paying ransoms, but some argue that it’s the lesser of two evils when compared to potential consequences.

Instructure’s decision to “reach an agreement” with the hacking group ShinyHunters has left many questions unanswered. While it’s impossible to say for certain whether they paid the $10 million ransom demand, experts point out that paying ransoms has become a grim reality for companies worldwide. According to Akamai’s 2025 ransomware state of the industry report, governments across the globe advise against paying ransoms, yet many ultimately do.

The hacking group ShinyHunters is notorious for extortion, having made a name for themselves by threatening to leak sensitive data unless their demands are met. Their tactics are brazen and predictable, raising questions about the effectiveness of paying ransoms. Does it truly prevent further harm, or does it simply fund more cybercrime?

In Australia, where over two dozen universities and schools were affected, the sanctions office has made it clear that paying attackers could be a criminal offense. However, this hasn’t deterred businesses from making payments. A recent report found that 75 companies with turnovers of at least $3 million paid ransoms as of January 2026, with an average payment of $711,000.

Cybersecurity experts argue that paying up doesn’t guarantee data destruction or prevent further harm. In fact, it can create a perverse incentive for hackers to continue their extortionist activities. However, companies are often left with little choice when faced with the threat of sensitive data being leaked.

Businesses are getting better at preparing for cyber-attacks, but this hasn’t reduced the number of ransomware incidents. Instead, companies are focusing on trying to stop further harm by paying hackers to release data. This raises questions about the trust factor involved in these negotiations. Can businesses truly rely on hackers to act in good faith?

The answer lies in understanding the motivations behind ransomware attacks. Hackers need to demonstrate their honesty to potential victims, creating a cycle of extortion that’s difficult to break. Companies are caught between making a payment and risking further harm or refusing to pay and potentially facing catastrophic consequences.

Instructure’s decision may have been seen as a necessary evil, but it also raises questions about the future of ransomware attacks. Will it encourage more companies to follow suit, creating a culture of paying up rather than preparing for cyber-attacks?

The truth is that there’s no easy answer when it comes to ransomware. Companies must weigh their options carefully and consider the potential consequences of each choice. While paying ransoms may seem like a pragmatic solution in the short term, it creates a long-term problem by funding more cybercrime.

As the ransomware landscape continues to evolve, companies must adapt their strategies for dealing with these attacks. This includes investing in robust cybersecurity measures and preparing for the worst-case scenario. However, ultimately paying ransoms is not a viable long-term solution. It’s time for companies to take a stand against ransomware and refuse to be held hostage by extortionists.

The stakes are high, but one thing is clear: the status quo won’t change unless companies and governments work together to address this growing threat. The future of cybersecurity depends on it.