Data Protection Network

Ransomware attacks: should you ever pay?

Hackers recently threatened to publish a high volume of information following a ransomware attack affecting the Canvas platform. This software is used by education providers worldwide and the attack is estimated to have affected 9,000 institutions and a staggering 275 million students and staff across the UK, US, Canada and Australia.

In an attempt to prevent publication, Instructure, the tech firm behind the software, has announced it has “reached an agreement with the unauthorised actor”. In a statement Instructure said: “While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible.”

While full details have not been published, the company has confirmed the following:

the data was returned to the company;
it received “digital confirmation of data destruction”;
it had been informed that no Instructure customers would be extorted as a result of the incident;
the agreement covers all affected customers, with no need for individuals to engage with the hackers.

What hasn’t been confirmed by either side is whether a payment was made. However, Shiny Hunters, the group which claims it was behind the attack, routinely operates by pressuring victims into making bitcoin payments.

To pay or not to pay?

Instructure’s actions are understandable, and they won’t be the first or last organisation to engage with their attackers. However, the advice from regulators and law enforcement agencies around the world is not to pay cyber criminals.

Not only does payment encourage further attacks, with the money gained used to fund more criminal activity; there are also no guarantees when you’re negotiating with criminals. There have been cases in the past where the criminals have failed to hold up their side of the deal and data has been leaked onto the dark web regardless.

Conversely, you could argue it’s in the self-interest of extortion groups to demonstrate they are ‘trustworthy’ when making a deal, otherwise no one would ever pay up, and their operating model would quickly fail.

It’s a dreadful balancing act for any organisation to face. In Instructure’s case we can just hope the Shiny Hunters don’t renege on the agreement.

While it’s rare in any jurisdiction for there to be an outright ban on paying cyber criminals, the UK’s Cyber Security and Resilience Bill proposes introducing targeted ransom payment bans for all public sector bodies, local government and operators of Critical National Infrastructure (CNI).

Furthermore, it’s worth noting the ICO would not expect you to pay, and it urges any organisation affected by a ransomware attack to engage with the ICO and the National Cyber Security Centre (NCSC) at the earliest possible opportunity.

What is ransomware?

Ransomware is malicious software used by bad actors to encrypt an organisation’s systems, folders or files so they can no longer be used. Sometimes the data is exfiltrated (copied out of the organisation) too. A ransom demand usually follows.

This could be a huge sum of money, paid in exchange for the decryption key and an assurance that the data the attacker claims to have exfiltrated will be deleted. In other words, it will not be published on the dark web, shared with others or used against the interests of affected data subjects. But as noted above, there are no guarantees.

Increasingly sophisticated attacks

Attacks are becoming increasingly sophisticated. Bad actors can buy ‘off the shelf’ cyber-attacks via the dark web and alarmingly AI is being weaponised by cyber criminals to scale up their operations, to automate and execute targeted attacks.

Once attackers gain access to a system, their next objective is to “break out” and move laterally to find high-value assets. This “breakout time”, the interval between initial access and the first move to another host, determines how fast cyber defences must respond to protect assets and reduce the costs and damage associated with a breach. CrowdStrike reports that breakout time has decreased significantly over recent years, by around 70% from 2021 to 2025. So cyber defences need to be capable of identifying intrusions and closing them down much faster.
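To make the metric concrete, the following added example (not from the original article or from CrowdStrike) measures breakout time from logon telemetry: for each account it takes the first observed logon as the foothold and reports how long it took that account to reach a different host, flagging anything under a threshold. The event tuples are constructed sample data, and the 48-minute threshold is an assumed tuning value for illustration.

```python
from datetime import datetime

# Constructed sample logon events, not real telemetry.
# Each tuple is (ISO timestamp, account, source host, destination host).
# "alice" lands on WS-017 and reaches FS-01, then DC-01, within ~33 minutes;
# "bob" only reaches a second host hours later.
SAMPLE_EVENTS = [
    ("2025-03-04T09:00:05", "alice", "WS-017", "WS-017"),
    ("2025-03-04T09:01:12", "bob",   "WS-022", "WS-022"),
    ("2025-03-04T09:31:40", "alice", "WS-017", "FS-01"),
    ("2025-03-04T09:33:02", "alice", "FS-01",  "DC-01"),
    ("2025-03-04T12:45:00", "bob",   "WS-022", "PRINT-02"),
]


def breakout_time(events):
    """Return {account: (seconds, first_new_host)}.

    seconds is the time from the account's first observed logon to its
    first logon on a host other than the foothold; first_new_host is the
    host it moved to, which is the first thing a responder would isolate.
    Accounts that never reach a second host are omitted.
    """
    first_seen = {}   # account -> (foothold time, foothold host)
    result = {}
    for ts, account, _src, dst in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if account not in first_seen:
            first_seen[account] = (t, dst)
            continue
        t0, foothold = first_seen[account]
        if dst != foothold and account not in result:
            result[account] = (int((t - t0).total_seconds()), dst)
    return result


def fast_breakouts(events, threshold_minutes=48):
    """Accounts whose breakout time is at or under the threshold.

    The threshold is an assumed tuning value; set it from your own
    measured detection-and-containment time, not from this example.
    """
    limit = threshold_minutes * 60
    return sorted(
        account
        for account, (seconds, _host) in breakout_time(events).items()
        if seconds <= limit
    )


if __name__ == "__main__":
    for account, (seconds, host) in breakout_time(SAMPLE_EVENTS).items():
        print(f"{account}: broke out to {host} after {seconds // 60} min {seconds % 60} s")
    print("under threshold:", fast_breakouts(SAMPLE_EVENTS))
```

The point of the calculation is the comparison it invites: if your own mean time to detect and contain an intrusion is longer than the breakout times you observe in red-team exercises or real incidents, lateral movement will have happened before anyone responds.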

How to mitigate the risk

The NCSC continues to issue frequent warnings of increased cyber-attacks in the UK. The sad reality of seemingly daily reported attacks is persuading many organisations to invest more money and resources in preventative measures. There are a multitude of measures you can take, and what’s realistic to implement will very much depend on the size of your organisation and your risk profile.

The NCSC has published free guidance on steps to take: mitigating malware and ransomware attacks, and the ICO has published helpful ransomware guidance. For small-to-medium sized businesses we’ve published some key steps to implement: combatting cyber threats.

In summary, I won’t pass judgement on whether Instructure was right or wrong to go down the route they did. In reality a business might find its operations crippled following an attack, and paying the criminals may feel like the best option to try to protect individuals and keep the business afloat. But there are never any guarantees when engaging with criminals, and the data may still be leaked even if you’ve paid up.

After a successful career in publishing Simon moved into data protection consultancy in 2015. Simon advises businesses of all sizes across a wide range of sectors. He held the role of Director of Information Governance at Royal Mail Group in the run up to GDPR enforcement. He regularly delivers data protection courses for clients and the Institute of Data & Marketing (IDM).