alt Hacker NewsInstructure pays ransom to Canvas hackers
Comments
on one hand, every ransom paid encourages like-minded individuals to start or ramp up their ransomware game , which is not great.
on the other hand, the ransomware groups that want to stay in business need to be honest (with respect to not releasing/deleting data) or they wont be 'credible' ransomware operators, which is kind of funny to think about. and in many cases, the victims would rather the ransomware operator be paid (so their data is not leaked) vs. having their data leaked. so paying is the best for current victims (but increases the potential for future victims).
the dynamics/economics around ransomware is fascinating.
LOL that's some super heavy duty optics framing on what basically amounts to "we paid out a ransom but don't worry the bad guys assured us things were okay"
> We received digital confirmation of data destruction (shred logs).
This is shockingly naive
A good infotech public service project would be to maintain a public list of organizations that have succumbed to ransom demands, so that we can choose to take our business elsewhere. It would also be an act of bravery though in the face of potential liability for libel. I doubt disclaimers would evade much of that.
I suspected as much as it disappeared from the ShinnyHunters page and it recovered so fast. The main thing I'm interested in knowing was how much was paid. Also I don't really like their statement that the data is safe or destroyed, those promises seem a little questionable with regards to these incidents.
>The data was returned to us.
It was my understanding that the data was copied[1]. You wouldn't "return" data unless it was encrypted or the originals were deleted. I am confused on this phrasing but maybe it is standard idk.
This is bullish on Monero[2]. The January pump may have been from a hack as well[3].
Here is Shinyhunters website. Canvas was listed on it[4] and then removed[5].
[1] https://www.youtube.com/watch?v=IeTybKL1pM4
[2] https://search.brave.com/search?q=monero+price&rh_type=cc&ra...
Being that this is HN, do we know how they got hacked? Can we learn something about protecting our services?
How does things like this work in terms of bookkeeping? How do they label the expense? Can a company send huge amounts of money to an unknown crypto account without needing to explain anything to the tax authorities?
I would love to know the amount of ransoms paid by large companies who've been compromised without the public being informed. How much that undisclosed amount impacts inflation and the economy today is not talked about nearly enough, imo.
> Has law enforcement been engaged? Yes. We've notified law enforcement, including the FBI, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and international law enforcement partners.
Hmm. I thought all these agencies say NOT to pay a ransom.
I'm curious about the open source competition (https://github.com/moodle/moodle is my first find, there are likely others) and what they could've made happen with that money if they had received it instead as an investment re: not worrying about future ransomware attacks.
I wonder if, longer term, we're better off if a company like this were in some way destroyed as a result of getting hacked and paying a bribe.
I think the stakes for getting hacked are far too low, especially at higher levels of management/executive where it's this abstract thing that has concrete time/resource costs.
How is Instructure getting away with paying off the ransomware hackers? Is that still legal in Utah or something?
What on earth does "returned the hacked personal data" mean?
I've seen half a dozen comments in this thread suggesting that paying hacking ransoms should be illegal, but I strongly disagree, for multiple reasons. I'll just make this a top-level comment rather than picking one to reply to.
(1a) Multiple have suggested that the US made it illegal to pay kidnapping ransoms. This is a misconception. The US adopted a policy that the government itself would not pay ransoms, but explicitly noted this did not apply to the victims. "The U.S. Department of Justice does not intend to add to families’ pain in such cases by suggesting that they could face criminal prosecution."
(1b) Despite this policy, the US pays ransoms anyways. Usually in the form of prisoner swaps, but in 2023 it released $6 billion in frozen Iranian funds in exchange for the release of 5 hostages[1].
(2) The belief that paying ransoms should be illegal is predicated on the belief that criminals will be less likely to commit the crime if there is no money to be made. This may be true for kidnapping, but that does not mean it would be true for hacking. Kidnapping is a high-stakes, high-commitment crime that requires physical presence and exposes the criminal to significant danger. If the criminal anticipates no reward, the risk-reward calculus skews them away from kidnapping. However, hacking is a low-risk crime. Even if the chance of reward is low, the risk is also low, so hackers are unlikely to be deterred from hacking. Many hackers will do it just for fun or to prove that they can. Moreover, hackers can profit in other ways, for example by selling the data on the black market, or by making use of the data themselves as a nation-state or corporate espionage actor. Hacking will undoubtedly continue as long as things can be hacked, regardless of whether ransoms are ilegal.
(3) Making ransoms illegal pushes the burden onto people who have no real ability to do anything about it. When a company fails to pay ransom, it is the customers who suffer. It does not materially affect the company in any way to have customer data leaked. The market has already shown, overwhelmingly, that it will not punish companies that leak user data. That a company pays a ransom to begin with indicates that they don't actually understand the market and/or have some small shred of a conscience. Rather than making it illegal to pay ransoms, I would rather see penalties for having a data breach in the first place, but once a data breach is assured, companies should be paying ransoms to try to mitigate the damage to their customers.
(4) The idea of trying to solve hacking by making it illegal to pay ransoms is ridiculous on its face. As long as systems are insecure, hackers will exist, so the legal emphasis should be on consequences for data security. The collection of PII that is not essential to providing a service to customers should be discouraged, and there should be real consequences for negligent security. There should be an investigative board similar to those for airline crashes and infrastructure collapse, which examines the circumstances in depth and identifies whether the company is at fault for negligent handling of PII.
[1]https://2021-2025.state.gov/briefings/department-press-brief...
There shouldn't have been a need to give into hackers, even highly successful hackers. If they're not doing air-gapped backups weekly, that's malpractice and hints at a substandard architecture and/or operations. On a short enough full backup schedule all of Canvas's customers should've been able to recover based on their own copies of assignments and test results. And a policy like that should've been in the SLAs.
In an education environment, there shouldn't be a need to trust software like Canvas for anything mission critical. In fact, if there's anything mission critical in a system like canvas it's an artificial need.
IOW Canvas had to have made themselves vulnerable to a ransom demand in the way that they designed their own product.
Michael Jackson paid the ransom and look what happened to him.
Given they were hacked multiple times, couldn’t they just be targeted again by the same or different group? Why would it stop here?
Got to scroll down to see the update.
(https://www.instructure.com/incident_update#:~:text=STATUS%2...)
It would be amusing to discover it turned out that the hackers were 14 year old teenagers, bored with school.
[flagged]
[flagged]
Years ago I attended a conference that had a "fireside chat" with a DoJ official on the topic of these types of ransom payments.
He framed the issue as being similar to kidnapping ransoms: When an American is taken hostage each family is inclined to make payment but it fosters an industry around kidnapping Americans. Congress put a stop to it by making it illegal to pay the kidnappers. The industry shifted by ceasing the non-profitable American kidnapping and instead began targeting Europeans.
His proposal was to begin warning cybersecurity consultants and insurers who were often brought into these situations that payments to sanctioned countries were already likely illegal and could face scrutiny. The first people to suffer this might be burned, but eventually he believed the industry would move on and stop targeting US firms.
Not sure if anything ever came of his plans, but I always thought it was an interesting framing of the issue.