What a bunch of idiots... Canvas
Posted by xendr0me@reddit | sysadmin | 300 comments
https://www.reddit.com/r/canvas/comments/1taj9mk/instructure_just_confirmed_they_paid_the_ransom/
"We received assurances that it will not be further shared on the dark web or elsewhere, and we received proof that any copies of that data were deleted. Further, we have been informed that no Instructure customers will be extorted as a result of this incident"
Obviously they have no business running a large technology-based infrastructure. They were unable to secure said infrastructure, and then they honestly believe what they just said above. They'll be hit again in the next 6 to 12 months, bookmark this post.
Just-a-dad-o@reddit
This was roughly the same line we heard from last year's major ed-tech breach. It sure is embarrassing to hear them talk like this, but it seems the job of a CEO or CISO is to play dumb when it suits them.
This is part of the security theatre. It's more important for the company to produce easily digestible press releases than it is to produce coherent secops policy. They'll do some visible shuffling around of resources and as always, whether their tech is actually improved will depend on the determination of underlings more than the drivel spouted from chief-gobs.
ClitToucher@reddit
It is in ShinyHunter’s best interest to not leak the data.
Because with their skills, they definitely will try again to attack another company. Think about it from their perspective.
If you leak the data, no one will bother paying you the ransom ever again when you compromise their data. They have nothing to gain and everything to lose by leaking it
Patchewski@reddit
Also, given that this is the 3rd time the same domain has been compromised in a short duration, you'd think they had ample opportunity to get their collective shit together.
GreatRyujin@reddit
How does that work?
Have they received a screen recording of someone deleting a folder named "your stuff" followed by an empty trash bin?
FloiDW@reddit
Those hacker groups live off their reputation. As crazy as it sounds, they have help desks and support guys working for them. If they start sharing and selling your data and that gets public, the next ones won't pay for not sharing their data, leading to a financial loss. It's just its own business, as crazy as it sounds.
Ok-Secretary455@reddit
I read one article about a 90-year-old lady that got scammed. But the scammers were so good they were able to get this lady to open a crypto wallet and fund it and transfer them money. I can't explain reddit to my grandma and they got this lady on the blockchain.
isvein@reddit
Happens more often than you think.
Just watch Kitboga, ScammersPayback, JimBrowning
cookpedalbrew@reddit
Thank you, I came here to say that people don't understand these aren't hackers, they are professional extortionists with their own ethics, and as you said their reputation is everything.
1z1z2x2x3c3c4v4v@reddit
This is the point. It's a business to them. They want the ransom money. To do that, they must hold up their end of the deal.
I have heard, through back channels, that the most successful and sophisticated hacker groups will eliminate other groups that don't play by the same rules. They want the money. It's a VERY lucrative business.
Proper-Charity-2850@reddit
Dragonforce moment
statikuz@reddit
That's the organized part of organized crime.
FarmboyJustice@reddit
They actually have conferences, where people attend and share tips and give presentations. They have door prizes and the whole works.
Red_Pretense_1989@reddit
There are only like 4 major players, and they've been around for a while. It sounds like you're talking about the RaaS kiddies.
swarmy1@reddit
Yep, if the data gets leaked regardless, why would anyone pay the ransom. A random anonymous hacker may not care, but a well-known entity like ShinyHunters has a major incentive to adhere to their word.
Generico300@reddit
Well you see, the CEO just lies and hopes you're a gullible idiot.
ChesterM54@reddit
I dealt with the Powerschool breach. It was literally a video of the attackers that showed them right clicking the 'files' and selecting 'delete'.
It's just as absurd as you think. Everyone with a brain thought - "well, that doesn't really prove anything" but the lawyers were all like "yup that works for us!"
Igot1forya@reddit
Then 5 minutes later - "restore snapshot" on the storage array. It's so absurd that ANYONE would accept a video of a file being deleted, like some kind of schoolyard pinkyswear.
WifiIsBestPhy@reddit
and that's assuming they didn't just copy and paste it five seconds before they took the video
EverNeko200@reddit
ShinyHunters are financially motivated to delete your files. If they didn't, nobody would pay the ransom.
Of course, there's no guarantee one of their members won't walk off with the data to use as leverage, but there's also no guarantee that I (as an employee of a company) won't walk off with a database to use against the company either.
L-xtreme@reddit
There can't be any trust. They are criminals.
kirashi3@reddit
Sure, but that doesn't prevent the data from magically showing up for sale on the dark web in 5 years under the hacking group name of DullRockers. Once data has left your control, assume it's compromised and act accordingly. I hope every student affected by this comes together to rake Instructure over the coals for compromising their Personally Identifiable Information, but... I'm not holding my breath.
wrosecrans@reddit
They are financially motivated to make it appear that paying them is worthwhile. That doesn't immediately mean it's their best or only move to actually delete it. They may not just dump everything at once, but there could be information in the hack that could be used for blackmail, compromising other targets, or selling, without the original target ever knowing. If China wants to buy some of your confidential industrial data that got "deleted", you won't know.
Red_Pretense_1989@reddit
No honor among thieves. Fuck that shit.
Uncommented-Code@reddit
That assumes the group keeps operating under their current name and reputation.
Once they dissolve, nothing stops them from going back and extorting you a second and third time, even one or two years later. Eventually that incentive will be gone.
Sk1rm1sh@reddit
You could probably still argue the same thing even then.
If people are paying the ransom and their data is dumped anyway, the next target is going to think twice about paying the ransom in the first place.
drkhead@reddit
There’s a reason that terrorists can’t hijack planes for ransom anymore. You get to shoot your shot once sometimes and that's it b
RabidTaquito@reddit
They're not financially motivated to delete the files. Only to demonstrate deleting the files. I guarantee you the files are on a disk somewhere. For that "just in case" moment.
WifiIsBestPhy@reddit
no, ShinyHunters are financially motivated to make a nice song and dance about deleting the files. They are also motivated to make sure that data is never traced back to them.
But they do not actually have an incentive to delete the files. There's probably a trove of username/password combos in there, and all sorts of personally identifying information. They just need to make sure that whatever they do with that is not easily traced back to them.
Sea-Aardvark-756@reddit
Canvas is financially motivated to keep their systems secure. If they didn't, nobody would pay for the product.
Speeddymon@reddit
You missed it.
dougmc@reddit
Well, the reality is that any sort of actual proof is absolutely impossible to provide.
But the statement itself is carefully worded -- it's "we received proof that all copies were deleted", not "all copies were deleted", it's "We received assurances that it will not be further shared" instead of "it will not be further shared".
This is a statement designed to make their customers feel better, but to not give anybody's lawyers additional ammo to sue Canvas with.
Unfortunately, by paying they've put a much bigger target on their back, and they've given the group they paid a huge incentive to lie about deleting the data and to instead start pretending to be another group who also hacked Canvas and now they want to be paid ...
It's a risky game. I hope it works out for them.
Igot1forya@reddit
My policy is DO NOT FUND TERRORISM. Period. Any company paying the ransom should be shut down. The customers will see nothing from this. We never do. Yet they keep their jobs and fund the next victim to be attacked and it probably will happen again. It only incentivizes the next criminal org as it's a clear profit center. There really should be laws against this.
If you get hacked, it's over. You're done. Deal with the loss. Paying might as well be an inside insurance scam.
rvf@reddit
Hey, if it's good enough for auditors to see a screenshot with the infallible time stamping device of the Windows clock, it's good enough for me!
pdp10@reddit
If you're not impressed by the force of willful belief displayed there, then never get into law, government, or economics.
jameson71@reddit
All those things run on proof. It’s only private business that runs on feels.
EquipLordBritish@reddit
I mean, there literally isn't a reasonable way to prove that something was deleted.
DL72-Alpha@reddit
Lawyers, and by extension insurance companies, operate on a rule of optics and visibility, not anything real. The fact that lawyers get paid for their 'service' is the real crime.
FastHotEmu@reddit
I dealt with corporate lawyers during difficult situations, and none of them would have accepted that. I dare say you had really terrible lawyers assisting you.
minitittertotdish@reddit
That's not at all what the lawyers say in ransomware cases like this. They are almost certainly data privacy attorneys that deal in DFIR all the time. Everyone understands that the "assurance" of data deletion is bullshit, we all understand and counsel that they almost certainly retain a copy of the data, even if they provide "proof". It also doesn't matter if they "delete" it or not for legal notifications, the act of viewing or taking the data depending on the jurisdiction means you have to notify.
ChesterM54@reddit
I can assure you that's what they said.
minitittertotdish@reddit
And what is your experience dealing with ransomware negotiations? Or is it just what you've picked up from r/sysadmin and r/ufo ?
ChesterM54@reddit
I have extensive experience. Stop being a contrarian for the sake of it. Nobody is buying it.
DFLDrew@reddit
That’s how law works. They solemnly swore. You wouldn’t expect a criminal to perjure themselves, would you?
ZeeroMX@reddit
Are those really lawyers?
airmantharp@reddit
Ah, compliance. How I missed thee.
entropic@reddit
We're all definitely in big trouble if we're reliant on lawyers to understand technology.
CollegeFootballGood@reddit
There’s no way
UnluckyPenguin@reddit
The year is 2100. All data is stored on a central quantum mainframe. The last independent data storage device was manufactured 50 years ago.
They told us the deletion was "provable"... a semantic contract signed in entangled qubits that altered the waveform of every shard referencing the file. For a moment I wanted to ask whether proof could be faked, but the mainframe's board of AI agents answered with unanimous certainty that made the hairs on my arms stand upright. Outside, the city carried on under laminated skies, unaware that a memory had been smoothed from existence. Inside, I found myself searching my own mind for ghosts the quantum law might have missed.
kirashi3@reddit
See, this is what happens when you let the Skyhook people build their mainframes using SANS ICS HyperEncabulator hardware without the rotational dingle arm deconstruction rotator stasis array.
Same_Recipe2729@reddit
The technical aspect of it doesn't matter, they didn't say it to convince you or any technical person. They said it to calm down tens of millions of angry parents and hundreds of millions of people who had their data stolen that don't know any better and might be less inclined to sue Instructure or impact their company's value.
spacelama@reddit
Ah that last sentence. I'm so glad hackers haven't heard of snapshots and VM storage.
TheOnly_Anti@reddit
But now that they've been paid, they have a reputation to uphold. You're never getting ransom again if everyone knows you're full of shit.
So even if they still have it, eh, no they don't.
DiseaseDeathDecay@reddit
Err, "shred logs" is a new one for me. WTF kind of log proves that the data wasn't copied prior to the deletion?
planeturban@reddit
This reminds me of when I had to deal with Microfocus and their goddamned license server for one of their products. The problem with it (apart from requiring a company to run a license server in 2016) was it didn't work well with virtual machines since it did some kind of fingerprinting of the hardware when starting, and that did not play nice when the order of interfaces and stuff would be detected in a different order. (At least I think that was the problem.)
Anyways, the first-line tech had me show proof of me deleting the file that held the license key. It didn't matter that I said I had, I had to send them the proof in the form of which commands I'd run. And it had to be EXACTLY as they said. So me going
# > license.txt
# cat license.txt
#
wasn't enough. I had to do rm license.txt; ls -la license.txt
Never mind I had to include my license key in the case, which then sent me a copy of my case. Which included the license key. And was copied in every mail reply. So there were about 8 copies of the license string in my mail.
yankeesfan01x@reddit
Microfocus, ick.
PM__YOUR_DMCA_CLAIMS@reddit
Recovery consultant for a firm here.
Yes that’s exactly what usually happens.
effedup@reddit
Yeah, I think they provided the logs too.
Yake404@reddit
Yup this needs to be higher.
Cley_Faye@reddit
Have you people never heard of the "pinky swear" tactic?
tamtamdanseren@reddit
It works in the sense that if this data leaks, said group will never receive money again.
GreatRyujin@reddit
And what's stopping the group from changing names?
It's not like they have to build a reputation before they can start extorting again.
dunepilot11@reddit
This is exactly what happens. These groups disband and recombine every year or two. The reputation part on their side is pretty short-term
wookiee42@reddit
Changing names just means the company might lean toward not paying.
_litz@reddit
I dunno ... I mean, we offer certificates of data destruction. But then again, we're a legitimate MSP with service contracts and all sorts of proper corporate stuff.
I can't even imagine how, from a compliance standpoint, one can actually make this claim legally, with a literal dark-web hacking group offering "assurances".
The lawyers are going to have oh-so-much fun picking this to pieces.
RangerNS@reddit
That isn't "proof" it is "assurance".
Given by a legitimate business with enough money worth suing, and enough reputation worth losing, and within a society of laws, then this is probably enough for most commercial purposes.
_litz@reddit
For a commercial company offering a Certificate of Destruction, that means the company is guaranteeing to the recipient the data is destroyed. Not erased, destroyed. Usually by feeding the medium into a shredder.
That guarantee is backed by both the company and its insurance provider, if the data should in fact be found not destroyed and gets compromised in some way.
It's ... not likely that "ShinyHunters" has ... well ... anything that can back up their claim of destruction that's more valuable than, say, a pinky swear.
The fact that Instructure is going out, publicly, and stating that they have a guarantee this data has been destroyed is baffling, and quite honestly, not worth the paper they printed the press release on. They have absolutely no legal backing of this claim. Like I said above, the lawyers are going to have fun with this. And make a LOT of money.
cptjpk@reddit
The guarantee would likely be backed up by external audits as well in case it was questioned.
_litz@reddit
Yes.
NoPossibility4178@reddit
You're selling your brand, the service is secondary because anyone could do it. For hacking it's the same. You say you deleted but didn't? No one is paying your ransom ever again.
Speeddymon@reddit
Am I missing something?
Does shinyhunters only go after US targets? Do you think CEOs and others in other parts of the world have heard about this beyond "some US education company was hacked"?
This news isn't big enough on the world stage to prevent others from paying if they haven't heard of this event. Sorry.
NoPossibility4178@reddit
Do you think other countries can't read English? Or even if it was the other way that American companies can't read what's going on in the world?
I'm not part of the group so you don't need to apologize to me lmao, but this is literally how it works and it's literally how it just worked for this group.
Speeddymon@reddit
No I don't think people from other countries can't read English. I was even thinking about places like Australia. A CEO for some company over there for example maybe hasn't heard about it as of yet and would still pay.
But I'm not sure I follow you when you say it's how it just worked for this group. If shinyhunters actually distributed the data after they gave the assurance that it was deleted even though the "evidence" is just a video, the group could still go on to ransom that example Australian company and get a payout as of now because there is nothing to say they have broken their word as of yet.
When they do break their word (and I'm sure it'll come out that they have eventually) then yeah I agree nobody anywhere would pay anymore, but until then the business and insurance world have to treat it the way they treat anything, by taking people at their word and suing them into oblivion when they prove to be a liar.
CurrentlyWorkingAMA@reddit
There is almost no way to prove it, legitimately or not. Unless you know every layer on the filesystem and hardware. Almost every layer could snapshot and be restored.
wrincewind@reddit
hell, with OCR, you could set up a system with a camera and screen and set it to scroll down, take a photo, scroll down, take a photo... churn it all into text at the end, validate the hash to ensure it was all copied correctly... it'd be slow and tedious but also undetectable.
WhatThePuck9@reddit
moldyjellybean@reddit
Pretty sure private equity KKR bought Canvas LMS, so they ruined that, backing datacenters that ruin cities and probably ruining everything that private equity touches.
Now that they know KKR private equity will pay, it's going to open the flood gates on everything KKR owns. Where’s the popcorn lol
DaftPump@reddit
This was akin to Powerschool a year back. Same story, different clown show.
North-Creative@reddit
Someone was rubbing the file with a physical eraser on screen. That'll show them
xendr0me@reddit (OP)
I mean this should be legit enough right.
theEvilQuesadilla@reddit
I hate with every fiber of my being that this is LLM slop
xendr0me@reddit (OP)
Every once in a while you can get a gem out of it :)
Ay0_King@reddit
🤣🤣🤣
ansibleloop@reddit
This is going on my wall
greenstarthree@reddit
Finally something I approve the use of AI for
retro_grave@reddit
It's clear as purple crayon!
https://youtu.be/7wqF2MRN8v4?t=198
brickponbrick@reddit
This made my day. This is so fucking good.
creamersrealm@reddit
ABSOLUTE GOLD!
GreatRyujin@reddit
As for me, yes, I would trust this certificate!
The tiny heart makes all the difference!
fearless-fossa@reddit
There is no stamp on it, it's fake.
Superb_Raccoon@reddit
Pinky swear.
Expensive_Plant_9530@reddit
It’s actually ironic because we recently attended a cybersecurity conference in which they laid out how there was a hierarchy of “reliability” among the cyber criminals to honour their word not to further extort you.
Some of them are considered quite reliable in this manner, as breaking their word will result in “less business” in the future from future victims.
Is that completely messed up? Yeah. But it’s a wild world we live in.
Generico300@reddit
I mean, that's organized crime. If you paid the mob for "protection", they didn't burn your shop down. If they did it anyway, nobody would keep paying.
VeryRealHuman23@reddit
I have heard similar... and I wonder if we were at the same conference.
To these assholes, it really is just business and they operate the same way. If the perception is gone that they won't delete/fix/unbreak after you pay, then their business collapses.
Expensive_Plant_9530@reddit
Yeah - for me? I’d rather rely on good backups and just burn the system down and reload from backups than pay a ransomware a single penny. But that’s just me, and that’s also assuming my backups don’t get nuked.
But I can see why some companies just pay.
wazza_the_rockdog@reddit
That's why the ransomware actors changed from just encrypting data to exfiltrating it too - you may be able to restore from a backup, but if the data being leaked will cause financial damage it can still make sense to pay. May also help you to avoid other payouts/legal action etc.
baegjag@reddit
They already restored everything, they paid them to not release confidential data.
heartbooks26@reddit
Yes exactly; it’s not that Instructure needed ShinyHunters to restore systems or data at all; they paid them not to release potentially FERPA protected data that had been stolen (e.g., course enrollments, messages between instructor and students, etc).
gravityVT@reddit
Most Fortune 500 companies and large enterprises carry some form of cyber liability insurance, and ransomware/extortion coverage is typically a core component
Nu-Hir@reddit
And those backups are just as vulnerable as your previous system was. Unless you've identified the intrusion point and have a fix before the backups go online, you're back where you started. If you pay the ransom and get your systems back, you can at least compare your backups to the restored data to see what changed and figure out what the entry point was and fix it.
I'm a firm believer of not paying ransoms, but sometimes it is better to do than not to do, especially if you don't know how they got into your system in the first place. If no one paid the ransoms then there wouldn't be a point other than the love of the game, and that doesn't pay bills.
1z1z2x2x3c3c4v4v@reddit
Why? It's a business decision. It's all about the money.
Are you also a firm believer in not giving large bonuses to the CEO? Or paying for large insurance policies? Companies spend money to make money. It's what they do.
statikuz@reddit
Those things don't have anything to do with each other.
Not paying the ransom (big capital bold IF you have other options) is the correct method. Otherwise you are encouraging bad behavior and supporting the ~~business~~ crime.
Of course, the "don't negotiate with terrorists" stance is great until it's not. If you have no backups and the options are a) pay the ransom or b) go out of business then you don't really have a decision. And there will always be targets that are susceptible to ransom demands, we just want to make those increasingly scarce.
monstaface@reddit
Every cyber security conference says this. They all repeat the same findings.
Bluetooth_Sandwich@reddit
same generic scripts pushed out every year. DEFCON is probably the only security focused con worth your time, the rest is slop.
DaftPump@reddit
Some crazy digital 'protection racket' like shit.
Expensive_Plant_9530@reddit
Basically yeah. It’s modern day digital racketeering.
NoPossibility4178@reddit
It's like paying "protection" money to your local government... What's stopping them from taking your things by force?
Expensive_Plant_9530@reddit
Reputation, is about the only thing.
Same thing with mafia extortion protection schemes. You trust that they won’t mess you up anyway because if people lose trust in their “protection”, then why pay at all?
Obviously many cyber criminals are not trustworthy in the slightest, just like many gangs and other criminal orgs. But some are.
flecom@reddit
and yet somehow still more ethical than oracle
NoPossibility4178@reddit
These guys have every incentive to be truthful, Oracle is basically the other way around.
Expensive_Plant_9530@reddit
I’ll take your word on that.
ConfigConfuse@reddit
Make it illegal to pay ransomware. Public institutions first.
ImaginaryBagels@reddit
This would only exacerbate the problem. Paying is already the last resort, so people would still pay, but now they'd have extra incentive to keep quiet about it too
VS-Trend@reddit
this is why you don't negotiate with terrorists.
pdp10@reddit
That's a dangerous assumption to make.
sir_mrej@reddit
False. Almost all businesses of certain sizes require cybersecurity insurance. Insurance will NOT pay unless other avenues are tried first. And a lot of the time, you can't get insured again or insurance costs a hell of a lot more if you pay once.
Audience-Electrical@reddit
No it wouldn't but I see your point.
If it's illegal to pay ransom, being a group that exists solely to profit off that can't any longer.
It's illegal for me to steal your things and ransom them to you, or to break into your home and sell my access back to you -- why should we pretend infrastructure is any different?
8BFF4fpThY@reddit
Put the people who pay terrorists in jail.
SirLoremIpsum@reddit
They just won't tell anyone ever.
Exposure is better for public.
SwedeLostInCanada@reddit
Relevant information https://www.congress.gov/crs-product/R46932#_Toc84418873
TLDR: illegal to pay sanctioned organizations/countries/individuals, not illegal to pay other criminal orgs. No precedent of prosecuting people paying ransoms for "return of their loved ones" (I guess they apply this to ransomwared orgs too). FBI does not support a ban for paying ransoms.
CHRDT01@reddit
Elaborating on that last point, FTA:
itskdog@reddit
The RPA "alternative-to-insurance" available to UK schools does have that as a provision, that they won't pay out for ransoms.
RedditDon3@reddit
So they destroyed the copy of a copy of a copy of the data?
Titan_91@reddit
"Squidward that wasn't the peace treaty, that was a copy of the peace treaty."
ahahum@reddit
3 passes with DBAN
MyPackage@reddit
Copy of a Copy of a Copy of a
matroosoft@reddit
Yeah but the folder wasn't labeled copy
xendr0me@reddit (OP)
I mean they pinky promised, what more do you want.
Nu-Hir@reddit
Their reputation actually necessitates them actually doing it. If word gets out they don't keep their word, lawyers and the FBI will tell people to not pay. If they want to get paid, they need to keep their word. Otherwise, they're just doing it for love of the game.
AlexisFR@reddit
To be fair, most hackers are honorable like that, they just do that to fund their anarchist lifestyle!
sobrique@reddit
There is a perverse sort of honesty to this sort of thing, but mostly around how it helps getting paid if there's less reason to doubt it's a waste of money...
RedditDon3@reddit
Did they raise their hand and swear to G as well?
xendr0me@reddit (OP)
As long as it was Warren G, then it counts.
RedditDon3@reddit
Regulate that!
Hebrewhammer8d8@reddit
Mount Up.
SenTedStevens@reddit
Sweet! So they didn't get my NEWESTNEWSuperImportantCollegePaperEDITED.docx.
Nekrokosmic@reddit
Black hat groups that target large companies usually won't release the data if the ransom is paid. But you’d be really ignorant to believe they truly destroyed their only copy of it.
L-xtreme@reddit
Unbelievable that in 2028 data is sold from this hack! No one expected that! Seems like criminals are not to be trusted? Unbelievable!
LameITDude@reddit
The decision to pay is usually the result of lawyers and cyber insurance companies, not the tech teams. The details of the initial access method they exploited with the teacher accounts haven't been fully released either, so we don't know if this was negligence. I sincerely hope you do not have to experience going through this. I feel your frustration is better suited targeting lawmakers and against groups like Shiny Hunters themselves.
SifferBTW@reddit
I work K12 at an institution that uses Canvas. They have actually been very transparent about the whole thing. They didn't divulge the exact attack chain (likely due to legal reasons), but they told us the vector and what they did to remediate it.
They are still somewhat negligent, though. They basically admitted they didn't have EDR/MDR prior to the second breach. One of the reassurances they gave us was that they were "now leveraging crowd strike".
NullTermination14@reddit
XSS in the support portal: a support agent triggered the payload, then they issued tokens for the internal APIs. They were doing XSS sanitization at a per-endpoint level with basic filters and had no JIT or data segmentation, or approval process for accessing customer data for the support staff. So yeah, kind of negligent.
yankeesfan01x@reddit
Interesting. I'm assuming the Canvas support portal had a public facing form you could fill out so the TA included the link in that which the support agent clicked on in the ticket?
heartbooks26@reddit
They have a platform called Canvas Free for Teachers that dates quite a ways back to when many schools didn’t have an LMS (especially K-12) and they wanted to offer a platform to teachers. Pretty much anyone can make courses there. The TA made a course in that environment, then put code in a certain type of element/module within the Canvas course. Then they opened a support ticket with Instructure because they were having an “issue” in the course that they were a Teacher of. Then the support person accessed the thing within the Canvas course and then technical stuff above my head happened (cross site scripting? Stealing session data from the support person to get a site admin token? Idk). From there they were able to get into an Instructure web portal that normal clients (institutions, etc) *don’t* use, and that let them extract data (user names, emails, institutional IDs in some cases, messages in some cases, possibly course/enrollment data but they are still confirming that).
They paid for the data not to be released; there was supposedly no loss of content/control and no theft of credentials for integrated technologies in individual instances.
LameITDude@reddit
From what I'm reading this was a followup to the initial ransom and was used to deface portals and apply pressure to get Instructure to pay. My main point is everyone is pretty quick to victim blame for having missed some vulnerability somewhere. Insurance companies keep this cycle alive and well, and until the federal government says it's a crime to pay we will keep seeing this.
NullTermination14@reddit
Second attack was also XSS; it used the templates feature to push custom CSS and didn’t access any data.
Agree on all your points though.
old_skul@reddit
My local school district just switched from Powerschool to Canvas.
Powerschool is the one that got ransomwared last year.
SifferBTW@reddit
Powerschool is a student information service and canvas is an LMS. They are two completely different products. Switching between them makes no sense
Nemesis651@reddit
So I was talking to another security rep about this, this morning. This is the 2nd hack/breach of an education company in under a year. Both paid to have data "deleted". All this is showing is that if you hack an education data company, you get easy money.
Considering for this breach they got compromised twice, I wouldn't be surprised if the same group still has an access route there, and sells it and takes a cut when the company pays out again.
SifferBTW@reddit
I work in K12. ~75% of school districts within 100 miles of mine have been ransomed. Education and education-affiliated companies have been a prime target for many years now due to the amount of sensitive data we have, just like healthcare. You're only hearing about it now because of the visibility and transparency of PowerSchool and Instructure.
Unfortunately we are just an easy target and everyone knows it. We have an abundance of data and tiny budgets. I'm the only cyber position in my district of 20k staff and students. The vast majority of districts in my state have 0 cyber staff. We can't afford shit like mdr or 24/7 soc either.
SifferBTW@reddit
They paid quick. I work in K12 and last week ShinyHunters posted every institution they had data on, and the post was gone by Friday morning.
It's common. Bad actor says they have a bunch of your data and asks for a ransom. Victim calls their bluff and refuses to pay. Bad actor shows "proof of life." Victim pays. Bad actor takes down proof.
ShinyHunters is a professional cybercrime org. If they leaked data after a ransom is paid, it would deter future victims from paying. You're only seeing this example because of how much exposure this got and how transparent Instructure is being.
Reelix@reddit
Remember back in the days where the US WOULDN'T openly pay terrorist groups?
:/
tindifferent@reddit
Doubt it; if so, then future ransoms will never be paid.
Ransomware groups need their victims to believe that paying ransoms works. If you pay the mafia and your shophouse still burns down, no one is gonna pay.
If anything teamPCP now needs to make sure no one else compromises instructure.
But yeah, they are a bunch of idiots
Short-Legs-Long-Neck@reddit
Any user of this system knows, it will be under constant attack, since the attackers get paid here.
FounderShift@reddit
Paying the ransom was bad enough. But the press release is the real embarrassment: "we received assurances." From who? The criminals? That's not assurance, that's wishful thinking with a receipt. The data is already copied, sold, or sitting on three servers they forgot to mention. The 6-12 month prediction is generous.
FourEyesAndThighs@reddit
They didn't pay the ransom, their cyber insurance did.
SirLoremIpsum@reddit
To be faaaiir...
Ransomware people need some measure of credibility, otherwise no one will ever pay.
Their goal is to get you to pay, and if you pay and your data is still encrypted or leaked, no one will ever pay that org again.
If you get hit and don't rebuild everything from scratch and in a secure way, that's on you.
I don't think it's absurd when you note the scammer has a financial motive to be honest. It's not just about this hack.
It's about the next 10.
Ransomware was a little more clean: "oh, you got CryptoLocker v4, if you get encrypted don't pay, they won't unlock it" vs "hacker group xx who change their name".
You're assuming these hackers are kiddies or just crazy people. They're organised, profit-making shady networks. Unlocking and respecting data deletion is important from a financial motive.
Sockbabies@reddit
This is true. I was part of a company that suffered a major ransomware. The cyber company we hired and the FBI both said that if we paid them, they would do exactly what they promised. If they didn’t deliver, prior victims would speak out and no one would trust them enough to pay.
the_marque@reddit
This. People just don't get it.
Canvas made it clear that they, of course, can't know with certainty that the data is gone, but they thought it was worthwhile for users' privacy to pay up anyway.
Criminals may be criminals but their "business" is finished if they are not good on their word.
Canvas had better hope they've beefed up their security big time though because it does make them a prime target for attacks.
Kat-but-SFW@reddit
Also, history has shown it to be true for however many tens of billions of dollars the ransomware industry has made.
nestersan@reddit
Unfortunate accidents have happened to people who didn't return the data by the bigger crews
Charming-Medium4248@reddit
Devil's advocate - ShinyHunters actually makes more money (and limits their attack surface by not committing MORE crime) by keeping a deal and deleting the data.
If it happens to another company, they'll look and see that hey, that hacking group actually didn't release the client information after the Canvas breach so they're being honest.
And the companies who offer cyber insurance will start changing their policies because it's payday for the "honest" hackers.
nut-sack@reddit
Oh really? Which other companies did Canvas consult? It's not like these groups can't just rebrand and keep going.
MarubinMgd@reddit
6-12 months seems to be a bit too fast since it could potentially kill their money-making scheme. Maybe 5 years or so under a different name.
nut-sack@reddit
Yeah, I can see the headline now: "ReflectiveBallBags have compromised Canvas2 and are demanding ransom."
Great-Cow7256@reddit
How much ransom did they pay?
The-Jesus_Christ@reddit
The thing is - If they do sell the data, then it compromises their ability to get other businesses to pay as they'll go "Well you'll release it if we pay or not" and so just won't.
legrenabeach@reddit
To all those pointing out that hackers have to keep a good reputation by actually deleting data when they get paid their ransom: if they did sell the data on, in a way that doesn't link back to them, how would people know anyway?
The vast majority of people still use the same email address and same password for most accounts, making it impossible to be certain where a leak or ID theft etc came from.
the_marque@reddit
Yes, but it has to be done very carefully to not link back to them. They wouldn't just onsell the data in a big dump tomorrow. The more likely scenario, if anything, is that after the group folds any data they kept as insurance ends up leaking out.
If the public will never know, the victim company doesn't actually care either.
SirLoremIpsum@reddit
Fairly easy correlation.
People have attributed data to specific hacks all the time. 10 customers' data, what do they all have in common?
If your hacker group gets a bad rep, no one will pay ever. That's the truth. That's a fact. Your group has certain tells, certain tech, certain crypto-locking signatures. If you're not honest, you're now hacking for fun rather than for profit.
grnrngr@reddit
Correlation.
Yes people use the same credentials in a lot of places.
But some people don't.
So if there's a data dump later on that shows a set of credentials with "MyCanvasLogin123," or something similarly made just for Canvas login, then you know where it came from.
legrenabeach@reddit
If they get hacked via credential stuffing it won't be a bespoke password. Also if they get phished or ID-theft'ed due to the knowledge a scammer can extract from that data they most likely won't know where it came from. Most if not all people would be rushing to cancel cards and update credit agencies, not posting online "ShinyHunters are liars, don't trust them again with your ransom money!".
Audience-Electrical@reddit
"We are incompetent and cannot secure our Infrastructure. We have decided to give some of your money to the hackers because of that incompetence. We will not be held responsible for anything, as nearly every American has accepted that companies are more important than people. We will continue to provide an overpriced LMS, and fortunately you have no other options. Thanks!"
the_marque@reddit
There are other options, but really every platform like this just drips of poor security. Even as a regular user, you can just ... tell.
sgt_Berbatov@reddit
This really ought to be pinned on r/ShittySysadmin
xendr0me@reddit (OP)
While I agree for just the exposure, this was a super high level business decision made by folks with way less knowledge about I.T. and higher up on the internal food chain there.
peakdecline@reddit
This isn't a decision for IT to make alone and by and large isn't a decision that's predicated on IT knowledge. This is a business and legal decision with some high level IT consultation.
Does your employer have cyber insurance? Have you not run through these scenarios with your senior leadership, lawyers and cyber insurance company? When you'll pay the bad guys in these situations is, or should be, already decided before you end up in this situation.
clexecute@reddit
Yep, anyone who thinks IT has a seat at the table in this instance for anything other than a scapegoat is smoking crack.
In my environment, if we get wind of a breach, our first call is to risk, who calls cyber insurance, who tells us what to do.
The moment an organization with cyber insurance is owned the #1 priority is to maintain the integrity of that claim, nothing else matters.
Hot-Meat-11@reddit
> decision made by folks with way less knowledge about I.T.
If your company is named "Infrastructure" perhaps your SLT should be made up of people who at least have a clue what that word means.
But, such is life in the time of maximum financialization and shareholder capitalism.
CantaloupeCamper@reddit
No sysadmin made that call…
neminat@reddit
should be shittyexecutives. The Sysadmins had absolutely nothing to do with this decision.
TimePlankton3171@reddit
What is this even all about? It was my understanding that crime is illegal.
bruhgubgub@reddit
You must not watch coffeezilla. Crime is absolutely legal
Kat-but-SFW@reddit
Stop stifling I N N O V A T I O N
AHrubik@reddit
I agree it's absurd but ransomware is an actual business these days run by adults making money rather than some backyard sociology protest run by kids. Their reputation is only as good as their word and if they can't deliver on their side of the agreement people will stop paying them. It's just that simple.
In response to the inevitable: yes, they could also only be interested in short-term payouts before just setting the whole thing on fire, but such is the world of crime and payouts. There is no trust, only reputation.
Fairlife_WholeMilk@reddit
You know this is pretty common? Right?
Trust is one of the biggest MOs for these blackhat groups. If they break that trust by leaking data they promised not to they risk not getting paid by other companies in the future.
xendr0me@reddit (OP)
Yeah, I get that they would poison their own well. But what's to stop a member from repeating this under a different group name, or the data that was already released from being used for extortion?
Point is this is a lawless trade, so it's not like their promises hold any weight.
Fairlife_WholeMilk@reddit
Again their promise holds the weight of their entire business essentially. If they start breaking those promises absolutely no one is going to pay them.
Today these groups are VERY organized with HR departments and set up like official companies. I have a strong feeling they would go after anyone who was doing something that would harm their company. Such as destroying their trust.
xendr0me@reddit (OP)
They still answer to no one, when it comes to the law. Plus you always have internal strife, with no controls in place should someone get pissed in their circle and go rogue.
DivHunter_@reddit
That's the one. Everyone in the chain has their own copy. Proof of deletion is a fantasy.
Fairlife_WholeMilk@reddit
Yeah, that's not how this works. They aren't a rogue organization. Do you have a copy of every data set at your company? Probably not.
I imagine the security for these Blackhat groups is even tighter considering they have government agencies looking for them all the time as well.
DivHunter_@reddit
It's exactly how this works, and groups like LockBit have been found to have all the data after ransoms were paid. "Deleted" data has been used to extort downstream victims. Data has shown up in larger data sets after the fact.
It's such a weird thing to assume a criminal organisation extorting companies would act ethically, or that its members would never do something against the org because hackers notoriously stick to corporate policy...
I've previously recovered sites after crypto locks, you restore from the backups and get on with it. Indeed in Australia it's illegal to pay many of these groups so companies have no choice.
xendr0me@reddit (OP)
u/Fairlife_WholeMilk is running PR for them apparently with the comments and downvotes.
axonxorz@reddit
Wow, your comment is literally "see, [other person], someone agrees with me, [character attack]".
Senior sysadmin with this level of pathetic? Checks out.
They engaged with you respectfully, yet here you are.
Indecisive-one@reddit
Fairlife hasn’t said a single thing that wasn’t true. You really seem to not want to hear it though.
Fairlife_WholeMilk@reddit
Funny thing is I hadn't downvoted a single comment until you made a completely unnecessary remark.
Sorry I've worked with people who have dealt with some of these black hat groups directly and have a little more knowledge I guess?
charleswj@reddit
"someone disagreed with me, they must have an ulterior motive!"
Ummgh23@reddit
On that I agree, insofar as there is no actual proof of deletion. It is still in their best interest to keep their word if they want to continue making money.
jeremiahfelt@reddit
Have you looked at the shape of the world?
Companies in general don't answer to the law. Especially when it comes to gray areas where technology has far, far outpaced what the law is equipped to manage.
uebersoldat@reddit
Bright-eyed and ideological college kids on here man. It's a nice thought.
Indecisive-one@reddit
It’s interesting to watch, knowing I was surely once that kid.
OP really seems to not want to hear the truth, because it does fly in the face of everything you grew up believing in law and justice.
Ummgh23@reddit
The risk is the same as an employee in your own company or a partner company going rogue. As the other commenter said, these hacker groups are set up like companies and act like it, even if their business is illegal.
uebersoldat@reddit
They are making a lot of money. I would imagine it's not some kind of meth house with a bunch of back-stabbers. These guys probably walk down the street in a suit and tie in their 20's and you'd never know it.
the_lonely_potato@reddit
You're fundamentally misunderstanding something: criminal networks and black economies fundamentally operate on trust; it is the only currency. Think about it, there is no contract law, no higher authority, etc. If reputation goes, business is gone.
Indecisive-one@reddit
Law and reputation are very different in this world.
Fairlife_WholeMilk@reddit
Bingo
draconic86@reddit
They answer to their "customers" as much as any other business, at the end of the day.
Muggsy423@reddit
Spoiler alert: this exact scenario played out already when powerschool was hacked. Random groups threatened to release the same data that was supposedly deleted.
Fairlife_WholeMilk@reddit
You realize this kinda only supports my comments, right? PowerSchool was hacked by a 19-year-old kid. Not an organization.
The 19-year-old kid probably posted the data in forums or group chats bragging about how he did it. Something you would never see from an actual hacker group.
Jhamin1@reddit
What prevented other people from competing with Al Capone's bootlegging? Violence.
Same deal.
ElvisDumbledore@reddit
Works the same for kidnapping.
tmontney@reddit
Doesn't make it any less ridiculous, especially since they were hit twice by the same actor in less than a month. It's all done on faith at this point.
I just want for once a candid response instead of this corpo fluff piece that absolutely no one is buying. Read the room, sheesh. "Hey, we screwed up. Bad. We got hit twice. It's ironic we are paying but it's legitimately the only way. You should never trust us ever again."
Fairlife_WholeMilk@reddit
Yeah because they didn't pay the first time and failed to patch correctly lol. ShinyHunters did EXACTLY what they said they were going to do lol
mitharas@reddit
It's really sad how many people here don't understand this. It's really basic logic, especially for an established group looking further than the next few months.
If this hack had been by elitehaxors69, nobody would believe them. And no one would pay the ransom.
Library_IT_guy@reddit
There's no way they don't keep a set of the data though, for future sale. Like sure, if I'm a hacker, I'll provide "proof" of it being destroyed and then I will just sit on the copy of the data until many years down the road, when everyone has forgotten about this, and then sell portions of the data off so that it isn't super obvious. That's just common sense. You don't destroy something that could yield profit down the line.
colinzack@reddit
“You don’t destroy something that could yield profit down the line.” You mean like their reputation?
Library_IT_guy@reddit
What reputation? Dude, they are criminals. They have no reputation. There's no way you could ever convince me, based on "just trust me bro", that they would keep their word.
colinzack@reddit
Everyone and everything has a reputation whether it’s positive or not. The minute people know that this group leaks information, they’re never getting paid again. The cyber insurance team has a massive list of all of these groups and their reputation, trust me.
Why do you think they give themselves a name in the first place? It’s to build up a reputation.
Jaereth@reddit
I think this is the exact MO.
We got some notification once that several of our Email accounts were being sold on "The Dark Web" ™
It was all accounts that the owners had left the org before I even started. 10+ years ago. Not a single one of those users still existed in AD. Some "leak" that was...
SirLoremIpsum@reddit
All the clowns here treat this as a script kiddie or a random crazy dude.
And not the smart, business minded hackers that treat this as a profit enterprise.
NoPossibility4178@reddit
A lot of people don't see it that way due to the whole "don't negotiate with terrorists." The key difference is that terrorists aren't running a business.
angrydeuce@reddit
I've heard rumors that there have been cases where they've actually provided IT support to fix the shit they themselves fucked up once the ransom was paid.
Granted, they're still scum-sucking bastards of the highest order, but like you said, if they just turned around and fucked people over with the ransom paid then they would never get a ransom payment again. That's why this works.
I just hope that the FBI is tracking that ransom.
axonxorz@reddit
I can confirm this firsthand, though not for this group. People go to 9-5 jobs in commercial buildings to provide basically L1 and L2 tech support for victims, it's in their interest that clueless CFO/IT director can pay and recover.
The org I was with got hit by the Ryuk ransomware in 2019, we knew it was Russians at the time, and hindsight confirms that it was Wizard Spider based on how they operate.
They purchased credentials that were compromised in another attack and used that to chain to an internet-accessible RDP to our MS NAV instance. This was "required" by our MS Gold partner. Funny how they get concerned that their staff could have picked up the infection from our system and provide their NOC IPs afterwards for whitelisting.
Anywhoo, long story short, we never paid, we simply couldn't. They wanted like $11CAD in ₿ equivalent for a company that nets ~$1m in profit per year. It was a cross-Canada construction products supplier, so we did big revenue numbers, but margins are reasonably tight. Wizard Spider can understand some figures, but they're not accountants. Trying to make them understand that their asking for a decade of profits wasn't realistic was met with meh.
I was lucky that I had stashed some backups in an S3 bucket relatively recently, we "only" lost 2 months of transactions. Most of our systems were Linux, they completely ignored those.
AnsibleAnswers@reddit
It’s also the basic logic of any ransom demand. As far as threat actors go, ransomers and pirates are by far the most honest. It’s in their own interest to be.
rosseloh@reddit
Now if only pirates in multiplayer open world space games could figure this out. (/s - yes I realize that the lack of real-world consequences is why they tend to just act like chaos gremlins instead of actual "pirates")
spyingwind@reddit
Ransomware used to get paid, until one person/group decided not to send the decryption keys.
"All it takes is one person to ruin a good thing." - Somebody
uebersoldat@reddit
Like most of reddit, reality eludes them in favor of ever-shifting ideology.
Ganjanium@reddit
“ShinyHunters” will keep their word but the mysterious threat actor “HuntersShiny” will breach them again in 6 months.
Fairlife_WholeMilk@reddit
If they're breached again via a different method then that wouldn't really be breaking trust. I don't think anyone ever promises to not attack you again.
Ganjanium@reddit
It feels like that’s what Instructure thinks has been agreed.
Nix-geek@reddit
I kind of get it. Why do ransomware if you prove that you'll release the data after payment?
QuantumRiff@reddit
United Health paid $22M in bitcoin when one of their companies had both of its datacenters completely compromised and powered down: https://www.cnbc.com/2024/05/01/unitedhealth-ceo-says-company-paid-hackers-22-million-ransom.html
The group that got the payment screwed their partners out of it, and the partners still had the data, so they then demanded more ransom: https://hyperproof.io/resource/understanding-the-change-healthcare-breach/
colinzack@reddit
You can tell people in here have never dealt with this before by the replies.
Fairlife_WholeMilk@reddit
Tbf it's a sysadmin sub not cybersecurity
cdoublejj@reddit
Until the group splits up in X or Y years and a disgruntled member pulls out a personal backup.
Muggsy423@reddit
As everyone knows, shinyhunters operates with honor, and has totally never just turned around and blackmailed the same company with the same data.
Golden--@reddit
Wouldn't shock me if they had a dead man's switch for if/when they get arrested that posts everything anyway.
B1tN1nja@reddit
Trust me, I'm a criminal. Trust me bro.
They didn't delete the data. They're just not releasing it...
robreddity@reddit
So is sitting on a glaciered copy and warming it up a year later, under a different name, backstory, set of contrived circumstances. Blackmail is blackmail, and the same motivations that extracted payment once will pay off again because they paid off the first time, and there is no etiquette to crime.
Fairlife_WholeMilk@reddit
Ahh yes the new differently named group just happened to grab that exact same set of data but it totally has nothing to do with the original breach. I am sure everyone will believe that.
ranger_dood@reddit
And has no new data past the date of the original compromise. I'm sure that's totally irrelevant.
Fairlife_WholeMilk@reddit
It's all just a coincidence. I swear it's a new group
draconic86@reddit
Yep. I was gonna say, there's a reason they have a name that they push in their hacks. It's branding. And if they want to keep getting paid, they've gotta keep that brand name "reliable" such as it is. Soon as they start leaking info, there are no more assurances that they can provide to other victims, and the business model collapses.
IT security training likes to make a big fuss about never paying the ransom. But it's kind of an open secret that yeah, sometimes paying the ransom is the winning play you have left, when you're caught with your pants down.
domesticbland@reddit
My child missed two days of coursework. Amazon determines my child’s education. Oh okay, heard.
ciabattabing16@reddit
Look at it like this. Despite major breaches like this in healthcare and private industry every year, no one, absolutely no one, has leaked my information more than my own Federal Government. Thanks to their leaks, and repeated security issues, my family, kids, and extended family all have to have credit freezes and all sorts of things. Yeah, you're probably right, Canvas will likely get nailed again. But so will the government. You just have to operate as if your basic info isn't protected. Because it's not.
FastHotEmu@reddit
Sure, other situations may be worse than this one. But that doesn't really change the fact that this one is an amateurish mess.
FastHotEmu@reddit
Relying on honour among thieves, eh?
These guys are cowardly amateurs. I wouldn't trust a cent to them.
Temporary-Library597@reddit
"Oh, you promise all that data won't be sold after we shell out all this money? I mean, you'll be honest after committing wire fraud and extortion, won't you?"
tmontney@reddit
Payment may seem ridiculous but it's not the issue. They shouldn't have been hit twice in a matter of weeks, they shouldn't be in a position to have to pay. However, I'm not aware of an explanation/PIR so it's unclear how avoidable this was. With these types of institutions, I'd assume a moderate level.
Oftentimes the same attacker will double-dip, as they've done here. I believe on the basis of reputation they may not try again. However, there's no saying another attacker (possibly one spun off by the same attacker, like a shell corp) won't hit them (due to this messy nature).
Test-NetConnection@reddit
The only way attacks like this stop is the federal government banning cryptocurrency. Crypto has value because it can easily skirt sanctions and can be used for illicit transactions. If ransomware operators need to be paid in USD the transaction can be tracked, which poses too great of a risk. This is our government's fault, plain and simple.
Darkhexical@reddit
There's ways around that as well. Indian phone scammers have been accepting wire transfers for years.
Test-NetConnection@reddit
Those transactions are readily traceable and, with enough political will, enforceable. At a minimum the government can prevent banks from completing wires to sanctioned countries, a capability that doesn't exist with crypto. Banning crypto is the only way ransomware stops.
ITaggie@reddit
That's really not in the control of the government to do... that's kind of the entire point of it
Test-NetConnection@reddit
Coinbase needs to work with banks to operate. Ban crypto and the exchanges go away. No exchanges means the value of crypto evaporates overnight.
ITaggie@reddit
Exchanges are not a necessity, they're just a convenience. Crypto existed before the big popular exchanges we know today.
xendr0me@reddit (OP)
Plus laws, when you willfully and knowingly comply with a ransom for cryptocurrency then you just become a willing victim.
Test-NetConnection@reddit
The problem with these laws is that there is no way to prove that a victim paid a ransom. There is nothing stopping instructure from buying a shit ton of crypto on coinbase, transferring it to a paper wallet, and then sending the balance to shinyhunters.
Ams197624@reddit
The thing is a federal government might ban cryptocurrency, but that would not stop anyone from actually trading it.
Test-NetConnection@reddit
The issue isn't the trading. It's the legal recognition, regulated exchanges, and ETFs that make crypto function as an asset. If you get rid of the legal recognition, the price of Bitcoin will go back to pennies.
xendr0me@reddit (OP)
Then how do you expect the Congress members to get their bribes and off-the-books money laundering done?
Niceromancer@reddit
6 to 12 months? Try 6 to 12 days.
DiligentPhotographer@reddit
It's the classic costs less to pay the ransom than the money lost being down while restoring backups.
NightOfTheLivingHam@reddit
I'd have more respect for them if they said, "Yeah, we're just going to restore everything from backup, fuck these guys."
xendr0me@reddit (OP)
Backups? lol
Hebrewhammer8d8@reddit
They have shitty backups and recovery for their data and services if they are paying.
lenswipe@reddit
https://www.reddit.com/r/canvas/comments/1taj9mk/comment/ol9x7p9/
lmfao
0oWow@reddit
I would have a larger measure of trust of a ransomware hacker than I do Microsoft, Apple, Google, Facebook, Amazon, etc...
largos7289@reddit
Yeah, we don't get much filtered down to the school level here, but we were informed that it was down and that there was an incident. We would not have gotten this info, thanks.
Sengfeng@reddit
There’s truth to “honor among thieves.” If they shake someone down and then release the data, there’s zero chance anyone would ever pay a ransom again.
antanith@reddit
Hey guys, ShinyHunters must have provided a SOC2, ISO27001, or CyberEssentials Plus certification and the accompanying data deletion policies. /s
Bodycount9@reddit
Now I wonder how much they paid them in bitcoin.
Confident_Tour8432@reddit
They likely paid the ransom at the advice of the FBI. They wouldn't have done so unless it was advisable.
TimePlankton3171@reddit
The ridicule isn't about paying the ransom.
xendr0me@reddit (OP)
https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-frauds-and-scams/ransomware
"The FBI does not support paying a ransom in response to a ransomware attack. Paying a ransom doesn’t guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity. "
In Florida, we (government entity) are actually not permitted by law to pay any ransomware.
AdvancedWrongdoer@reddit
I feel like it was pretty obvious they paid the ransom. They demanded pay by end of day and my district got emails saying access will be restored by end of day.
I mean, I didn't need to think too hard to put two and two together to know they caved. I'd say 'what else could they have done' but if there were solutions, it was probably easier to just fork over the money at this point. Kind of a shame.
Zathrus1@reddit
Counter argument - do you have proof of this group ever doing so?
The far more likely thing is that they datamine for useful information to blackmail others that’s not directly traceable back to Canvas.
And 100% they will try to break password encryption and use that to try and hack other sites with the same credentials. But idiots that reuse passwords couldn’t possibly track that back to any particular hack.
Muggsy423@reddit
See the PowerSchool hack by the same group. Other groups got ahold of the same data and tried to squeeze PowerSchool for more money after the fact.
Zathrus1@reddit
Thanks. Given that it was a very similar target, I’d certainly be concerned about the validity of their statement.
And contrary to what others are saying, this doesn’t look like a cohesive, corporate-like group.
Muggsy423@reddit
It's not. It's a bunch of criminals that talk to each other through telegram and dark web onion sites and agreed to a funny meme group name based on pokemon.
Look at who they have targeted, there's a reason there are so many school infrastructure companies on the list, it is angsty teens with too much time on their hands hacking systems they are forced to interact with.
jwalker55@reddit
The assurances: trust me bro
CeC-P@reddit
Anyone who pays a ransom should go straight to jail for funding terrorism, drug rackets, foreign adversaries, and encouraging and funding criminal hackers.
SpotlessCheetah@reddit
They did the opposite of what the FBI has said for about a decade now.
CBOW_IT@reddit
This group is supposed to be true to their word, for whatever that is worth. These ransomware groups do try to adhere to a pretty strict honor code when it comes to this stuff because if they didn't companies wouldn't pay.
It sounds absurd, but most of these groups run like real businesses with the same hierarchy and bullshit as the normal corporate world. Odds are they still have a copy somewhere, and the real threat is if the group disbands or they have some disgruntled threat actor that decides to say fuck it and dump all the stuff they supposedly "deleted".
Indecisive-one@reddit
I doubt your infosec team has the same overconfidence in your infrastructure as you do.
madbadger89@reddit
No infosec team does. In God we trust, all others bring data.
Jaereth@reddit
Buddy of mine said a consultant they hired recently - like in 2025...
requested that they email back all the PDFs he had provided to them when they terminated his contract.
Like yeah dude, I'm not surprised you're getting fired...
Dosordie76@reddit
If one thing is certain, nothing is secure; others are just less secure. They are lazy bitches heading for the low-hanging fruits, as we all do.
uebersoldat@reddit
It's generally a finely-tuned system. Ne'er-do-wells have already looked at the company's books. They'll ask for an amount that won't kill them (in an effort to actually get paid) or a sum just over what their cyber-insurance will pay.
They aren't out to cancel you or stalk your family and have nothing against you or your company personally. They are just looking to get paid and to those ends they won't destroy you.
Bluetooth_Sandwich@reddit
What does it matter? There is no accountability at this level, getting upset over it does nothing. That's not even touching on the fact that these type of breaches coincidentally provide free data to the various brokers & AI companies that otherwise wouldn't have access to such data.
Smells like shit to me
gurilagarden@reddit
Tech-bro ego is so weird, and it's statements like this that really make me cringe. Give me an hour, a paper clip, duct tape, and proper motivation and I'll have complete control of your internal network. Nothing is safe, stop pretending you know what you're doing, and that everyone around is just less competent than you.
pdp10@reddit
They may or may not be idiots, but they most assuredly think little of their audience.
Humble-Plankton2217@reddit
I can't believe they paid. They're globally known as a "paying customer" now, and more attacks are surely imminent.
cdoublejj@reddit
!remindme 10 months
cdoublejj@reddit
DO attribute what can be incompetence as malice!
FedUpWithPeople26@reddit
My gosh, how naive can you (Canvas) be?
bjc1960@reddit
Any OFAC violations with this payment?
Superb_Raccoon@reddit
RICO?
Great_Witness_1871@reddit
But how does this whole thing work, actually?
Ams197624@reddit
RemindMe! 6 months
indigo196@reddit
This is why companies continually fail to protect data.
Any company that suffers a data breach of this nature needs to have its executive team (CEO, CFO, CTO, CIO) fired. Period. If they have a board of directors, those people should be removed and prevented from sitting on any other board. Period. If that was true, you can bet the appropriate steps would be taken to secure data.
xSecondSalt@reddit
So just like PowerSchool.
I’m sure the bad guys will for sure do the right thing. For sure.