Threats Without Borders - Issue 288
Cybercrime Investigation Newsletter, week ending May 24, 2026
Plausible Diligence: Why Instructure paid the ransom, and you would too!
I give a talk called “DARVO: The Psychological Manipulation of Ransomware Victims”. If you’ve seen it, you know the basic thesis is that ransomware actors are not just technical adversaries. They are expert manipulators who understand pressure, timing, and human psychology better than most Fortune 500 marketing teams.
When ransomware group ShinyHunters attacked Instructure, the maker of Canvas used by almost every K-12 and higher education institution, and Instructure paid the ransom, the internet responded as expected. Security “experts” jumped on X and piously voiced their concerns, law enforcement officials anxiously wrung their hands and expressed curt disapproval, and countless others posted their opinions on blogs and news sites about why paying the ransom was such a bad idea.
And almost all of them were written by people who have never had to make that decision.
The anti-ransom crowd occupies a particularly comfortable perch. They’re mostly law enforcement administration, government agencies, security vendors, and journalists. People whose jobs don’t end if the data gets leaked. People who don’t have to look shareholders, school boards, or parents in the eye the next morning.
Instructure paid. And you probably would too.
ShinyHunters breached Instructure’s systems in late April 2026, exploiting a vulnerability in the Free-for-Teacher version of Canvas. They walked out with 3.65 terabytes of data, including names, email addresses, student ID numbers, course enrollments, and private messages between students and teachers. Records on roughly 275 million individuals across nearly 9,000 schools.
And this is not Instructure’s first visit to the octagon with this particular crew. ShinyHunters had already compromised Instructure through social engineering back in September 2025. A different system and a different method, same attackers. Same company getting hit twice inside of eight months. Ouch.
But for now, let’s talk about what makes this case different from your standard corporate ransomware incident. What makes this one harder. What cranks the pressure up to a level that changes the decision calculus entirely.
It’s the kids.
There is a psychological dimension to ransomware targeting that doesn’t get discussed enough outside my talk. These groups are not randomly opportunistic. They pick timing the way surgeons pick incisions. ShinyHunters hit Instructure at the end of the academic year, during final exams, during AP testing season. Canvas went dark for thousands of colleges, universities, and K-12 schools at the exact moment those schools needed it most. That’s not an accident.
And the data! Private messages between students and teachers. Not just names and email addresses, which are bad enough. Actual messages. The kind of information that, if leaked, doesn’t just cause embarrassment. It causes real harm to children who cannot protect themselves, who didn’t choose to be in this system, and who had no say in whether their school used Canvas or not.
Ask the Minneapolis Public Schools district how this plays. They got hit in 2023. The attackers eventually released the data. It included psychological evaluations of students. Abuse documentation. It was a catastrophe measured in human damage, not just data records. Law enforcement “investigated”. No ransomware actor went to prison for it. No administrator held responsible. No family got their child’s records back.
There is no cavalry coming. Check me on that. Law enforcement might call you back. If your organization is important enough, someone might show up and deliver some nicely worded victim care. Your incident response firm is just there to put the pieces back together. Neither will recover your data. Neither will stop the leak. When you are staring down a countdown clock and the data on that clock belongs to other people’s children, the abstraction of “don’t reward criminals” has a hard time competing with the concrete reality of what happens if you don’t.
I hold Instructure responsible for being compromised. Absolutely. Not once, but twice, by the same group. That’s not bad luck; that’s a systemic failure in security posture. The first breach in September 2025 should have been a wake-up call. It apparently wasn’t, or wasn’t loud enough. Being compromised twice by the same threat actor in eight months is a process and leadership problem, not a technology problem. That’s on them.
But the payment? No hate there. That’s a business decision made under extraordinary pressure by people who had to live with the consequences. If you were sitting in that CEO chair, with 275 million records on the table and a countdown clock ticking down during finals week at 9,000 schools.
But here’s the part nobody wants to say out loud. The part that’s been quietly driving corporate ransom decisions for years, while the security industry pretends otherwise.
Paying the ransom buys something that isn’t data recovery or system restoration. It buys documentation. It buys a paper trail. It buys what I’m calling “plausible diligence”.
Most of us have experience with plausible deniability: the art of having enough distance to say “don’t blame me, I didn’t know.” Plausible diligence is its corporate cousin. It’s having enough documentation to say “Don’t blame us, we tried our hardest.” It is the deliberate practice of checking every box, engaging every vendor, exhausting every option, and generating a paper trail of effort, so that when the thing fails anyway, the failure attaches to circumstances rather than to negligence.
Yes, Instructure paid the ransom. In exchange, they received, per their own statement, the return of the stolen data and “digital confirmation of data destruction.” They were also informed that none of their customers would be separately extorted. They said they believed “it was important to take every step within our control to give customers additional peace of mind.”
“Every step within our control.” Think about that.
That is not a security statement, it’s a legal statement. That is the founding sentence of a liability defense.
When the lawsuits come, and they will come, because 275 million records across 9,000 schools is not a quiet incident, Instructure’s lawyers will walk into that courtroom and say: we detected the breach, we contained it, we engaged expert forensic vendors, we negotiated to recover the data, we obtained confirmation of destruction, and we notified our customers. “We did everything. The criminals lied to us. Blame them.”
Fully understand that the data is still out there. That’s how this works. ShinyHunters doesn’t actually delete anything, or, if they do, another group with a different name and the same data surfaces six months later. The “confirmation of destruction” is not a guarantee any serious security professional believes. Instructure’s own statement acknowledged there is “never complete certainty when dealing with cyber criminals.”
They paid anyway. Because plausible diligence isn’t about what actually happens to the data. It’s about what you can document you did about it.
Instructure did what cornered organizations do. They paid for something real, protection from immediate harm, and something less real but arguably more important: a documented record of having tried everything. A paper trail of effort that says, to regulators, to plaintiffs, to school boards and parents and lawyers, “Don’t blame us. We paid for an assurance and received documentation of its destruction.”
That’s not justice, it’s not good security policy, but it’s how the game is actually played.
Until we fix the conditions that create the game, such as inadequate security investment by business leadership, the complete vacuum of real government response, and the absence of consequences for attackers, companies will keep playing it.
Paying the ransom makes the problem worse. But I’d probably pay it. And you would too!
News…
First… the Verizon DBIR was released. I didn’t miss it. There just isn’t room in this issue for me to talk about it. Come back next week.
This report by HPE Threat Labs claims it studied 44.5 million connection attempts from 372,800 unique IP addresses and determined that the “top threat actor country by IP count” was… drumroll… the United States. Wait, what? Are you saying the number-one source of criminal intrusion attempts is the United States? I must be misunderstanding that. Or they are only claiming that most threat actors are exiting from nodes based here in the States. https://www.hpe.com/psnow/doc/a50014950enw
Cofense details how attackers are using Zoom-themed phishing emails to trick victims into installing ConnectWise ScreenConnect. https://cofense.com/blog/click-install-compromised-the-new-wave-of-zoom-themed-attacks
Apple claims to have prevented 2.2 billion dollars in potentially fraudulent transactions through the App Store and deactivated 40.4 million accounts for fraud and abuse. https://9to5mac.com/2026/05/20/apple-gives-update-on-the-app-store-and-its-key-protections/
The FBI has issued an advisory warning about Kali365, a “Phishing-as-a-Service” platform distributed via Telegram that enables attackers to compromise Microsoft 365 accounts by capturing OAuth tokens instead of stealing passwords. The tool delivers AI-generated phishing lures that impersonate trusted services such as Adobe and SharePoint, tricking users into authorizing malicious device sessions on legitimate Microsoft login pages. https://therecord.media/fbi-warns-of-kali365-phishing-attacks
Feedback
Send Feedback to matt(at)threatswithoutborders.com
DFIR
The evidence of an Apple FaceTime call and what Apple can provide. https://lucidtruthtechnologies.com/facetime-evidence-apple-subpoena/
Cool Jobs
Intelligence Specialist - FinCEN. https://www.usajobs.gov/job/869413300
Director of Security - Politico. https://politico.wd108.myworkdayjobs.com/politico/job/Arlington-VA/Director-of-Security_JR100411
Cool Tools
OFAC Sanctions Search. https://sanctionssearch.ofac.treas.gov/
Bookmark this so you don’t have to keep asking for it on some email listserv - Bank Identification Number (BIN) search. https://binlist.net/
Irrelevant
Top 100 valued Bitcoin wallets. https://bitinfocharts.com/top-100-richest-bitcoin-addresses.html
Sign Off
The BSides Harrisburg 2026 conference is happening this Friday, May 26th, at the Farm Show Complex in Harrisburg. This marks my fourth year volunteering and my third year as a room emcee.
Please find me in the Track 1 room and say hi. I’ll be the person on stage introducing speakers and gently cutting them off if they go over time. Despite how stressed I might look, meeting TWoB readers is always a top priority for me. Please come and introduce yourself.
And tickets are still available. https://www.bsideshbg.com/
Matt
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.