

As we suspected and posted earlier, Instructure confirmed today that a ransom was paid to ShinyHunters in the recent massive breach of Canvas LMS, which affected major educational institutions worldwide, including many Canadian schools. The company used PR speak, saying it had "reached an agreement with the unauthorized actor".
Trying to minimize the situation, Instructure notes: "the data was returned to us" and "we received digital confirmation of data destruction (shred logs)." Trusting a cybercriminal's "guarantee" of data destruction is a massive security fallacy. Here is why the data remains a highly active threat, despite the company's PR spin:
1. Digital Data is Copied, Not "Returned"
Infinite Replicability: Unlike physical objects, stolen data is duplicated. Once exfiltrated, it can be copied to countless offline drives or rogue servers before a ransom is even discussed.
The "Shred Log" Illusion: A digital shred log only proves that a file was deleted on one specific server. It offers zero proof that the attackers didn't make multiple backups right before hitting the delete key. It is essentially a meaningless receipt.
2. The Criminal Ecosystem is Decentralized
The Affiliate Problem: Groups like ShinyHunters operate in a decentralized ecosystem involving Initial Access Brokers (IABs) and independent affiliates. Even if the main extortionist honestly deletes their copy, the lower-level hacker who initially stole it almost certainly kept a backup to monetize later.
Zero Honor Among Thieves: ShinyHunters and similar syndicates have a well-documented history of double-crossing victims, taking the money and later selling or leaking the data on dark web forums anyway, sometimes after waiting for the heat to die down.
3. The Threat is Delayed, Not Neutralized
The data that was taken is permanently compromised. Criminals routinely hold onto stolen information for:
A criminal's "promise" does not un-copy a file. If your institution's data was involved, a rigorous technical investigation is still required to verify exactly what was stolen. You cannot trust that the files ShinyHunters "returned" represent the entirety of the breach. Affected institutions must operate under the assumption that their data remains fully compromised... because it is.