In the wake of a massive data breach affecting hundreds of millions of students worldwide, the debate over whether companies should pay ransoms to hackers rages on. The US tech firm Instructure, which operates the education platform Canvas, recently faced a ransomware attack that led to the theft of student data, assignment delays, and defaced login pages. The hackers, known as ShinyHunters, demanded a ransom to prevent the release of 3.6TB of sensitive data. The company's response and the ethical implications of paying ransoms are under scrutiny, with experts weighing in on the matter.
The Ransom Debate
The decision to pay a ransom is a complex one: governments worldwide advise against it, yet many companies ultimately do so. In Australia, paying ransoms to designated attackers could be a criminal offense, with the sanctions office considering each case individually. According to a McGrathNicol report, the average ransom paid in Australia was $711,000, with 64% of businesses deciding to pay and 81% willing to do so hypothetically.
Ethical Considerations
The ethical dilemma turns on whether paying a ransom guarantees the safety of data and prevents further harm. The hackers' motives and the reliability of their promises are both in question. As Darren Hopkins, head of cyber at McGrathNicol, points out, hackers have a business model that relies on trust. They may provide evidence of data destruction, but there's no way to validate their claims.
The Impact of Ransom Payments
The impact of ransom payments on hacker behavior is also a concern. Luke Irwin, an Aegis Cybersecurity expert, suggests that paying ransoms may not always prevent data release or end threats. The Akamai ransomware report supports this, stating that not paying ransoms reduces the effectiveness of the attack vector, making it less attractive to hacker groups. However, the report also acknowledges that outright bans on ransom payments are rare.
A Complex Decision
In the case of Instructure, the company's statement regarding the 'agreement' with the hackers is carefully crafted, leaving room for interpretation. The decision to pay a ransom is a risk-driven one, as Instructure is dealing with a criminal organization. The company's priority is to protect its customers and prevent further harm, but the ethical implications and the potential for future attacks remain a concern.
In conclusion, the debate over paying ransoms is a complex one, with no easy answers. While governments advise against it, companies face the challenge of balancing ethical considerations with the need to protect their data and customers. The incident with Instructure highlights the ongoing struggle between businesses and cybercriminals in the digital age.