After a massive breach that affected more than 9,000 institutions, Canvas, a learning platform used by schools and universities across the country, reached a “settlement agreement” with hackers in exchange for data, which includes students’ usernames, email addresses, course titles, enrollment information, and messages. This comes after it went offline last week following its second security breach of the year. We don’t know the details, but it’s reasonable to assume that, as part of the agreement, Canvas’s parent company, Instructure, may have paid the hackers a ransom to regain access. According to the company’s incident response page, the agreement requires hackers to return the stolen data, shred the logs, and agree not to extort Instructure’s customers.
That’s probably not where this story ends. Paying ransom money rarely solves the underlying issue with ransomware. As with any type of ransom, you’re paying first in the hopes that someone who committed a crime will hold up their end of the bargain, and hackers rarely do. Instead, companies should invest that money in privacy-first tools and policies, and get help from security professionals to protect against ransomware attacks before they occur.
Ransomware Attacks Are Accelerating Across Industries, and Education Isn't Immune
According to recent research from NordStellar, ransomware attacks increased by 45% in 2025. Ransomware is malicious software that encrypts your files or locks users out. Basically, hackers get into your system, take your data, and hold it hostage until you pay. Hackers often threaten to publish the data on the dark web, potentially exposing the company’s customers and employees to extortion, phishing, or other threats.
"Ransomware actors are growing more aggressive—given the surge in 2025, ransomware incidents in 2026 are likely to exceed 12,000," said Vakaris Noreika, a cybersecurity expert at NordStellar.
Smaller Organizations Are Often the Easiest and Most Frequent Targets
Ransomware attacks are major headaches for companies of any size, in any industry, not to mention individuals. That said, the NordStellar research showed that smaller businesses with fewer than 200 employees and revenues under $25 million were most affected in 2025.
Attackers usually get into a company’s system via the typical scam avenues: fake ads, phishing links in emails, or social engineering. Some criminals even sell premade exploit kits on the dark web, eliminating any need for coding expertise.
Paying the Ransom Rarely Ends the Problem—And Often Creates New Ones
Common advice from experts after a ransomware attack is to stand your ground and not pay up. After all, there’s no guarantee hackers won’t sell the information they stole from you to your competitors, and the key they give you to decrypt your data (if they even give you one after paying) may not even work. The long-term implications are pretty bleak, too. Criminals now know your company will pay if they disrupt your services. Even worse, some hackers leave backdoors or other entry points behind, allowing them to return to pull the same scheme later, or sell access to your data to other criminals.
If you don’t want to listen to me, listen to the FBI. The agency’s website notes, “Paying a ransom doesn’t guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity.”
So, Why Do So Many Organizations Still Pay?
According to a study from threat response agency Arctic Wolf, 74% of companies, or their representative cyber insurance company, chose to pay at least some of the ransom in 2023. Some victims even end up paying the attackers more than once. In other words, many companies treat ransom payments as just another line item on an expense report or hand them over to an insurance company.
This is especially apparent when the ransom payment demanded is in the thousands, rather than millions of dollars. When companies compare the costs of repairing reputational fallout, paying compliance penalties, and remediation fees after a breach, it’s no wonder so many choose to pay up. Sometimes it’s also in the company's best interests to pay quickly to avoid blackmail or extortion or to prevent downtime.
Prevention Is Cheaper Than Recovery—But Still Widely Underprioritized
Before you build a ransom payment fund into the budget, remember that an ounce of prevention is worth more than a pound of cure. That’s why Noreika recommends developing ransomware response and recovery plans before an attack occurs.
"For early threat prevention and detection, intelligence is key, “ said Noreika. ”An early alert enables organizations to reset passwords, revoke access keys, disable compromised accounts, and support faster incident response."
Creating a work culture that takes digital hygiene seriously is important, too. That means requiring everyone to use multi-factor authentication for their accounts, using password managers, and regularly patching software and systems to detect and close new entry points.


