The education sector has found itself in the crosshairs of a ShinyHunters “pay or leak” extortion campaign following the compromise of Instructure, the company behind the Canvas Learning Management System.
The original compromise of Instructure occurred on April 25 with around 275 million records from 8809 educational institutions stolen.
ShinyHunters gained unauthorized access to Instructure systems by exploiting a vulnerability in the Free-For-Teacher version of Canvas. Over 3.65 TB of data is said to have been exfiltrated by the ransomware gang.
The group made its first extortion attempt by posting a ransom demand on its data leak site. The initial deadline was 8 May, after which the group threatened to leak data.
Extortion Campaign Intensifies
Since that deadline has passed, the group extended its deadline and began a school-by-school extortion campaign, researchers at Halcyon noted in a recent analysis.
This has seen a defacement message appear on approximately 330 institutional Canvas login pages.
The note by ShinyHunters called for those affected to negotiate a settlement before everything is leaked on May 12.
Instructure had not contacted the ransomware group and instead installed some security patches, according to the ShinyHunters note.
Raluca Saceanu, CEO of cybersecurity company Smarttech247, commented, “ShinyHunters have timed this attack to sting as much as possible: with schools and universities approaching the end of their academic years, and exam season already underway.”
“Striking now piles the pressure on both Canvas and affected institutions to force a sizeable ransom payment. These targets cover the gamut, including universities, colleges, school districts, education providers, corporate training environments, test/stage instances, and generic/root accounts,” she added.
Those impacted by this campaign should take immediate action including changing any Canvas‑related passwords as soon as possible and enabling multi‑factor authentication wherever it is available.
Both staff and students at organizations affected should be warned to be alert for convincing phishing emails or fake login prompts that reference real schools, classes, or teachers, and avoid clicking links. Parents and students should also keep an eye on financial and credit activity over time, as stolen personal data can be misused years later.
