ShinyHunters Escalates Canvas Extortion with School-by-School Ransom Campaign
The ShinyHunters ransomware group has escalated its attack on Instructure's Canvas LMS by defacing hundreds of institutional login pages with ransom demands after an initial deadline passed.
The education sector is facing an unprecedented extortion campaign as the ShinyHunters ransomware group escalates its attack on Instructure, the company behind the widely used Canvas Learning Management System. After stealing 3.65 TB of data from 8,809 educational institutions, the group has now launched a school-by-school ransom campaign, defacing approximately 330 institutional Canvas login pages with direct payment demands.
The original compromise occurred on April 25, when ShinyHunters exploited a vulnerability in the Free-For-Teacher version of Canvas to gain unauthorized access to Instructure's systems. The breach resulted in the exfiltration of roughly 275 million records, making it one of the largest education sector data breaches in history. The group initially posted a ransom demand on its data leak site with a deadline of May 8, threatening to leak the stolen data if the demand was not met.
After the initial deadline passed without payment, ShinyHunters extended the deadline and shifted tactics. According to researchers at Halcyon, the group began a targeted school-by-school extortion campaign, defacing Canvas login pages with ransom notes that called for affected institutions to negotiate a settlement before the data is leaked on May 12. The defacement messages specifically noted that Instructure had not contacted the ransomware group and had instead installed security patches.
Raluca Saceanu, CEO of cybersecurity company Smarttech247, commented on the timing of the attack: "ShinyHunters have timed this attack to sting as much as possible: with schools and universities approaching the end of their academic years, and exam season already underway. Striking now piles the pressure on both Canvas and affected institutions to force a sizeable ransom payment."
The affected institutions span a wide range, including universities, colleges, school districts, education providers, corporate training environments, test and stage instances, and generic or root accounts. This broad scope means that millions of students, faculty, and staff may have had their personal data compromised, including names, email addresses, and potentially financial information.
Instructure has responded by applying security patches to address the vulnerability exploited by ShinyHunters, but the company has not engaged with the attackers. The group's note explicitly stated that Instructure had not contacted them, suggesting that the company is pursuing a policy of non-negotiation with ransomware actors. However, this approach has not deterred the attackers from continuing their extortion campaign.
Security experts are urging affected organizations to take immediate action. This includes changing any Canvas-related passwords as soon as possible and enabling multi-factor authentication wherever available. Both staff and students should be warned to remain vigilant against convincing phishing emails or fake login prompts that reference real schools, classes, or teachers. Parents and students should also monitor financial and credit activity over time, as stolen personal data can be misused years later.
The ShinyHunters group has a history of high-profile data breaches and extortion campaigns, and this attack on the education sector highlights the growing threat to institutions that hold vast amounts of sensitive personal data. The school-by-school approach represents a new escalation in ransomware tactics, applying direct pressure on individual victims rather than targeting only the parent company. As the May 12 deadline approaches, the education sector remains on high alert for potential data leaks and further extortion attempts.