Never, right?! What motivated this blog post was this report (Kathryn Palmer, Inside Higher Ed, 11 May 2026) that Instructure (the company that owns Canvas) has paid an undisclosed ransom to a gang of cybercriminals that hacked the company’s learning management system (twice!) earlier this month. Here is some background:
- “ShinyHunters” (a black-hat criminal extortion group active since 2019; Wikipedia)
- “2026 Canvas security incident” (also via Wikipedia)
- “The Canvas hack is a new kind of ransomware debacle” (Lily Hay Newman & Andy Greenberg, Wired, 8 May 2026)
- “Visualization of nationwide Canvas breach” (Ajith Araiza-Singh & Luca Vicisano, The Daily Californian, 8 May 2026)
Now, to the business at hand: when, if ever, should ransomware be paid? Below are links to some of the scholarly literature (ungated or open access*) on the economics and law of ransomware payments, in alphabetical order by author:
- “To pay or not: game theoretic models of ransomware” (Edward Cartwright et al., Journal of Cybersecurity, 2019)
- “Should we outlaw ransomware payments?” (Debabrata Dey & Atanu Lahiri, Proceedings of the 54th Hawaii International Conference on System Sciences, 2021)
- “Ransomware: to pay or not to pay?” (Cath Everett, Computer Fraud & Security, April 2016)
- “Should the ransomware be paid?” (Rui Fang et al., ArXiv, 15 October 2020)
- “Cyber insurance and the ransomware challenge” (Jamie MacColl et al., University of Kent, 2023)
- Bonus link: “The average cost of a ransomware attack in 2024 was $5.13M …” (Jason Firch, 6 October 2025)

* There is a special circle in Hell for the editors and publishers of gated scholarly journals.

