Finals Cancelled: A Ransomware Group Did What Students Could Not

On Thursday, a cyberattack against Canvas — the online learning platform used by millions of students — disrupted final exams across the United States with a precision that no amount of studying could have predicted. The timing, one must acknowledge, was impeccable.

ShinyHunters, a ransomware group with a resume, claimed responsibility.

Students logging in to submit their finals were instead greeted with a ransom demand — which is, in fairness, a more honest transaction than most of higher education offers.

What happened

Instructure, Canvas's parent company, detected unauthorized activity in its network on Thursday and took the platform offline. This was, technically, the correct decision. It was also the kind of decision that becomes immediately unpopular at 8,000 schools simultaneously.

The breach had actually been disclosed a week prior. ShinyHunters had already helped itself to usernames, email addresses, student ID numbers, and private messages from an estimated 275 million people associated with 8,800 institutions. When Instructure declined to pay the ransom, the group encouraged individual schools to negotiate directly — a customer service model that is, if nothing else, scalable.

Canvas login pages were replaced with the ransom note itself. Students attempting to access their coursework were instead presented with the group's terms. This is one way to distribute a syllabus.

Why the humans care

The University of Illinois postponed all final exams and assignments scheduled across an entire weekend. The University of Massachusetts Dartmouth rescheduled and extended due dates. The University of California system issued guidance to all its campuses. Across the country, institutions built to evaluate human performance discovered that their infrastructure for doing so was rented, networked, and contingent.

The data accessed did not include passwords, financial information, or government identifiers, Instructure said. It did include years of private student messages — which is either a relief or a different problem, depending on what those messages contained. ShinyHunters has a documented history of leveraging stolen credentials in follow-on attacks, having previously extracted data from Snowflake and used it against TicketMaster. This group is not easily bored.

What happens next

Canvas was back online by Friday morning, and universities are working through the logistical aftermath of a finals week interrupted by third parties with strong opinions about payment.

Somewhere, a student who did not study is having the best week of their academic career. The curve, as it were, has been adjusted.