by Freak_NL 34 days ago
The same group has a reputation to uphold (i.e., that of 'honourable' criminals), so they just move on to the next target, who will, incidentally, know that they are absolutely true to their word. (This is why paying off ransomware hackers is being made illegal in a number of countries.)

A different group? Certainly. I wouldn't want to be in the shoes of the infosec guys at Canvas right now.


So the hacker group could create an unregistered subsidiary and hack some more?
Sure. In all likelihood ShinyHunters will 'gracefully' point out the weak spots leveraged in the system of the 'customer' upon receiving payment to prevent this happening again next week.

They have a rather strong incentive to keep this a happily-ever-after ending for Instructure and any other target who pays up. It's all taught in Mafia 101.

They could but also why would they?

They can always just hack them again but with a different method this time.

The ransom doesn't bind them from hacking the company multiple times. It just obligates them to destroy the data they collected from this attack.

As a matter of kindness and good business they'll probably wait a few months or a year or so before poking around again but they'll almost certainly continue poking at Instructure's systems.

Data exfil ransom attacks are a business first and foremost. They don't permanently halt or destroy the original infra, and their goal is to get a payout for their labor and move on. Maybe they come back around in the future with another, different attack, maybe they don't.

They made their money and made it big in the news as having complied with the ransom payout, no reason to hurt their reputation trying to double dip. Plenty of other soft targets to poke.

If you squint you can think of it as pen-testing done economically right: how much do you really value your data??
NGL that's pretty much what it is.

On the one side you have white hat hackers and pen-testers who you pay a contract or salary to prod your system. If you really piss them off (i.e. by stiffing them of their pay) some might just steal your data and threaten to leak it unless you pay them.

On the other side are black hat hackers who will drive by your system and if they find a way to break in they'll offer to keep your data private for a ransom fee. And maybe if you have some charisma, decent pay, and/or a good repertoire you might recruit them on/convert them into white hats for your org.