Thousands of Schools Hit by Ransomware on Canvas LMS as Finals Near

Thousands of schools and universities across the United States and Canada were thrust into disarray this week after the popular learning management system (LMS) Canvas, developed by Instructure, was crippled by a sophisticated ransomware attack. The incident, first reported by SecurityWeek, caused widespread outages just as students prepared for end‑of‑term finals, forcing educators to scramble for alternative assessment methods.

Threat‑intelligence researchers say the attackers exploited a known vulnerability in a third‑party VPN concentrator used by Instructure’s cloud‑hosted infrastructure to gain initial access. The malware, identified as a variant of the BlackCat/ALPHV ransomware family, propagated through the internal network, encrypting virtual machines that host the Canvas database and web services. The ransomware note demanded a multi‑million‑dollar payment in exchange for decryption keys and threatened to leak stolen student data on a dark‑web leak site if the ransom was not paid within 72 hours.

Instructure confirmed the breach in a statement released late Tuesday, saying its incident‑response team had isolated the affected systems and engaged a leading digital‑forensics firm. The company also notified the FBI’s Cyber Division and the U.S. Department of Education. As a precautionary measure, the firm temporarily suspended password resets and disabled API integrations while the remediation effort was underway.

The attack highlights a growing supply‑chain risk for educational institutions that rely on SaaS platforms. Security experts warn that without robust multi‑factor authentication, timely patching of external‑facing services, and clear incident‑response playbooks, schools remain attractive targets for ransomware groups. Institutions are advised to review their backup strategies, enforce least‑privilege access controls, and monitor for Indicators of Compromise associated with this campaign.