The education platform Canvas was forced into maintenance mode Thursday after parent company Instructure suffered a data breach affecting over 8,800 schools, according to hackers claiming responsibility for the attack. The ShinyHunters group has been demanding ransom payments since May 1, disrupting universities including Harvard, Columbia, Rutgers, and Georgetown during critical finals periods.
The Canvas incident represents the latest in a series of high-profile cyberattacks targeting critical infrastructure and major organizations. Recent weeks have seen Iranian state actors masquerading as ransomware groups, a Latvian cybercriminal sentenced to 8.5 years for extortion, and over 40,000 servers compromised through a cPanel vulnerability.
Canvas Breach Impacts Thousands of Educational Institutions
Instructure’s Canvas platform serves millions of students and faculty across higher education and K-12 school districts. According to Wired, the ShinyHunters group claims their breach affected more than 8,800 schools, though the exact scope remains unclear.
Steve Proud, Instructure’s chief information security officer, confirmed in incident updates beginning May 1 that the company “recently experienced a cybersecurity incident perpetrated by a criminal threat actor.” The compromised data includes student names, email addresses, student ID numbers, and messages exchanged through the platform.
The timing proved particularly disruptive, with many institutions in the midst of final examinations and end-of-year assignments. Universities sent emergency alerts to students about Canvas unavailability, forcing educators to scramble for alternative submission methods and communication channels.
Canvas was marked as “fully operational” by Wednesday, though the incident highlighted the vulnerability of centralized educational technology platforms that serve thousands of institutions simultaneously.
Iranian APT Group Masquerades as Chaos Ransomware
The Iran-linked APT actor MuddyWater has been observed conducting espionage operations while masquerading as a ransomware attack, according to Rapid7 research. The campaign, observed in early 2026, relied on social engineering through Microsoft Teams to gain initial access to victim organizations.
Attackers established screen-sharing sessions with employees, allowing them to steal credentials, manipulate multi-factor authentication protections, and compromise accounts. “While connected, the TA executed basic discovery commands, accessed files related to the victim’s VPN configuration, and instructed users to enter their credentials into locally created text files,” Rapid7 reported.
The threat actors deployed remote management tools including AnyDesk and DWAgent to maintain persistent access. They conducted reconnaissance, credential harvesting, and data theft operations typical of espionage campaigns but never deployed file-encrypting ransomware.
Instead, the attackers sent extortion emails claiming to have stolen information and threatening to leak it unless ransom was paid. They directed victims to the Chaos ransomware leak site, which listed the organization as a new victim, suggesting Chaos artifacts were planted as false flags to hide state-sponsored activity.
Karakurt Ransomware Negotiator Receives 8.5-Year Prison Sentence
Deniss Zolotarjovs, a 35-year-old Latvian member of the Karakurt ransomware gang, was sentenced to 8.5 years in US prison for his role in extorting victims. Zolotarjovs was arrested in Georgia in December 2023, extradited to the US in August 2024, and pleaded guilty in July 2025.
Karakurt, associated with the infamous Conti group and also known as TommyLeaks and Schoolboys Ransomware Gang, targeted organizations across multiple industries between 2021 and 2023. The group specialized in stealing personally identifiable information including names, addresses, Social Security numbers, and healthcare data.
During Zolotarjovs’ involvement from June 2021 to March 2023, Karakurt attacked at least 53 entities, causing $56 million in losses. Court documents show Zolotarjovs analyzed stolen data and conducted ransom negotiations, receiving 10% of negotiated payments in cryptocurrency.
In one particularly egregious case, when a pediatric healthcare company delayed payment, Zolotarjovs helped escalate pressure and recommended publishing pediatric patient data online. He converted cryptocurrency payments through multiple wallets before exchanging them for Russian rubles.
RansomHouse Claims Responsibility for Trellix Cybersecurity Firm Hack
The RansomHouse ransomware group has taken credit for attacking cybersecurity firm Trellix, adding another high-profile victim to their leak site. Trellix announced earlier this week that part of its source code repository had been breached, though the company stated it found “no evidence that our source code release or distribution process was affected.”
RansomHouse published screenshots appearing to show access to Trellix’s internal services and management dashboards, though they haven’t specified the volume or type of stolen data. The timing suggests a potential connection to recent supply chain attacks linked to TeamPCP and Lapsus$ groups that have targeted multiple cybersecurity firms including Checkmarx, Aqua Security, and Bitwarden.
RansomHouse emerged in 2022 as a ransomware-as-a-service provider targeting large enterprises. The group encrypts victims’ files and steals valuable data to increase ransom payment likelihood. Their Tor-based leak website currently lists more than 170 victims across various industries.
Trellix confirmed awareness of RansomHouse’s claims and stated it’s investigating the matter. The incident underscores the irony of cybersecurity firms becoming targets themselves, potentially compromising tools and intelligence used to protect other organizations.
Over 40,000 Servers Compromised Through cPanel Zero-Day Exploitation
More than 40,000 servers have been compromised in an ongoing campaign exploiting CVE-2026-41940, a critical authentication-bypass vulnerability in cPanel & WebHost Manager, according to The Shadowserver Foundation. The vulnerability provides unauthenticated attackers with administrative access to cPanel, allowing complete system takeover.
https://x.com/Shadowserver/status/2050208472386396568
Disclosed on April 28, CVE-2026-41940 can be exploited using special characters in authorization headers to write parameters to session files, then trigger session reload to authenticate with injected administrative credentials. The vulnerability was likely exploited as a zero-day since late February, with activity spiking after public disclosure and technical details publication.
Rapid7 warned that roughly 1.5 million cPanel instances were accessible from the internet. The Shadowserver Foundation reported 44,000 unique IP addresses conducting scanning and exploit attempts against their honeypot sensors, though this number has since dropped significantly.
Most affected systems are located in the United States, with France and the Netherlands rounding out the top three impacted countries. All cPanel versions after 11.40 are vulnerable, prompting urgent recommendations to update to patched releases including 11.86.0.41, 11.110.0.97, 11.118.0.63, and others.
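The version guidance above (and in the FAQ below) is easy to get wrong across an inventory with several cPanel branches. The following is an added triage script, not code from the article, cPanel, or Shadowserver; it encodes only what the article states (versions after 11.40 affected; 11.86.0.41, 11.110.0.97 and 11.118.0.63 patched) and reports any other branch as UNKNOWN rather than guessing its fixed build. Hostnames and versions in the sample inventory are constructed.

```python
from typing import List, Tuple

# Patched release per branch, keyed by the second version component (from the article).
PATCHED_BY_BRANCH = {
    86: (11, 86, 0, 41),
    110: (11, 110, 0, 97),
    118: (11, 118, 0, 63),
}
# Article: "All cPanel versions after 11.40 are vulnerable."
LAST_UNAFFECTED_BRANCH = 40


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse '11.110.0.97' into (11, 110, 0, 97); missing trailing parts become 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not parts or parts[0] != 11:
        raise ValueError(f"unrecognised cPanel version: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def triage(version: str) -> str:
    """Return NOT_AFFECTED, PATCHED, VULNERABLE or UNKNOWN for one version string."""
    v = parse_version(version)
    branch = v[1]
    if branch <= LAST_UNAFFECTED_BRANCH:
        return "NOT_AFFECTED"
    fixed = PATCHED_BY_BRANCH.get(branch)
    if fixed is None:
        # Branch exists per the article ("and others") but its fixed build is not
        # given there; flag it for a manual check against the vendor advisory.
        return "UNKNOWN"
    return "PATCHED" if v >= fixed else "VULNERABLE"


def triage_inventory(lines: List[str]) -> List[Tuple[str, str]]:
    """Map 'hostname version' lines to (hostname, status); skip blanks and comments."""
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, version = line.split()
        results.append((host, triage(version)))
    return results


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    "# host            version",
    "web1.example.test   11.110.0.96",
    "web2.example.test   11.118.0.63",
    "legacy.example.test 11.40.1.5",
    "web3.example.test   11.126.0.10",
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:22} {status}")
```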
What This Means
These incidents illustrate the evolving ransomware landscape where traditional file encryption is increasingly supplemented or replaced by data theft and extortion tactics. The Canvas breach demonstrates how attacks on centralized platforms can create cascading disruptions across thousands of dependent organizations, amplifying impact beyond the initial target.
The MuddyWater campaign shows state actors adopting ransomware group tactics as cover for espionage operations, blurring lines between criminal and nation-state activities. This false flag approach complicates attribution and response efforts while providing plausible deniability for state sponsors.
The cPanel vulnerability exploitation highlights how quickly threat actors can weaponize disclosed vulnerabilities, with over 40,000 compromises occurring within weeks of public disclosure. Organizations must prioritize rapid patching cycles and maintain comprehensive asset inventories to defend against such large-scale automated attacks.
FAQ
How many schools were affected by the Canvas hack?
The ShinyHunters group claims over 8,800 schools were impacted by their breach of Instructure’s Canvas platform, though the exact scope remains unconfirmed. Major universities including Harvard, Columbia, and Georgetown sent alerts to students about the disruption.
What makes the MuddyWater campaign different from typical ransomware?
MuddyWater conducted espionage operations including reconnaissance and data theft but never deployed file-encrypting ransomware. Instead, they used Chaos ransomware artifacts as false flags to hide their state-sponsored Iranian activities while still attempting extortion.
How can organizations protect against cPanel exploitation like CVE-2026-41940?
Organizations should immediately update to patched cPanel versions (11.86.0.41, 11.110.0.97, 11.118.0.63, or later), follow cPanel’s compromise identification guidelines, and implement network segmentation to limit potential impact from compromised web hosting platforms.
Sources
- Iranian APT Intrusion Masquerades as Chaos Ransomware Attack – SecurityWeek
- Karakurt Ransomware Negotiator Sentenced to Prison – SecurityWeek
- Ransomware Group Takes Credit for Trellix Hack – SecurityWeek
- The Canvas Hack Is a New Kind of Ransomware Debacle – Wired