> It's interesting that it's the universities being ransomed, while the technical failure was Instructure's.

My guess would be they get likelihood of getting paid when blackmailing 9,000 schools (at least a few would pay up) than blackmailing Canvas/Instructure.

I don't think any SLA/terms would change who gets to feel the pain.

My guess is that they believe by maximizing their attack coverage, the odds are greatest that some of the institutions will pay up. And otherwise, they can still make a bit of money by selling the data.

Don't ransom all your eggs in one basket