🚨 Ransomware Onslaught: ShinyHunters Targets Canvas LMS, Disrupting Wits and SA Peers
The higher education sector in South Africa has been thrust into turmoil following a massive ransomware attack orchestrated by the notorious cyber extortion group ShinyHunters. The breach targeted Instructure, the American company behind the widely used Canvas Learning Management System (LMS), affecting thousands of institutions globally, including prominent South African universities and colleges. At the epicenter is the University of the Witwatersrand (Wits), whose Ulwazi platform—powered by Canvas—went offline, leaving students and lecturers in limbo during a critical academic period.
This incident underscores the escalating cyber threats facing South African higher education institutions, where outdated systems and reliance on third-party vendors expose sensitive student data to ruthless hackers. As institutions scramble to restore services, the attack raises pressing questions about digital resilience in an era of hybrid learning.
Timeline of the Canvas Catastrophe
The attack unfolded rapidly. On April 30, 2026, ShinyHunters infiltrated Instructure's systems, exfiltrating 3.65 terabytes of data. By May 1, Instructure acknowledged unauthorized access but claimed resolution. However, on May 7, users logging into Canvas portals worldwide, including Wits' Ulwazi, were greeted with a defacement message from the hackers: "ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some ‘security patches’." The group demanded private negotiations via Tox by May 12 or threatened mass data leaks.
In South Africa, Wits students awoke on May 8 to a maintenance screen on Ulwazi, halting access to course materials, assignments, and grades. Similar disruptions hit other Canvas-dependent platforms, amplifying panic as semester deadlines loomed.
South African Institutions in the Crosshairs
ShinyHunters published a list of nearly 9,000 affected entities, spotlighting several South African higher education players:
- University of the Witwatersrand (Wits): Ulwazi LMS crippled, impacting over 30,000 students.
- Stadio: Higher education provider with multiple campuses nationwide.
- Milpark Education: Business school reliant on Canvas for online delivery.
- Invictus Education Group: Network of institutions offering vocational and degree programs.
- SPARK Schools: Although K-12 focused, highlights broader edtech vulnerability spilling into higher ed ecosystems.
Wits stands out as the sole major public university explicitly named, but experts warn other SA institutions using Canvas could be silently compromised.
Data at Stake: What Hackers Stole and Why It Matters
The breach compromised "certain identifying information," including names, email addresses, student ID numbers, and private messages exchanged on Canvas. No passwords, financial details, or government IDs appear affected, per Instructure. Yet, for South African users, this trove enables phishing, identity theft, and targeted scams—prevalent in a country where cybercrime costs billions annually.
Student messages often contain personal discussions, grades, or sensitive academic info, turning everyday chats into extortion fodder. With 275 million records globally, SA's share—potentially thousands from Wits alone—amplifies risks for vulnerable students from low-income backgrounds reliant on digital access.
For deeper insights into ransomware tactics, Wits' own analysis explains encryption and recovery challenges.
Immediate Fallout: Classrooms in Chaos
At Wits, the outage derailed lectures, submissions, and assessments. Lecturers pivoted to email and alternative tools, but hybrid learners in rural areas suffered most due to connectivity issues. Stadio and Milpark reported similar disruptions, delaying administrative tasks like registrations.
Globally, US universities faced finals chaos; in SA, mid-semester pressures compounded stress. Financially, downtime costs run high—Sophos reports SA ransomware victims lose millions in recovery, with 71% paying ransoms despite risks.
Institutional Response and Recovery Efforts
Wits swiftly isolated Ulwazi, displaying a maintenance notice while investigating with Instructure. By late May 8, partial restoration occurred, but full audits continue. Instructure engaged forensics, enforced multi-factor authentication (MFA), and urged API key rotations.
Stadio and others mirrored this: system lockdowns, user notifications, and cyber firm consultations. No SA institution confirmed ransom payments, aligning with global no-pay policies to avoid fueling attacks.
For recovery best practices, Check Point highlights education's expanded attack surface via routers and VPNs.
SA Higher Ed's Cyber Vulnerability Exposed
South Africa's universities face 2,000+ weekly attacks, per Check Point, with education a top target alongside government. Legacy systems, underfunded IT, and third-party dependencies like Canvas amplify risks. Wits' prior brushes—Clop in 2025, Oracle zero-day in Oct 2025—signal systemic issues.
Tshwane University of Technology's 2024 ransomware stole thousands of records; Stats SA's March 2026 breach leaked jobseeker data. Interpol notes ransomware's African surge, with SA detecting 12,281 incidents in 2024 alone.
Stakeholder Perspectives: Students, Staff, and Experts Weigh In
Students decry disrupted learning: "Exams pending, no access—frustrating," tweeted a Wits undergrad. Lecturers lament unprepared classes. USAf (Universities South Africa) calls for unified defenses, echoing Parliament's scrutiny on foreign hires amid security gaps.
Experts like Wits' Thembekile Olivia Mayayise stress governance: "Ransomware isn't just technical—it's a boardroom priority." Palo Alto Networks praises Wits' AI defenses but notes human error's role.
Pathways to Resilience: Lessons and Actionable Steps
To fortify SA higher ed:
- Implement zero-trust architecture and MFA universally.
- Conduct regular vulnerability scans and vendor audits.
- Train staff/students on phishing via simulations.
- Diversify LMS providers; build backups offline.
- Collaborate via USAf for shared threat intel.
Government mandates like POPIA compliance and DCDT funding could bridge gaps. IT-Online outlines SA unis' strategies, from AI monitoring to insider threat programs.
Photo by David Pupăză on Unsplash
Future Outlook: Navigating a Hostile Cyber Landscape
With AI-driven attacks rising—Check Point logs 36% YoY surge—SA unis must invest proactively. NSFAS reforms and digital skills pushes offer synergies, but underfunding persists. Positive note: Wits' Palo Alto partnership blocks zero-days effectively.
As May 12 nears, no leaks yet, but vigilance is key. This breach catalyzes reform, positioning SA higher ed stronger against tomorrow's threats.
Students and academics: Monitor credits, enable MFA, report phishing. Institutions: Prioritize cyber in budgets. Together, secure knowledge's future.