Backups are definitely helpful in ransomwares, but before systems can be restored and brought back online, victim organizations still need to assess the scope of the breach, find the initial access vector, identify compromised accounts, and evict the threat actor. That can take time.
I’m not certain, but it appears you’re giving Instructure a pass here, as if this is the first time they were hacked. But, it’s the second, by the same group.
As a parent of kids who are impacted by this, I’m not super concerned about the data being held for ransom, but I sure as fuck am concerned about how much it’s going to cost the district to move to another provider.
Not at all; standard IR procedure is scope -> containment -> eradication -> recovery. There is a fog right now; we don't know all the details. It seems to me that it's just as likely they weren't fully kicked out before or that the initial vulnerability wasn't remediated. You can't recover until the threat actor has been removed.
I don't have an opinion on Instructure (except as a parent generally hating the overall app-ization of education; fortunately our district switched away from Canvas a couple years ago), their cybersecurity posture, or this particular event. My only point is that even if backups exist, working through a ransomware attack often takes time.
Also, ransomware gangs often exfil the data and threaten to release it if the ransom is not paid--blackmail, of a sort. It depends on the company and the data set whether this is effective as a tactic. But when it is, backups don't help.
