Rackspace says it is making good progress on its investigation and remediation of a ransomware attack that crippled its Hosted Exchange business, and is still engaged in actively transitioning affected customers onto Microsoft Office 365 – but some users say they are seeing issues that may indicate their data has been compromised.
In a new update posted before the weekend of 10-11 December, Rackspace said it had been able to contain the incident quickly and limit it to the Hosted Exchange Email business, which represents about 1% of its total annual revenue and is used mostly by small and medium-sized enterprises (SMEs) and small and home office (Soho) users.
“Our information security team had strong incident response protocols in place that led to the quick containment of the ransomware attack,” said Rackspace chief product officer Josh Prewitt. “We invest time and resources in cyber security – we take our processes and procedures very seriously around cyber threats. This is why other parts of our business, and the vast majority of our customers, were not affected in any way by the incident and remain secure and fully operational.”
The ongoing investigation, which is being led by CrowdStrike, is focused on “understanding root cause and implementing additional security measure to defend against future cyber attacks”, said the firm. In the meantime, it is ploughing resources into the Microsoft Office 365 migration and has enlisted surge staff and brought in a fast-track team from Microsoft to assist in the process.
“We are a customer-first organisation and sincerely apologise for the disruption this incident has caused those customers who utilise our Hosted Exchange email services,” said Prewitt.
“We have prioritised getting our customers back on email and have surged our staff and been working around the clock to support them in this transition. We have made significant progress getting customers back on email and will continue to focus our efforts to support customers and get them on email as soon as possible.
“We are continuing to work on data recovery, which we know is very important to our customers. Rackspace understands the importance of addressing this incident and we have prioritised communication with customers, exploring every potential avenue to reach them, share the information that is known and, most importantly, get them access to email.”
In its most recent updates over the weekend, Rackspace claimed that “a little more than two-thirds” of its Hosted Exchange customers were back on email. It refused to say whether or not it had paid a ransom.
But one UK-based user, who requested anonymity, said she had been unimpressed with the firm’s response.
“There has been absolutely nothing in the UK about the problems,” she said. “It has been a complete nightmare – I’m having to resort to Twitter to see what is happening – and I am in the same position I was at 7.30am on 2 December.
“Apart from not being able to use my Exchange account – which I use for everything, including my small ‘one man band’ business – I noticed that all my emails from 24 November had lost their content.”
The user added that while Rackspace had not been in touch regarding her inability to access her Exchange account, it had been “very much on point” with its December invoice.
The customer also told Computer Weekly that 10 days before the incident, she had received a phishing email originating from a domain registered in Guyana in South America, which claimed to be from Rackspace and threatened her with disconnection from her Hosted Exchange account if she did not migrate to Office 365.
Although this could be an opportunistic phishing attack, and using the lure of a Microsoft Office 365 migration is almost certainly coincidental given the email’s timing, the possibility that customer data could have been exfiltrated and used or sold on by the as yet-undisclosed ransomware crew behind the attack cannot be ruled out.
It is not uncommon for threat actors, in particular ransomware operators, to spend lengthy periods of time inside victim environments establishing persistence, performing reconnaissance and stealing data.
Computer Weekly contacted Rackspace to discuss the customer’s case, but the organisation had not responded at the time of writing.
Until it is confirmed otherwise, Rackspace users should be alert to the possibility that they may be targeted by the same group that attacked Rackspace itself, or other, opportunistic threat actors trying to muscle in on the action. Exploiting high-profile incidents is a well-used social engineering tactic in cyber attacks.
SME users can access more in-depth guidance from the UK’s National Cyber Security Agency.