Dive Brief:
- Rackspace, in the conclusion to its post-incident investigation, said the threat actor behind the December ransomware attack accessed the Personal Storage Table of just 27 of the company’s 30,000 Hosted Exchange customers, according to an update released Thursday.
- Rackspace said there is no evidence the attackers were able to obtain, view, disseminate or misuse any of the actual emails or data belonging to any of the 27 customers. The company notified those organizations that had been affected.
- More than half of its Hosted Exchange customers received some or all of their historical email from before the attack, but only 5% have actually downloaded the mailboxes that were sent.
Dive Insight:
Rackspace earlier this week confirmed that Play ransomware was the threat actor behind the attack. The attackers used an exploit associated with CVE-2022-41080 that used Outlook Web Access as an entry point.
The company said the investigation by CrowdStrike, as well as the FBI and other experts, indicated the attack was not related to widespread reports linking it to ProxyNotShell.
CrowdStrike researchers found the attackers, in an attack method dubbed OWASSRF, were going around prior mitigations developed by Microsoft to protect against ProxyNotShell.
Rackspace has not commented on whether any specific ransom was paid or whether it obtained a decryptor.
Most of Rackspace’s Hosted Exchange customers were small and medium-sized businesses, along with individual customers. The ransomware attack disrupted critical business emails for many customers, leading to consolidated class action litigation filed in U.S. District Court in Texas.
Executives at Clumio said last month the Rackspace attack helped underscore the need to change the way organizations store and protect data.
“Data protection and recovery need to keep up with the gigantic scale and speed of ingest, retrieval and backing up data continuously,” Woon Ho Jung, co-founder and CTO at Clumio said in a statement.
Rackspace said it will continue efforts to recover historical data and is developing an on-demand solution for customers who still want to download their data.
Rackspace does not plan to rebuild the Hosted Exchange environment and has been moving customers to Microsoft 365.
