Rackspace confirms ransomware attack behind days-long email meltdown
Hope the name Hackspace doesn't stick
Updated: Rackspace has admitted a ransomware infection was to blame for the days-long email outage that disrupted services for customers.
The security snafu took down some of Rackspace's hosted Microsoft Exchange services on Friday afternoon. In its most recent update, posted at 0826 Eastern Time on Tuesday, Rackspace said it has now "determined this suspicious activity was the result of a ransomware incident," and has hired a "leading cyber defense firm to investigate."
The company hasn't yet determined what customer data was touched. "If we determine sensitive information was affected, we will notify customers as appropriate," it added.
Rackspace reiterated that the intrusion was isolated to its hosted Exchange businesses, and noted no impact to Rackspace Email and its other products.
As it has in previous updates, Rackspace urged customers to migrate their users and domains to Microsoft 365, and admitted it doesn't have a timeline for restoring the hosted Exchange email services. An earlier update posted on Monday claimed to have helped "thousands of customers move tens of thousands of users" to Microsoft 365.
Rackspace declined to answer The Register's questions about how many customers were affected, who is responsible for the ransomware attack, how they breached the network, or the payment demanded, among others.
In an emailed statement, the spokesperson repeated much of what has already been said in the incident report:
On Friday, December 2nd, Rackspace detected suspicious activity on its Hosted Exchange environment. Upon discovery, Rackspace immediately took proactive measures to isolate the Hosted Exchange environment to contain the incident, working alongside industry-leading third-party cybersecurity experts.
The ongoing investigation has determined the activity to be the result of ransomware. Our technical teams are working diligently to help affected customers migrate to a new environment as quickly as possible. Based on the investigation to date, we believe that this incident was isolated to the Hosted Exchange business.
The Company's other products and services are fully operational, and we have not experienced an impact to our Rackspace Email product line and platform. Out of an abundance of caution, we have put additional security measures in place and will continue to actively monitor for any suspicious activity.
However, the spokesperson did clarify a point from a press release issued today about the ransomware attack that indicated the incident may result in a loss of revenue for its hosted Exchange biz, which Rackspace said brings in about $30 million annually. The press release also noted that the company may be on the hook for "incremental costs" related to incident response.
These costs will not be passed on to Rackspace customers, according to the spokesperson. ®
Updated to add
A California legal firm has now announced it will be taking action against Rackspace on behalf of users.
"That Rackspace offered opaque updates for days, then admitted to a ransomware event without further customer assistance is outrageous," says Scott Cole, the principal attorney at Cole Van Note.
"Despite hundreds of data breaches every year in this country, I am receiving reports of vulnerabilities in Rackspace's hosting environment that go back over a year. That, and a seeming lack of backup protocols, is why a lawsuit like this is critical."
The lawsuit, Stephenson, et al. v. Rackspace Technology, has been filed in the Western District of Texas.