Multicloud MSP company Rackspace on Tuesday confirmed that the suspicious activity in its Hosted Exchange environment was a ransomware incident.
In a post to its customers, Rackspace said it became aware of the suspicious activity last Friday on Dec. 2. The company has hired a leading cybersecurity firm to investigate and said it was too early to disclose what — if any — data was affected.
Based on the investigation to date, Rackspace said that this incident was isolated to its Hosted Exchange business. The company's other products and services are fully operational, and Rackspace has not experienced any impact to its Rackspace Email product line and platform.
SC Media's sister publication MSSP Alert reported that Rackspace is offering free Microsoft 365 subscriptions as a workaround to impacted customers. Moreover, Rackspace has mobilized 1,000 support professionals to help Hosted Exchange customers with the migrations to Microsoft 365 — but that migration process involves manual tasks that have frustrated some customers.
At this time, Rackspace said it was unable to provide a timeline for restoration of the Hosted Exchange environment. However, Rackspace said it was working to provide customers with archives of inboxes where available to eventually import over to Microsoft 365.
A cloud service provider’s reaction to an incident — regardless of how easy or difficult prevention was — defines the quality of the provider, said Davis McCarthy, principal security researcher at Valtix.
“Rackspace’s public timeline shows that within 24 hours of experiencing a service outage the cause was determined to be a security incident, confirming later that they contained the incident to the Hosted Exchange service,” said McCarthy. “Providing technical workarounds for impacted customers, bolstering support efforts, engaging with an incident response firm, and ultimately working to validate the depth of the compromise, demonstrates that they have an executable incident response plan.”
John Bambenek, principal threat hunter at Netenrich, added that modern ransomware attacks comprise two main tactics: the bulk encryption or destruction of data and wholesale data theft. For end customers, Bambenek said many will want assurance that data has not been stolen so they don’t see it for sale on the dark web in a month or two.
“Odds are, the wholesale data destruction/encryption didn’t happen because that would be readily apparent to everyone in the form of extended service unavailability,” Bambenek said. “Unfortunately, looking for data exfiltration will take some time to truly be certain as to what the answer is there.”