Play Ransomware Gang Responsible for Rackspace Hosted Exchange Attack

A threat actor known as Play launched last month’s ransomware attack on Rackspace. Service disruptions knocked thousands of its Hosted Exchange customers offline.

In its latest update, Rackspace said the forensic investigation into the attack is now complete. It worked with CrowdStrike, other cybersecurity experts and federal authorities to finalize the investigation.

Play used a previously unknown security exploit to gain initial access to the Rackspace Hosted Exchange email environment.

“Of the nearly 30,000 customers on the Hosted Exchange email environment at the time of the attack, the forensic investigation determined the threat actor accessed a personal storage table (PST) of 27 Hosted Exchange customers,” Rackspace said. “We have already communicated our findings to these customers proactively.”

CrowdStrike said there’s no evidence the threat actor viewed, obtained, misused or disseminated emails or data in the PSTs for any of the 27 Hosted Exchange customers.

Impact of Rackspace Attack Limited to Hosted Exchange

No other Rackspace products, platforms, solutions or businesses were affected or experienced downtime due to this incident, the company said.

More than one-half of impacted customers have some or all of their data available to them for download.

“However, less than 5% of those customers have actually downloaded the mailboxes we have made available,” it said. “This indicates to us that many of our customers have data backed up locally, archived or otherwise do not need the historical data. We will continue working to recover all data possible as planned. However, in parallel, we are developing an on-demand solution for those customers who do still wish to download their data. We expect that the on-demand solution will be available within two weeks.”

Even prior to the recent security incident, the Hosted Exchange email environment had already been planned for migration to Microsoft 365. It has a more flexible pricing model, as well as more modern features and functionality, Rackspace said.

“Also, Rackspace Email continues to be unaffected and is an alternative option for customers who do not wish to migrate to Microsoft 365,” it said.