Rackspace Says Ransomware Behind Ongoing Exchange Outages

Rackspace on Tuesday confirmed a ransomware attack is behind ongoing service disruptions for its Hosted Exchange customers. It expects revenue losses in its Hosted Exchange business as a result of the attack.

The Rackspace outage put thousands of email users offline over the weekend

In a new blog, Rackspace provided more details of the ransomware attack.

“Alongside the Rackspace internal security team, the company has engaged a leading cyber defense firm to investigate,” it said. “Immediately upon detecting the incident, the company took proactive measures to isolate the Hosted Exchange environment to contain the incident.”

Rackspace Ransomware Attack Isolated to Hosted Exchange Business

Based on the investigation to date, Rackspace believes that this incident was isolated to its Hosted Exchange business. Its other products and services are fully operational. It addition, it hasn’t experienced an impact to its email product line and platform.

Out of an “abundance of caution,” Rackspace said it has put additional security measures in place and will continue to actively monitor for any suspicious activity.

Rackspace is in ongoing communication with Hosted Exchange customers to help them migrate to a new environment. In addition, Rackspace has increased support staff and will be taking additional steps to help guide customers through this process in order to limit the impact to their own operations.

At this time, Rackspace is unable to provide a timeline for restoration of the Hosted Exchange environment.

“Although Rackspace is in the early stages of assessing this incident, the incident has caused and may continue to cause an interruption in its Hosted Exchange business and may result in a loss of revenue for the Hosted Exchange business, which generates approximately $30 million of annual revenue in the apps and cross platform segment,” it said. “In addition, Rackspace may have incremental costs associated with its response to the incident.”

Incident Response Defines Quality of Provider

Valtix’s David McCarthy

Davis McCarthy is principal security researcher at Valtix.

“A lot of trust is given to cloud service providers and their reaction to an incident, regardless of how easy or difficult prevention was, defines the quality of the provider,” he said. “Providing technical workarounds for impacted customers, bolstering support efforts, engaging with an incident response firm, and ultimately working to validate the depth of the compromise, demonstrates that they have an executable incident response plan.”

Netenrich’s John Bambenek

John Bambenek is principal threat hunter at Netenrich.

“Modern ransomware attacks compromise two main tactics, the bulk encryption or destruction of data and wholesale data theft,” he said.

End customers want assurance that data has not been stolen, Bambenek said. That’s so they don’t see it for sale on the dark web in a month or two.

“Odds are, the wholesale data destruction/encryption didn’t happen because that would be readily apparent to everyone in the form of extended service unavailability,” he said. “Unfortunately, looking for data exfiltration will take some time to truly be certain as to what the answer is there.”