Rackspace outage caused by known ransomware group

A “known ransomware group” is behind an attack that forced Rackspace Technology Inc. to shut down a chunk of the cloud computing company’s services 11 days ago.

In the first interviews since the attack was reported, company executives and an external adviser working on the response said they expected their investigations to be completed this week and that they’re still trying to restore customers’ data. That includes archived email, contacts and calendar items that had been saved in Rackspace’s hosted Exchange system.

The company has not identified the attackers, disclosed what they were seeking or said whether Rackspace is paying a ransom to have access to the information returned.

“We’re not talking about the ‘who’ right now, because we’re working with the FBI and because the investigation is ongoing,” said the adviser, who spoke on condition of anonymity. But he described it as “a criminal, financially motivated group — a known ransomware group.”


Chief Security Officer Karen O’Reilly-Smith also said the company has notified the FBI of the breach. The agency declined to confirm or deny that it is investigating.

Rackspace also hired Austin-based cybersecurity firm CrowdStrike and has determined that the breach is isolated to its Exchange business and no other products or customers are affected.

It is unknown whether Rackspace will shut down the hosted Exchange business line, said Chief Product Officer Josh Prewitt. The business generates about $30 million in annual revenue, about 1 percent of Rackspace's total annual revenue. Over the past year, Prewitt said, the company had discussed eventually moving those customers to Microsoft 365, Microsoft's own competing service, which is where customers have been directed during the outage.

“It’s still TBD,” Prewitt said. “Right now, the main priority is how do we get customers’ data back in their hands?”

‘That’s what matters’

Earlier in the outage, customers described hours spent on hold waiting for customer service, difficulty understanding the instructions for moving to Microsoft 365 and poor communication by Rackspace. Some said they plan to cancel; some have filed class-action lawsuits.

The response was slower than Rackspace wanted because it took time to train employees on how to help customers and “surge” staffing levels, Prewitt said. By Dec. 4, the company said more than 1,000 employees were working with customers, and later last week said it had teamed up with Microsoft’s team to reduce the long wait times.

Over the weekend, Rackspace said two-thirds of its customers were able to send and receive emails again through Microsoft 365. By early Monday afternoon, Prewitt said, there was no queue of customers waiting for help.

He declined to specify how many customers were affected.

“As long as it’s more than one, that’s what matters,” Prewitt said. “We’re continuing to keep all of our support teams surging and staffed so we can drive this hold time down.”

Rackspace has said it became aware of problems with its hosted Microsoft Exchange platform early Dec. 2, when clients said they were having problems sending and receiving emails. Many of the affected customers are small- and medium-sized businesses, which use Exchange for email, calendar and contact functions.

Rackspace initially said it was investigating “connectivity and login issues.” Hours later, it said a “significant failure” led it to shut down the system.

The company then directed customers to move to Microsoft 365 — but starting from scratch without archived email or other information.

“We made the decision that what matters is taking care of our customers and helping our customers get access to be able to send and receive email,” Prewitt said. “It was a no-brainer to say, ‘Hey, the right thing for customers is for us to encourage them to move to Microsoft 365.’”

Early Dec. 6, Rackspace said it had determined a ransomware attack caused the outage.

In such an attack, malicious software is used to encrypt files or otherwise deny access to computer systems or data until a ransom is paid. Attackers usually demand payment in the form of cryptocurrency in exchange for releasing the files and systems. Many ransomware groups also copy data before encrypting it and threaten to publish it if they are not paid, so an attack of this kind can be a data breach as well as an outage.

Generally, victims of ransomware attacks are advised not to pay a ransom. The FBI says doing so could result in more attacks and does not ensure the data will be recovered.

Prewitt said Rackspace is being careful about what it shares with the media and shareholders about the attack.

“We don’t want to walk back anything,” he said.

Archives

One of customers’ chief concerns is accessing years of archived emails. Some customers also subscribe to the company’s email archiving service, Prewitt said, and received instructions on how to retrieve the archive.

Another option is figuring out if customers access their email via a mobile app or a computer storing local backup copies, and showing them how to export it.

A third option is seeing whether they previously set up mail rules, such as forwarding a copy of their emails to another account.

Prewitt estimated that more than three-fourths of customers now have access to their data through one of those channels.

“If they strike out, we try all three of those and none work, then we’re working with customers to be able to restore data as quickly as possible,” Prewitt said. “We don’t have a timeline on when that’s going to happen.”

Prewitt rejected the notion advanced by some customers and former Rackspace employees that layoffs at the company have affected the company’s security or slowed down its response to the attack. The company has about 7,000 employees, he said, which is more than when he joined the company nearly 13 years ago.

Other breaches?

Leaders in San Antonio's tech community have also said that the company has previously been hit by major cyberattacks. O'Reilly-Smith said it “has sustained no significant cyber breach” since she joined the company in June 2019.

Some incidents do not rise to the level of needing to be reported to regulators, the company’s outside adviser said. Rackspace reported the attack in filings with the US Securities and Exchange Commission.

“Incidents occur every day, every day at every company. There isn’t a company that doesn’t have to deal with incidents on an ongoing basis,” he said. “There’s some things that occur in an environment that literally will happen and doesn’t impact anyone. If you’ve got into a place where everybody’s reporting about this all the time, they would never stop.”

Why did Rackspace report this attack? The executives and adviser said it was because this one “had an operational impact and we immediately needed to go out and tell our customers, help our customers move, assist the customers.”

Rackspace has insurance covering cyberattacks and Prewitt said the financial hit from the attack is expected to be “very small.”

madison.iszler@express-news.net