How Did It Happen?
Customers of Rackspace Technology began encountering problems when attempting to log in to their Exchange environments on December 2, 2022.
After conducting an initial analysis, Rackspace determined that this was sufficient indication to begin an investigation, and it also confirmed that a security incident had occurred.
Several days later, Rackspace Technology declared that ransomware was the real problem and the cause of the downtime that users were facing.
Explaining the Rackspace Ransomware Incident
One particular kind of malware attack is ransomware, in which the attacker encrypts:
- Target information
- Private data
- Crucial records
Because the systems are locked, the victim must now pay the attacker to have their information decrypted and made available once more.
This kind of cyberattack typically treats every software flaw, network weakness, or human mistake as an entry point for infecting the target's devices or systems.
A computer, printer, point-of-sale terminal, smartwatch, smartphone, or any other endpoint can be one of these devices.
Ransomware operates in multiple stages, typically involving a six-stage attack.
- Infection: Once an entry vector is located, the ransomware is downloaded and makes its way onto the target's system or device.
- Execution: The ransomware is used by the attacker to locate and map the compromised system. Certain ransomware strains can also identify and encrypt backup files and folders.
- Encryption: At this point, access to every file found in the earlier stage is restricted and encrypted.
- User Notification: The attacker includes a ransom note, which is a file with instructions for paying the ransom.
- Payment: In order to restore access, the victim must adhere to the payment guidelines.
- Decryption: The victim receives the decryption key after payment is received, although this is not always the case.
The Effects of This Attack
According to a statement from Rackspace Technology, the ransomware only affected and brought down their Hosted Exchange deployments; other facilities, including their email product line and infrastructure, remained operational.
Despite having that information, they continue to state that they are unable to say at this stage of the investigation whether any sensitive or customer data was stolen; as a result, they cannot confirm that there are no signs of data theft at this time.
But because of the attack's nature, scammers are posing as the Rackspace Support Team, and phishers are taking advantage of the circumstances to target Rackspace customers.
Rackspace users were alerted to remain watchful, to refrain from divulging personal information over the phone, and to keep an eye out for questionable activity on their credit reports and bank account statements.
In addition, Rackspace announced that they will lose money from the Hosted Exchange division, which is expected to have brought in $30 million annually.
How Did Rackspace Get Affected by the Ransomware Attack?
Cybersecurity experts generally claim that unpatched software was the cause of the attack, even though Rackspace has not released a statement confirming this.
Specifically, security researcher Kevin Beaumont explained in detail on his Medium blog that the Exchange cluster at Rackspace was running an outdated build, one issued prior to the patch for the ProxyNotShell vulnerability.
According to Mr. Beaumont's research, if an MSP is operating a shared cluster like Hosted Exchange, then a single compromised customer account could potentially jeopardize the entire hosted cluster.
Although it is unclear whether this was the attack's point of entry, it is still possible that Rackspace contracted ransomware as a result of unpatched software.
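The practical check that follows from Mr. Beaumont's finding is an audit of which Exchange build each server is actually running against the minimum build that carries the fix. The script below is an added example written for this article, not code from Rackspace or from Mr. Beaumont's post; the build thresholds in MIN_PATCHED_BUILD and the server inventory are constructed placeholders, to be replaced with the vendor's published minimum patched builds and your own Get-ExchangeServer output.

```python
import re

# Minimum patched (build, revision) per Exchange release line "major.minor".
# PLACEHOLDER values constructed for this example; take the real numbers from
# the vendor's security update notice for the fix being audited.
MIN_PATCHED_BUILD = {
    "15.0": (1400, 50),   # placeholder: Exchange 2013 line
    "15.1": (2507, 10),   # placeholder: Exchange 2016 line
    "15.2": (1100, 10),   # placeholder: Exchange 2019 line
}

# 'Version 15.1 (Build 2507.6)' is the AdminDisplayVersion form shown by
# Get-ExchangeServer; the dotted form '15.1.2507.6' is also accepted.
_DISPLAY = re.compile(r"Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)")
_DOTTED = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")

def parse_build(text):
    """Return (major, minor, build, revision) parsed from a version string."""
    m = _DISPLAY.search(text) or _DOTTED.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Exchange version string: {text!r}")
    return tuple(int(g) for g in m.groups())

def unpatched_servers(inventory):
    """inventory: iterable of (server_name, version_string).
    Returns (name, version, reason) for every server whose build is below the
    minimum patched build of its release line, or whose line is unknown
    (an unknown line is reported rather than silently passed)."""
    findings = []
    for name, version in inventory:
        major, minor, build, rev = parse_build(version)
        line = f"{major}.{minor}"
        required = MIN_PATCHED_BUILD.get(line)
        if required is None:
            findings.append((name, version, "unknown release line"))
        elif (build, rev) < required:   # tuple compare: build first, then revision
            findings.append((name, version, f"below {line}.{required[0]}.{required[1]}"))
    return findings

# Constructed sample inventory (not Rackspace data).
SAMPLE_INVENTORY = [
    ("EX01", "Version 15.1 (Build 2507.6)"),   # one revision short of the fix
    ("EX02", "Version 15.1 (Build 2507.16)"),  # patched
    ("EX03", "15.2.1118.20"),                  # patched, dotted form
    ("EX04", "Version 14.3 (Build 123.4)"),    # release line not in the table
]

if __name__ == "__main__":
    for name, version, reason in unpatched_servers(SAMPLE_INVENTORY):
        print(f"{name}: {version} -> {reason}")
```

On a real cluster the inventory would come from Get-ExchangeServer's Name and AdminDisplayVersion columns; a shared cluster flagged here is exposed for every tenant on it, which is the point Mr. Beaumont makes above.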
How Can This Attack Be Avoided?
Ransomware attacks occur in phases, so if an effective intrusion detection system is in place, the victim will be able to identify the attack while it is happening (if it has not been caught already) from signs of the attacker moving laterally through the network.
Patching the software versions on the various systems is also a crucial step; it lowers the chance that an attacker will quickly find an entry point.
In addition, there are a number of other ways that enterprises can guard against becoming targets of a ransomware attack, including hardening endpoints, keeping backups, and network segmentation.