Rackspace Ransomware Ruining Holiday Cheer

December 20, 2022

Corporate Complacency: Hosted Clients Homeless for Holidays

Today, as we rush to remember our friends, family and colleagues with cards, gifts or a simple phone call, some Rackspace customers are being forced to deal with ransomware chaos. A gap in cyber resilience means victims and their vendors are having to scramble. Rackspace ransomware ruined holiday cheer this year.

What Happened?

You may be aware of the ransomware breach two weeks ago at Rackspace (NASDAQ: RXT). You may not know of the dramatic impact it's having this holiday season on businesses that depend on Rackspace's Hosted Exchange (read details here). Rackspace hasn't gotten much done since, promising desperate clients at year end that data recovery will start "soon." They've tapped CrowdStrike to deploy Endpoint Detection & Response (EDR) tools. They've sent a small army to spread holiday cheer. These happy elves will conduct a mountain of recovery-focused services to make up for a massive cybersecurity oversight.

What Can Be Done?

Here's a blurb of the process underway while clients desperately wait for full restoration:

Every device required "significant attention to examine and process it," which the company said took a long time. "Following the manual removal of malicious files and additional scans to validate that each server was clean, we then released the servers with Falcon deployed on them into a clean environment and tagged them as ready for the next phase of the process." The company then recovered the data from those servers and handed them over to CrowdStrike to validate.

"After the servers are cleared for extraction, Rackspace has created automation that opens the exchange database files and reviews the details of each individual PST file, then correlates it to a customer account," the company said. "The correlated files are then routed to a staging environment, from which data will be extracted and released to customers by account."

Rackspace warned that it could not promise that every PST file would be recoverable, as some of the files may be corrupt.
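As an added illustration of the validate-and-correlate step in the quoted process (example code written for this post, not Rackspace's or CrowdStrike's automation), the script below checks each file's PST header fields as laid out in the MS-PST format, maps the mailbox name to a hypothetical account map, and routes corrupt or unmapped files to quarantine instead of staging. The sample files and the account map are constructed for the demonstration.

```python
"""Triage PST files from an Exchange recovery: validate header, correlate to account, route."""
import hashlib
import struct
from pathlib import Path

PST_MAGIC = b"!BDN"          # dwMagic at offset 0 (MS-PST), read as raw bytes
PST_CLIENT_MAGIC = b"SM"     # wMagicClient at offset 8
KNOWN_VERSIONS = {14: "ansi", 15: "ansi", 23: "unicode"}  # wVer at offset 10

def inspect_pst_header(blob: bytes) -> dict:
    """Return format info, or status 'corrupt' when the header is not a PST header."""
    if len(blob) < 12:
        return {"status": "corrupt", "reason": "truncated header"}
    magic, client = blob[0:4], blob[8:10]
    ver = struct.unpack_from("<H", blob, 10)[0]
    if magic != PST_MAGIC or client != PST_CLIENT_MAGIC:
        return {"status": "corrupt", "reason": "bad magic"}
    if ver not in KNOWN_VERSIONS:
        return {"status": "corrupt", "reason": f"unknown wVer {ver}"}
    return {"status": "ok", "format": KNOWN_VERSIONS[ver]}

def triage(filename: str, blob: bytes, account_map: dict) -> dict:
    """Correlate one PST to a customer account (hypothetical mailbox -> account map) and pick its destination."""
    rec = {"file": filename, "sha256": hashlib.sha256(blob).hexdigest()}  # hash for the chain-of-custody manifest
    rec.update(inspect_pst_header(blob))
    account = account_map.get(Path(filename).stem.lower())
    if rec["status"] != "ok":
        rec["route"] = "quarantine/corrupt"       # never stage data that fails validation
    elif account is None:
        rec["status"], rec["route"] = "unmapped", "quarantine/unmapped"
    else:
        rec["account"], rec["route"] = account, f"staging/{account}"
    return rec

# Constructed sample data (not real customer files): 12-byte headers only.
def _hdr(ver: int) -> bytes:
    return PST_MAGIC + b"\x00\x00\x00\x00" + PST_CLIENT_MAGIC + struct.pack("<H", ver)

SAMPLE_FILES = {
    "alice@example.com.pst": _hdr(23),
    "bob@example.com.pst": b"\x00" * 12,     # header overwritten, e.g. by encryption
    "carol@example.com.pst": _hdr(23)[:6],   # truncated during extraction
    "mallory@example.com.pst": _hdr(15),     # valid file, but no account mapping
}
ACCOUNT_MAP = {"alice@example.com": "acct-1001", "bob@example.com": "acct-1001", "carol@example.com": "acct-2002"}

def triage_all(files=SAMPLE_FILES, account_map=ACCOUNT_MAP) -> list:
    return [triage(name, blob, account_map) for name, blob in files.items()]

if __name__ == "__main__":
    for r in triage_all():
        print(r["file"], r["status"], r["route"])
```

The header check only catches files whose first bytes are gone; a file with an intact header can still be unreadable further in, so the staged copy should additionally be opened by a PST parser before release.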

Shouldn’t This Be Required?

Cyber insurers are increasingly demanding that EDR solutions be in place to qualify for coverage. They also require certified, regular testing and tabletop exercises that demonstrate resilience to such breaches. Hosting companies, MSPs and IT companies supporting Rackspace services are now swamped helping clients. They're spending up to 8 hrs/client to help them restore email services. These services are not being provided by Rackspace. These are Microsoft 365 instances being resold inside a Rackspace sales portal. Worse, it's still not working properly for many. The shit-show that is support has no handle on full recovery timelines, or on whether that's even possible.

Some Simple Takeaways:

  • Don't assume big-company cloud infrastructure is safe; have a better strategy.
  • Take regular backups that are independent of these vendors.
  • Deploy EDR to avoid this chaos and maintain insurability.

Let TEKRiSQ help you with these things if you're not already secured. Happy Holidays.