Rackspace Ransomware Ruining Holiday Cheer

December 20, 2022

Corporate Complacency Makes Hosted Clients Homeless for the Holidays

Today, as we rush to remember our friends, family and colleagues with cards, gifts or a simple phone call, some Rackspace customers are being forced to deal with ransomware chaos. A gap in cyber resilience means victims and their vendors are having to scramble.

What Happened?

You may be aware of the ransomware breach two weeks ago at Rackspace (NASDAQ: RXT), and the dramatic impact it's having this holiday season on businesses that depend on Rackspace's Hosted Exchange (read details here). Rackspace hasn't gotten much done since, promising desperate clients at year end that data recovery will start "soon." They've tapped CrowdStrike to deploy Endpoint Detection & Response (EDR) tools and send an army to conduct a mountain of recovery-focused services to make up for a massive cybersecurity oversight.

What Can Be Done?

Here's a blurb on the process underway while clients desperately wait for full restoration:

Every device required “significant attention to examine and process it,” which the company said took a long time. “Following the manual removal of malicious files and additional scans to validate that each server was clean, we then released the servers with Falcon deployed on them into a clean environment and tagged them as ready for the next phase of the process.” The company then recovered the data on the process, and handed them over to CrowdStrike to validate.
“After the servers are cleared for extraction, Rackspace has created automation that opens the exchange database files and reviews the details of each individual PST file, then correlates it to a customer account,” the company said. “The correlated files are then routed to a staging environment, from which data will be extracted and released to customers by account.”
Rackspace warned that it could not promise that every PST file would be recoverable, as some of the files may be corrupt.

Shouldn’t This Be Required?

Cyber insurers are increasingly demanding that EDR solutions be in place to qualify for coverage, and that certified testing be done to demonstrate resilience to these breaches. Hosting companies, MSPs and IT companies supporting Rackspace services are now swamped helping clients, spending up to 8 hrs/client simply to restore email services. These services are not being provided by Rackspace, but are Microsoft 365 instances being resold inside a Rackspace sales portal. Worse, it's still not working properly for many, and the shit-show that is support has no handle on full recovery timelines, or on whether full recovery is even possible.

Some Simple Takeaways:

  • Don't assume that big-company cloud infrastructure is safe; have a better strategy.
  • Do independent backups regularly, independent of these vendors.
  • Deploy EDR to avoid this chaos and maintain insurability.

Let TEKRiSQ help you with these things if you're not already secured. Happy Holidays.