Rackspace Technology has restored email to more than three-quarters of its Hosted Exchange customers almost two weeks after a ransomware attack knocked systems offline, executives said Thursday.
While the investigation is nearly complete, officials pushed back on reports the Dec. 2 ransomware incident was related to ProxyNotShell vulnerabilities.
“We don’t have a definitive answer of how the threat vector came in,” Chief Security Officer Karen O’Reilly-Smith told Cybersecurity Dive.
Security researcher Kevin Beaumont earlier this month claimed the company may have been using an outdated build environment, and therefore was vulnerable to ProxyNotShell.
Rackspace officials confirmed they are aware of the widespread speculation, but do not believe there is any link to ProxyNotShell.
O’Reilly-Smith and Chief Product Officer Josh Prewitt defended the company’s response to the attack, which officials earlier this week said was financially motivated.
Rackspace received a ransom note from the attackers, according to O’Reilly-Smith, but executives would not divulge any details of the request, or whether the company agreed to pay.
O’Reilly-Smith and Prewitt said the attack was limited to the Hosted Exchange environment and the attackers may have been able to access whatever data was included in those emails. Hosted Exchange business represents 1% of the company’s total revenue, the company said in a recent 8-K filing with the Securities and Exchange Commission.
First notice
Rackspace first learned of the incident on Dec. 2 after customers notified it of not being able to access their emails.
It started early Friday morning, O’Reilly-Smith said. The incident response team was contacted and after an analysis they realized it was more than a connectivity issue. Then the security operations team was contacted, which determined it was more than just an issue with a tool.
“The first thing they do is triage. Is it a tool, is it a connectivity issue? Then they decided it was bigger than that,” O’Reilly-Smith said.
Rackspace then contacted CrowdStrike, outside legal experts and local law enforcement. The company has had regular engagement with the San Antonio office at the FBI and reached out to them as well.
Rackspace is not new to cybersecurity governance, O’Reilly-Smith said. The leadership at Rackspace is well versed in cybersecurity governance and incident response issues, she said.
The CSO said she updates the executive leadership team weekly and meets with the company board at least twice a year. “There’s quite a few people on the board that are technically savvy,” she said.
As previously reported, the company is currently facing a consolidated class action lawsuit in the U.S. District Court in San Antonio, alleging it failed to protect sensitive data. The company could also likely face scrutiny from other state regulators about its response to the attack.
The FBI worked closely with the company on how to assess the situation, and provided guidance on how to respond to the threat.
Rackspace said customers that have been moved to Microsoft 365 will remain on the cloud platform and not go back to the Hosted Exchange environment. The company is also working to help customers regain access to old emails, which are archived through a relationship with Barracuda, or can be backed up locally.
CrowdStrike officials declined to comment, citing the active investigation.