Ransomware gang Play accessed the Personal Storage Tables for 27 of Rackspace's Hosted Exchange customers, according to a Thursday evening update from the cloud provider.
This disclosure marks the second time this week that Rackspace provided key new information regarding the ransomware attack it suffered last month. The cloud provider on Tuesday told TechTarget Editorial via a statement that a newly discovered exploit chain, referred to as "OWASSRF," was responsible for the attack and that the threat actor behind the attack was ransomware group Play. The exploit chain was discovered by CrowdStrike, which assisted Rackspace with its incident response.
Thursday's status update marked the completion of the forensic investigation and provided additional information about what data was and was not accessed by Play. Rackspace said the threat actor accessed the Personal Storage Table (PST) of 27 Hosted Exchange customers, out of the 30,000 that used Rackspace's hosted environment at the time of attack.
"We have already communicated our findings to these customers proactively, and importantly, according to CrowdStrike, there is no evidence that the threat actor actually viewed, obtained, misused, or disseminated emails or data in the PSTs for any of the 27 Hosted Exchange customers in any way," the update read. "Customers who were not contacted directly by the Rackspace team can be assured that their PST data was not accessed by the threat actor."
It also noted that "no other Rackspace products, platforms, solutions, or businesses were affected or experienced downtime due to this incident."
TechTarget Editorial asked Rackspace if it paid a ransom to Play as part of its incident response efforts, but the cloud provider declined to comment.
Rackspace also provided an update to its Hosted Exchange service, which has remained inaccessible to customers since the ransomware attack occurred in early December. As part of its response efforts, Rackspace began to migrate customers from a Hosted Exchange environment to Microsoft 365. According to the update, the Hosted Exchange environment "will not be rebuilt as a go-forward service offering."
Instead, the provider will continue a permanent migration to Microsoft 365, which it said "had already been planned" prior to the attack. Rackspace cited 365's flexible pricing model and modern feature set, and added that there will be no price increase for customers that "choose to move to Microsoft 365 and select a plan with the same capabilities as they currently have." Rackspace email will also continue to exist as an alternative for customers.
Rackspace said it is continuing the ongoing process for recovering customers' historical email data.
"As of today, more than half of impacted customers have some or all of their data available to them for download," the status update read. "However, less than 5% of those customers have actually downloaded the mailboxes we have made available. This indicates to us that many of our customers have data backed up locally, archived, or otherwise do not need the historical data."
In parallel, Rackspace said, it is developing an "on-demand solution" for customers that wish to download their data. The cloud provider said it expects the offering to be available within two weeks.
Alexander Culafi is a writer, journalist and podcaster based in Boston.