Rackspace: Ransomware attacks on customer email data

Rackspace announced on Thursday that the attackers responsible for last month’s attack accessed some customers’ Personal Storage Table files (PST). These files can include emails, calendar data and contacts as well as tasks.

This update is coming after the Play ransomware operation behind the December cyberattack on its Microsoft Exchange hosted environment.

The attackers were able to access the personal storage files of 27 Rackspace customers, as revealed by Crowdstrike’s now-completed investigation.

The company stated that it has no evidence to suggest that the employees viewed or misappropriated the backup files.

Rackspace shared an incident update with BleepingComputer that stated “Out of nearly 30,000 Hosted Exchange customers at the time, the forensic investigative determined the threat actor accessed the Personal Storage Table [‘PST) of 27 Hosted Exchange customers.”

Crowdstrike has not found any evidence to suggest that any threat actor viewed, obtained or misused any email or data of any 27 Hosted Exchange customers in the PSTs. We have communicated these findings to them proactively.

Rackspace can assure customers who weren’t contacted by their Rackspace team directly that they were safe and secure with PST data.

RackSpace claims there’s no evidence to suggest that threat actors have accessed customer data. However, historical records show that it isn’t the case.

It is possible that the customer’s data were at least seen during the attack, regardless of whether a ransom was paid.

Clients affected by the disaster can retrieve some PST data

December 2, and that the outage was due to a ransomware threat, Rackspace offered affected customers free licenses for migrating their email to Microsoft 365.

Cloud computing service provider provides affected customers with via its customer portal. This is done through an automated queue.

The company stated that it was reminding customers who have lost more than half of their mailboxes.

We will keep working as normal to recover data. However, parallel to that, we are creating an on-demand option for customers who still want to access their data. The on-demand option should be ready within the next two weeks.

BleepingComputer questioned a Rackspace spokesperson about whether the email data was being restored using Rackspace’s backups, or through the use of the Play ransomware attack tool. When we get an answer, the article will be updated.

Rackspace stated in the today’s update, that their Hosted Exchange environment will be shut down. It also said that they were already planning on migrating customers to Microsoft 365 before December ransomware attacks.

Rackspace stated that the Hosted Exchange email environment would not be rebuilt in order to offer a new service.

“Even before the security breach, migration of the Hosted Exchange environment to Microsoft 365 was planned. This new pricing model is more flexible and offers more functionality.