Ransomware attack cited in outage
Rackspace eyes $30M revenue hit, suit over loss of email
Rackspace Technology Inc. on Tuesday blamed a ransomware attack for the outage that’s prevented its customers from accessing email for five days and was hit with a proposed classaction lawsuit over the security breach.
The Windcrest-based cloud computing company said last week’s cyberattack “may result in a loss of revenue for the Hosted Exchange business, which generates approximately $30 million of annual revenue.”
It said additional costs associated with its response to the incident are likely.
The company’s internal security team is working with an outside cyber defense firm to investigate the breach. It also said it has notified law enforcement of the attack.
“Based on the investigation to date, Rackspace believes that this incident was isolated to its Hosted Exchange (email service) business,” the company said. “Out of an abundance of caution, Rackspace has put additional security measures in place and will continue to actively monitor for any suspicious activity.”
Ransomware is malicious software designed to keep users from accessing their data or computer systems.
Attackers demand a ransom, often in cryptocurrency, in exchange for ending the blockage. They also often threaten to publicize private information contained in the attacked systems. Rackspace has not said whether it paid a ransom, how many customers are affected and when — or if — its Exchange platform will be restored.
It’s also unclear whether customers will eventually be able to access their archived email, a major point of concern for many affected businesses. Rackspace said its employees are “working to provide customers with archives of inboxes where available to import to Microsoft 365,” a spokesperson said.
Microsoft 365 is the email system to which Rackspace has been directing its customers since it shut down its hosted Exchange email platform early Friday.
Ahead of the company’s ransomware acknowledgment, Gateway Recruiting LLC and Garrett Stephenson, president of the New Braunfels-based executive recruiting firm, filed its
class-action lawsuit Monday evening in San Antonio federal court.
Stephenson accuses Rackspace of negligence, deceptive trade practices and breach of confidence, implied contract and implied covenant of good faith and fair dealing.
The company failed to safeguard his and other customers’ sensitive personal information and continuously provide email services, which upended their business operations, the lawsuit says.
Rackspace also did not properly communicate with customers about the situation, posting “opaque” updates on its website or responding “briefly and insufficiently” when contacted directly.
Customers’ data was compromised by “an undoubtedly nefarious third party that seeks to profit off this disclosure by defrauding” them “in the future.”
Stephenson and other classaction members allegedly “spent significant time and costs dealing with the consequences of the security incident,” according to the lawsuit.
They also “have anxiety and increased concerns for the loss of privacy” and the potential sale of their data.
The action seeks more than $5 million in damages and states there are more than 100 members in the proposed class.
Rackspace declined to comment on the lawsuit.
Cybercrimes rising
Ransomware attacks on local governments, businesses, schools and healthcare providers are proliferating.
San Antonio-area examples include last year’s attack against Judson Independent School District, which resulted in a payment to the hackers of more than a half million dollars to keep sensitive information from being uploaded to the dark web. The attack shut down the district’s phones, computers and emails for more than a month.
More recently, Disability Services of the Southwest said one or more “intruders” infiltrated its website Sept. 28 and may have gained access to information about as many as 4,000 current and former employees at its offices across the state. It said the breach occurred on the systems of Internap Holding Inc., which operated the nonprofit’s website at the time.
The FBI’S Internet Crime Complaint Center received 3,729 complaints about ransomware last year, with losses exceeding $49.2 million. The healthcare, financial services and information technology sectors had the most victims.
The agency said it does not recommend paying a ransom, because it could result in more attacks and does not ensure the victim’s data will be recovered.
To head off ransomware issues, the FBI encourages organizations to update their operating systems and software, offer training to employees, have an offline backup of data and secure and monitor remote desktop protocol.
It would not confirm or deny it is investigating the Rackspace attack.
Malware is easy to use and criminals do not need to spend their time and money developing it, said Elias Bou-harb, director of the Cyber Center for Security and Analytics at the University of Texas at San Antonio.
Off-the-shelf malware and ransomware are available, sometimes for free, from dark web marketplaces.
“They don’t need technical expertise,” he said of cyber criminals who might use such tools.
To help protect themselves, people should avoid clicking on links or opening attachments from unknown senders and remember to back up their data, Bou-harb said.
Timeline
Rackspace provided its first word on the situation early Friday, when it said it was “investigating an issue that is affecting our Hosted Exchange” email environments, referring to it as a “connectivity issue.”
That evening, the company said a “significant failure” that led it to shut down the system “to avoid any further issues.” By early Saturday, it said the outage had been caused by what it called a “security incident.” It later said there were no immediate plans to restore the hosted
Exchange service and directed customers to switch to Microsoft 365, which it said it is providing for free.
The outage has prevented customers from sending or receiving emails and accessing mailboxes. Some have complained of spending hours on hold waiting for customer service and difficulty moving their account to Microsoft 365 without support.
Rackspace said it has “surged support staff ” to help thousands of customers navigate the process. On Sunday, it said 1,000 employees were offering support to its affected customers and more were being added.
In its Tuesday morning update, Rackspace said it didn’t know what, if any, data in its Exchange systems was at risk.
“If we determine sensitive information was affected, we will notify customers as appropriate,” it said.
After falling more than 15 percent Monday, the value of shares in Rackspace continued falling Tuesday. They closed down another 15 cents, to $3.95.