Rackspace revealed on Thursday that the attackers responsible for last month’s incident gained access to some of its clients’ Personal Storage Table (PST) files. PST can contain a variety of information such as emails, calendar information, contact information, and activities. Thus, the Rackspace had a ransomware attack.
This update brings after Rackspace affirmed that the Play ransomware operation was responsible for the December cyberattack. The attack dragged down its hosted Microsoft Exchange environment.
The attackers managed to gain access to the personal storage directories of 27 Rackspace customers. According to the now-completed examination conducted by cybersecurity firm Crowdstrike.
Nevertheless, the company added that there was no evidence that they viewed or misused the components of the accessed backup files.
“Of the nearly 30,000 clients on the Hosted Exchange email environment at the moment of the attack. The forensic examination ascertained the threat actor obtained a Personal Storage Table (‘PST’) of 27 Hosted Exchange customers”. Rackspace said in an incident notification update shared ahead of time with BleepingComputer.
“We have already proactively communicated our findings to these customers,” Crowdstrike says. Most importantly, there is no evidence that the threat actor regarded, acquired, misappropriated, or distributed any of the 27 Hosted Exchange customers’ email messages or data in the PSTs in any way.
Clients who weren’t grid connected by the Rackspace team can be confident that the threat actor did not access their PST data.
While RackSpace claims there is no evidence that malicious actors made available customer information. In the past has been shown that this is not always the case.
Furthermore, even if the data is not divulged if a ransom has been paid or for other reasons, it is overwhelmingly probable that customer data was regarded during the attack.
Clients who are affected can install some recovered PST data.
Rackspace has been offering affected customers free licenses to migrate their email from its Hosted Exchange platform to Microsoft 365 as of uncovering the attack on December 2 and verifying the eventual results outage was caused by a ransomware attack.
Through an automated queue, the cloud computing provider also offers affected users with download section to manage to recover historic mailbox data (actually contains email messages prior to December 2) via its customer portal.
“As a reminder, we are preemptively notifying customers who have had more than 50% of their mailboxes recovered,” the company said.
“We will continue to work to recover as much data as possible as planned. But in the meantime, we are continuing to develop an on-demand solution for clients who still want to download their data. The on-demand solution should be accessible within two weeks.”
Earlier today, a Rackspace spokesperson said that the email data has been restored from Rackspace backups or using a decryption technology arena by the Play ransomware attackers. When we receive an answer, we would then update the article.
Rackspace announced today that its Hosted Exchange environment would be phased out, stating that it had planned to migrate customers to Microsoft 365 prior to the December ransomware attack.
“Finally, as a going forward service offering, the Hosted Exchange email atmosphere will not be rebuilt,” Rackspace said.
“Even before the recent security incident, the Hosted Exchange email environment was scheduled for migration to Microsoft 365, which has a more adaptable pricing model and more modern features and functionality.”