Rackspace says customers will start getting access to ransomware-hit data within days

SAN ANTONIO – As it entered the third week of an email service outage caused by a ransomware attack, Rackspace Technology Inc. said Friday it would begin restoring customers’ access to their data within the next two days.
“We have a very high degree of confidence that the vast majority of customers will be able to recover their data,” Chief Product Officer Josh Prewitt said in an interview.
The San Antonio cloud computing company’s hosted Exchange customers have been without access to their email accounts, contacts and calendars since the Dec. 2 attack.
Prewitt could not say how long it will take for all customers to regain access to their data, the loss of which has been a major concern for affected users.
“We’ll start with a handful of customers that we’ll test our process with and then I expect to scale very, very quickly in the next week,” he said. “I don’t expect it to be drawn out for a long period of time.”
He declined to disclose how many customers were affected by the attack.
The company shut down its hosted Exchange service after the attack, and Prewitt said it has since been working “to see what data was encrypted and whether it wasn’t encrypted.”
“We went through that process. We now have a very good idea of how much data we have,” he said. “We are working on the process to withdraw it from those servers [and] to put it in a safe secure environment for customers so that they will be able to access it.”
“We’re talking about huge amounts of data and a lot of customers here,” he added.
Investigations
Rackspace earlier said it notified the FBI of the data breach and continues to cooperate with the agency’s investigation into the attack. The FBI declined to confirm or deny that it was investigating.
Prewitt also said Friday that Rackspace is continuing to work with Austin-based cybersecurity firm CrowdStrike to conduct an internal forensic investigation into the attack. Earlier, Rackspace said CrowdStrike determined the breach was isolated to the Exchange server and no other products or customers were affected.
Rackspace is “still going through this investigation very carefully,” Prewitt said.
Chief security officer Karen O’Reilly-Smith said earlier this week that the company expected to complete its investigation this week. But Prewitt said Friday the company has not completed the “internal investigation to a state where we can share the results of that yet.”
When the investigation is complete, he said, Rackspace does intend to share the cause details, attack vectors, all of that.
“Our goal here is to help make the technology community stronger by sharing what we’ve learned through this,” Prewitt said. “A ransomware attack can happen to anyone, any company of any size. The more we can share about our experience and how we dealt with it, how we identified it and how we dealt with it, the better off the technology community will be.”
Little known so far
So far, however, the company has said little about the nature of the attack or how it is being handled.
On Monday, an outside adviser to Rackspace said the company identified the culprit only as “a criminal, financially motivated group — a known ransom group.” The company did not specifically identify the attackers, disclose what they are looking for or say whether the company is paying a ransom to gain access to data. Also unclear is how the attackers gained access to Rackspace’s servers.
Ransomware criminals encrypt a victim’s data and demand a ransom to return access. There is no guarantee that a company or group that pays a ransom will regain access to its data.
Prewitt said earlier this week that the company had not determined whether it would exit the hosted Exchange business, which generated about $30 million in annual revenue, or 1 percent of total annual revenue. He said the company had been considering exiting the business for the past year.
He said Friday that three-quarters of affected customers had the ability to “send and receive mail” through Microsoft 365, but without access to archives and data stored on Rackspace’s Exchange servers.
Amid the ongoing investigations, many customers are taking to social media platforms to blast Rackspace’s status updates posted on its corporate website and Twitter account. Several have also filed proposed class action lawsuits over the loss of data, the company’s response to it and other issues.
“I would be sympathetic to the ransomware situation if they handled support and messaging properly and if I believed they were following their own security strategies,” Málaga Smith, president of Communications Team, a client brand strategy and account management firm in California, said early Friday.
On Friday afternoon, Prewitt said that Rackspace was still “absolutely swarming” its phone lines with employees ready to help affected customers.
“Hundreds of Rackers have volunteered their time to help customers through this process,” he said. “Our telephone queues and waiting time are very short. Typically there is no wait and we are eager to help customers get back on track.”