On December 2, 2022, a ransomware attack on Rackspace disrupted email services for thousands of businesses. The attack encrypted files throughout Rackspace’s Hosted Exchange environment, one of the largest in the world. The outage impacts mostly small and midsize businesses (SMBs). While Hosted Exchange is only 1% of Rackspace revenue, the incident was large enough to warrant a filing with the Securities and Exchange Commission. We can all learn lessons from the Rackspace attack with respect to cybersecurity and response.
Lessons from the Rackspace Attack
1 Incident Response Must Be Quick
In their SEC filing, Rackspace noted that their “… information security team had strong incident response protocols in place that led to the quick containment of the ransomware attack.” They were able to limit the damage to the Hosted Exchange service, protecting other aspects of the company’s operations and other services.
For SMBs like ours, speed is also necessary. Quickly identifying an attack and isolating affected devices is critical. An infected laptop can spread the infection to servers and through files synced into cloud storage (i.e., OneDrive, Google Drive, Dropbox). From there, every connected device is vulnerable.
2 Recovery is Not a Sure Thing
Rackspace is NOT recovering customers’ Hosted Exchange service. The company is moving these customers to Microsoft 365.
Paying the ransom is not always possible. Paying a ransom does not guarantee that you get your data back.
3 Recovery is Difficult
As of December 12, 2022, a full 10 days after the attack, Rackspace disclosed that about two thirds of its customers had been transitioned to Microsoft 365. Nearly one third of customers remained without email service. Rackspace is effectively abandoning its Hosted Exchange service.
The logistics of identifying recoverable data and understanding interdependencies are complex. Managing data restoration across multiple devices, systems, and data sets is challenging. Some data will be lost. Understanding which data, and how much data, has been lost is challenging.
4 Recovery is Big and Slow
Rackspace has hired staff and contracted with many Microsoft FastTrack service providers. Even so, call wait times are still averaging about 30 minutes. Rackspace is setting expectations, repeatedly telling customers that data recovery will “necessarily take significant time”.
Starting with a clean system gets your systems up and running. How effectively can you run your business without your data? Data recovery takes time, even from backups. While email may be relatively easy to live without, what is the impact if your accounting system is unavailable for days or weeks?
5 Recovery needs Expertise
While Rackspace is a leading technology firm, they have hired outside firms to investigate the attack and remediate the incident.
Most IT firms servicing SMBs do not have the expertise or staff to respond to a cyber attack. Expertise and resources will be needed for investigations and forensics, data recovery, systems restoration, communications, regulatory reporting and compliance, and customer service.
6 Recovery is Expensive
Rackspace is actively promoting that it maintains sufficient cybersecurity insurance to cover the costs of the incident. Their SEC filing, however, does not indicate if or how they plan to compensate customers for their losses.
You will spend money … lots of money … beyond the cost of getting your data back, your systems restored, and your business back up and running. Regulatory filings, communication, legal services, and litigation can be a crushing burden that threatens the survival of the business. More than half of SMBs fail within six months of a significant cyber attack.
Steps You Can Take
Looking at the lessons from the Rackspace Attack informs how we should think about protecting our businesses and ensuring we can return to normal operations quickly and efficiently. Here are resources for you to learn more.
Earlier this year, we blogged about how Streamlining Security for SMBs can protect you from the most common and the most expensive types of cyber attacks without breaking your budget. We held a webinar on the same subject.
Our Security CPR model outlines the three critical aspects of cyber security: communication/education, protection/prevention, and recovery/response. Our eBook, 15 Best Practices for Cyber Protection, dives into the model.
To discuss your security footprint, risks, and options, contact us by email, via our website, or by scheduling time directly with one of our Cloud Advisors.