Hosted Exchange customers of Rackspace have been subjected to a ransomware attack, according to the company's confirmation.

No indications of customer data or email misuse were uncovered during the investigation conducted by the cloud services company.

In a series of events that disrupted critical business emails for many customers, Rackspace experienced a ransomware attack in December. The threat actor behind the attack was confirmed to be the BlackCat (ALPHV) ransomware group, as revealed earlier this week.

Despite the disruption, Rackspace has notified the organizations that were affected by the attack, and more than half of its Hosted Exchange customers have received some or all of their historical email from before the attack. However, only 5% of the customers have actually downloaded the mailboxes that were sent.

The attack on Rackspace is presumably the work of the BlackCat ransomware group, which quickly expressed interest in resolving the issue by promptly engaging in negotiations. The investigation by CrowdStrike, the FBI, and other experts indicated that, contrary to widespread reports, the attack was not related to ProxyNotShell. Instead, the attackers used an exploit associated with CVE-2022-41080, with Outlook Web Access as the entry point.

CrowdStrike researchers found that the attackers used a method dubbed OWASSRF, which bypassed the mitigations Microsoft had developed to protect against ProxyNotShell. Rackspace, however, has not commented on whether any ransom was paid or whether it obtained a decryptor.

Executives at Clumio, a data management company, said last month the Rackspace attack helped underscore the need to change the way organizations store and protect data. Woon Ho Jung, co-founder and CTO at Clumio, stated that data protection and recovery need to keep up with the gigantic scale and speed of ingest, retrieval, and backing up data continuously.

In response to the attack, Rackspace does not plan to rebuild the Hosted Exchange environment and has been moving customers to Microsoft 365. The company is continuing efforts to recover historical data and is developing an on-demand solution for customers who still want to download their data. Rackspace has concluded its post-incident investigation into the December ransomware attack, and there is no evidence the attackers obtained, viewed, disseminated, or misused any emails or data of the 27 affected customers.

The attack targeted the Personal Storage Table (PST) files of 27 out of 30,000 Hosted Exchange customers, primarily small and medium-sized businesses, along with individual customers. The disruption led to consolidated class action litigation being filed in U.S. District Court in Texas. As the dust settles, Rackspace continues to work towards ensuring the security and continuity of its services.