
Play ransomware gang behind recent cyber attack on Rackspace

Rackspace said that “more than half” of affected customers have regained access to data in the wake of the attack

Rackspace has revealed the Play ransomware gang was behind a December attack which took down the company’s hosted Microsoft Exchange email service.  

In a status update published on Thursday evening, the cloud computing firm confirmed the ransomware group gained access to Personal Storage Tables (PST) belonging to 27 hosted Exchange customers.

Rackspace insisted that, at present, there is no evidence to suggest that threat actors “viewed, obtained, misused, or disseminated” emails or data belonging to the hosted Exchange customers.

“No other Rackspace products, platforms, solutions, or businesses were affected or experienced downtime due to this incident,” the firm said. 

At the time of Rackspace’s update, the firm revealed that “more than half” of impacted customers have had “some or all of their data available to them to download”.  

“This indicates to us that many of our customers have data backed up locally, archived, or otherwise do not need the historical data,” the company said.  

“We will continue working to recover all data possible as planned, however, in parallel, we are developing an on-demand solution for those customers who do still wish to download their data. We expect that the on-demand solution will be available within two weeks.” 

Rackspace added that the hosted Exchange service will not return following the incident.  

Rackspace cyber attack 

Rackspace first informed customers on 2 December that it had suffered a breach. The attack caused an outage on the company's hosted Microsoft Exchange email service, leaving affected customers unable to access email or recover contacts and previous correspondence.

A follow-up disclosure by the firm confirmed that a ransomware attack was to blame for the incident, and Rackspace subsequently began migrating customers to cloud-based Microsoft 365 services.

Initial speculation suggested that the incident was the result of the ProxyNotShell exploit, Rackspace said. However, the company said it can now “definitively state” that this is not accurate.  

An investigation by CrowdStrike found that Play harnessed a zero-day exploit associated with CVE-2022-41080, known as ‘OWASSRF’, as part of the attack. 


The OWASSRF zero-day exploits two vulnerabilities, tracked as CVE-2022-41080 and CVE-2022-41082, and enables threat actors to achieve remote code execution (RCE) through Outlook Web Access.  

According to CrowdStrike, this method “bypasses URL rewrite mitigations for the Autodiscover endpoint provided by Microsoft in response to ProxyNotShell”. 

“Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include notes for being part of a remote code execution chain that was exploitable,” Rackspace added in its update. 

CrowdStrike said it discovered this new exploit on the back of an extensive investigation into recent Play ransomware attacks that targeted Microsoft Exchange.  

What is Play ransomware? 

The Play ransomware group is a relative newcomer to the global cyber crime space. Also known as PlayCrypt, the group is believed to have launched in June 2022 and has already caused significant disruption to a host of major organisations.  

The group previously claimed responsibility for an attack on German hotel chain H-Hotels, and earlier this week the group said it was responsible for an attack on the State of New York (SUNY) Polytechnic.

The attack is thought to be the first major ransomware attack on the education sector so far in 2023, and led to the exposure of sensitive data such as passport information, confidential contracts, and student IDs.

[Figure: screenshot of Play's ransomware blog displaying the group's most recent victims]

According to research from Avertium, Play has primarily targeted organisations across Latin America, but has also been observed attacking organisations in India, Hungary, Spain, and the Netherlands.

“Play is known for their big game hunting tactics, such as using Cobalt Strike for post-compromise and SystemBC RAT for persistence,” Avertium said in a blog post. “They have recently started exploiting the ProxyNotShell vulnerabilities in Microsoft Exchange.  

“The group also has similar tactics and techniques to the ransomware groups Hive and Nokoyawa, leading researchers to believe Play is operated by the same people.” 
