Rackspace has been conducting an ongoing incident response and investigation into a ransomware attack that took its Hosted Exchange email service offline for a large portion of its customers.
Rackspace has shared findings from this investigation, giving details on the cause and impact of the attack. According to those reports, the attackers exploited a known Exchange Server vulnerability, CVE-2022-41080, an elevation-of-privilege flaw, to get past the mitigations for the ProxyNotShell vulnerabilities and reach the ProxyNotShell remote code execution bug (CVE-2022-41082). Microsoft had released a patch for CVE-2022-41080 in its November 2022 security update, shortly before the attack.
Key Takeaways from the Rackspace Ransomware Attack
Here are some important insights from Rackspace’s experience with the ransomware attack:
- Vulnerability Exploitation: Attackers used a known Exchange Server privilege-escalation vulnerability, CVE-2022-41080, as a way around the published ProxyNotShell mitigations.
- Decision to Delay Patching: Rackspace chose not to apply the patch immediately, citing potential authentication issues that could affect a large number of end-users.
- Outcome: This decision, though cautious, left the Hosted Exchange environment exposed to the ransomware attack.
Why Rackspace Delayed Patching
Despite being aware of the vulnerability and the available patch, Rackspace decided not to patch its Hosted Exchange platform. Its stated reasoning involved:
- Potential authentication failures in patched versions, which could disrupt many customers.
- Known risks of applying certain patches, as shown by a Windows Server update from the same period that disrupted Kerberos authentication in Active Directory.
This cautious approach inadvertently left the systems open to the ransomware attack that took down the service.
The Challenge of Patching During a Ransomware Threat
The decision not to patch the vulnerability highlights a common challenge: balancing service continuity against security risk. The patch itself posed a risk of causing service outages, while threat actors had already found a way around the interim mitigations (the IIS URL Rewrite rule) that Microsoft had published as a stopgap. Rackspace faced a "Morton's Fork", a choice where both options led to undesirable outcomes:
- Patching Risk: Potential for an immediate service outage and customer impact.
- No Patch Risk: Exposure to ransomware attacks exploiting the unpatched vulnerability.
Ultimately, Rackspace chose to delay the patch, estimating the risk of a ransomware attack as lower than the known risk of an outage.
Multiple Defensive Strategies Against Ransomware
When patching is challenging, organizations should employ a layered defense to mitigate ransomware risks. A “good, better, best” approach is recommended:
Best: Apply all feasible patches. When vulnerabilities are identified, prioritize immediate patching wherever it does not compromise critical services, and test the patch in a staging environment first so that the outage risk is measured rather than guessed.
Better: Use additional defensive controls, such as:
1. Behavior-based anti-malware: Detects post-exploitation activity (web shells, suspicious child processes of IIS worker processes) that signature-based tools miss on Exchange servers.
2. Workarounds: Disable Remote PowerShell for non-administrator users and apply the vendor's IIS URL Rewrite rule to block ProxyNotShell request patterns. Treat these as a stopgap rather than a substitute for the patch; the URL Rewrite mitigation was bypassed in the Rackspace attack.
Good: Focus on detection and containment through:
1. SIEM correlation rules: Detect unusual request patterns against Exchange front-end endpoints (autodiscover, OWA, the PowerShell backend) and correlate them by source address.
2. Strict network segmentation: Limits lateral movement once a server is compromised and narrows the blast radius, which also makes the intrusion easier to spot.
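As an added example that is not part of the original article or Rackspace's own tooling, the script below sketches the kind of correlation rule the "Good" tier calls for. It parses IIS W3C log lines from an Exchange front end, rebuilds and percent-decodes each request URI, flags URIs where an `@`-containing path segment routes to the `/powershell` backend (the shape shared by the ProxyNotShell autodiscover requests and the later OWA-based bypass), and counts hits per client IP so a SIEM could threshold on them. The log excerpt is constructed for the example and is not real Rackspace data; the assumption that legitimate front-end traffic never carries this URI shape is the author's, not the page's.

```python
"""Added example: flag ProxyNotShell / OWA-bypass style request URIs in IIS logs."""
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (not real Rackspace data). Two requests
# mimic the published ProxyNotShell (autodiscover) and OWA-bypass URI shapes;
# the remaining lines are benign noise.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2022-12-01 02:14:07 GET /owa/auth/logon.aspx url=%2fowa%2f 198.51.100.10 Mozilla/5.0 200
2022-12-01 02:14:09 POST /autodiscover/autodiscover.json @evil.example/powershell/?X-Rps-CAT=deadbeef 203.0.113.5 python-requests/2.28 200
2022-12-01 02:14:11 POST /owa/mastermailbox%40outlook.com/powershell - 203.0.113.5 Mozilla/5.0 200
2022-12-01 02:14:12 POST /ews/exchange.asmx - 198.51.100.11 Microsoft+Office/16.0 200
2022-12-01 02:14:15 POST /powershell - 198.51.100.12 Microsoft+WinRM+Client 200
"""

# An '@' inside a path segment that then routes to the /powershell backend.
# This generalises the autodiscover-only URL Rewrite pattern to any such
# segment (assumption: legitimate front-end traffic never has this shape).
PROXY_PATTERN = re.compile(r"@[^/?\s]+/powershell", re.IGNORECASE)


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C-format lines, taking column names from the #Fields directive."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def request_uri(record: Dict[str, str]) -> str:
    """Rebuild the full request URI (stem + query) and percent-decode it."""
    uri = record["cs-uri-stem"]
    query = record.get("cs-uri-query", "-")
    if query != "-":
        uri += "?" + query
    return unquote(uri)  # turns %40 back into '@', %2f into '/', and so on


def is_proxynotshell_style(record: Dict[str, str]) -> bool:
    """True when the decoded URI matches the '@<segment>/powershell' shape."""
    return PROXY_PATTERN.search(request_uri(record)) is not None


def find_suspicious(text: str) -> List[Dict[str, str]]:
    """Return every parsed record that trips the rule."""
    return [r for r in parse_iis_log(text) if is_proxynotshell_style(r)]


def summarize_by_source(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Correlation step: hits per client IP, the value a SIEM rule would threshold on."""
    return dict(Counter(r["c-ip"] for r in findings))


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for h in hits:
        print(h["time"], h["c-ip"], h["cs-method"], request_uri(h))
    print(summarize_by_source(hits))
```

Run against the embedded sample, the rule flags the two crafted requests and attributes both to `203.0.113.5`, while the plain `/powershell` call from the WinRM client (no `@` segment) and the ordinary OWA, EWS and logon traffic pass through. Decoding before matching matters: the OWA variant hides the `@` as `%40`, which a rule written against the raw `cs-uri-stem` would miss.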
Testing Defensive Strategies with Breach & Attack Simulations
Testing defensive strategies with breach and attack simulation (BAS) is a crucial part of an effective ransomware defense. Regular testing with a BAS platform lets an organization confirm that its remediation measures, such as patches and workarounds, actually neutralize the threats they were meant to address, rather than assuming so.
By replaying ransomware scenarios, BAS platforms help verify that incident response procedures trigger as intended and that network segmentation and detection mechanisms contain the spread, limiting the impact. This is exactly the check that would have shown whether an interim mitigation such as a URL Rewrite rule still held against known bypasses.
Integrating BAS into a security program lets an organization continuously validate and improve its ransomware defenses and maintain a proactive, resilient posture.
Summing Up: A Proactive Approach to Ransomware Resilience
The Rackspace ransomware attack underscores the importance of a proactive, layered approach to security. In summary:
- Patch When Feasible: Apply safe patches promptly, and test them so the outage risk is known rather than assumed.
- Implement Layered Defenses: Use additional controls and workarounds when a patch cannot be applied immediately, without mistaking them for a permanent fix.
- Test Continuously: Regularly validate defenses with breach and attack simulations.
Together, these strategies strengthen an organization's resilience against ransomware, helping to contain damage and prevent an intrusion from escalating.