Ransomware Takes Out a Rackspace Line of Business - For Good

1–9–2023 (Monday)

Hello and welcome to Cyber Risk at Deal Speed, your weekly video update on the one big thing in cybersecurity for private equity investors and portfolio company management teams.

I’m your host, Shay Colson, Managing Partner for Cyber Diligence at Coastal Cyber Risk Advisors, and you can find us online at coastalcyber.io.

Today is Monday, January 9th, and this week’s One Big Thing is something we’ve covered before: The Rackspace Ransomware Incident - but with new details and some interesting evolution in the state of play.

Let’s dive in.

Rackspace Closes The Incident - And The Line of Business

In their final update on the ransomware incident that began now 5 weeks ago, Rackspace disclosed quite a few new pieces of information that I think are worth discussing here.

  1. Zero days. Rackspace insists that this was caused by a previously unknown vulnerability - or “zero day” - that Microsoft failed to disclose. While it might be convenient to try to put some of the blame here on Microsoft, I don’t think we should let Rackspace off the hook. Technically, the vulnerability that was exploited was already known - it just wasn’t known that it could be exploited remotely. These are not the same things, and the push for blame-shifting optics here by Rackspace isn’t a great look.

  2. Attackers accessed the emails of 27 customers. We don’t know which 27 customers (though it would be very interesting to see what characteristics those customers shared), but it’s worth noting because it indicates that this maybe wasn’t just a straight ransomware play - otherwise why take the time to dig into 27 sets of files? Was there a larger motivation? 27 out of 30,000 is a diminishingly small percentage - so was the ransomware just a cover for an espionage operation? We may never know.

  3. Rackspace is closing the incident. They noted in their last update that there wouldn’t be any further news. They also noted that only 5% of the customers “have actually downloaded the mailboxes we have made available.” They note “This indicates to us that many of our customers have data backed up locally, archived, or otherwise do not need the historical data.” I suspect that’s another optimistic framing. It’s likely that many of these customers lack the technical capability to do this sort of a restoration, and are struggling themselves to stay in business having lost their main lines of communication.

  4. Rackspace is actually closing this line of business. They noted initially that it was a relatively small part of their revenue, but it’s not just lost revenue - when you factor in the costs of this response, plus the loss of trust and goodwill, the actual cost of the event is massive. And even though their claim is designed to minimize the perception of impact, they’ve noted before that this service had 30,000 customers - and probably many of those customers purchased more than one service from Rackspace. The fact that a business with 30,000 customers - and in this case, with a large, publicly traded cloud company as the parent - is simply deciding to close its doors because it got hit with a single ransomware attack should make us all pause and reflect on our positions of readiness (or lack thereof).

Fundraising

A relatively modest $4.8B in newly committed capital announced last week, but I think it’s worth noting that we’re seeing $5B of investable capital as a small number. That’s not a small number, and given the lower valuations of late, we’re going to see the ability to do more deals within a fund, so this $4.8B will likely go further when it’s invested than it would have in 2021 or 2022.

You can find all the links to the stories we covered below, find back issues of these videos and the written transcripts at cyberriskatdealspeed.com, and we’ll see you every Monday for Cyber Risk at Deal Speed.

Links

https://status.apps.rackspace.com/index/viewincidents?group=2

https://techcrunch.com/2023/01/06/rackspace-ransomware-data-exchange/

https://cyberplace.social/@GossiTheDog/109631636496958209
