Play attacks Rackspace

Incident Date: Dec 06, 2022

Attack Overview
Victim: Rackspace
Industry: Software
Location: USA
Attacker: Play
First reported: December 6, 2022

The Play Ransomware Gang's Attack on Rackspace

The Play ransomware gang has attacked Rackspace. Rackspace is a cloud computing provider headquartered in San Antonio, Texas. It employs over 6000 people and reported $3.01 billion in revenue in 2021. Rackspace confirmed the attack on December 6th, 2022, and said in a later statement: "As you know, on Friday, December 2nd, 2022, we became aware of suspicious activity and immediately took proactive measures to isolate the Hosted Exchange environment to contain the incident. We have since determined this suspicious activity was the result of a ransomware incident." On January 6th, 2023, the organization confirmed that hackers had accessed customer data, attributing the attack to the Play ransomware gang. The statement read: "We have already communicated our findings to these customers proactively, and importantly, according to CrowdStrike, there is no evidence that the threat actor actually viewed, obtained, misused or disseminated any of the 27 Hosted Exchange customers' emails or data in the PSTs in any way." It's not clear whether Rackspace paid a ransom.

About Play Ransomware

Play ransomware (aka PlayCrypt) is a newer ransomware group that emerged in the summer of 2022 with high-profile attacks on the City of Oakland, Argentina's Judiciary, and the German hotel chain H-Hotels. Play has similarities to Hive ransomware and is known to use tools such as Cobalt Strike for post-compromise lateral movement and the SystemBC RAT for persistence, along with Mimikatz and living-off-the-land binaries (LOLBins). Play is an evolving RaaS platform known to exploit an Exchange vulnerability (CVE-2022-41080, patched by Microsoft in November 2022) that lets the attackers reach a second vulnerability, the ProxyNotShell bug CVE-2022-41082, even where a patch had been applied; this chain gives them remote code execution on the affected systems. Play uses PowerTool to disable antivirus tools and security monitoring solutions.
