Fraud Management & Cybercrime , Incident & Breach Response , Ransomware
Ransomware Attack Cleanup Costs: $11M So Far for Rackspace
Fallout From Crypto-Locking Malware Attacks and Data Exfiltration Remains CostlyAfter the attack comes the bill: Ransomware and data exfiltration attacks continue to stick victims with serious cleanup, legal and other costs.
See Also: 2024 Threat Hunting Report: Insights to Outsmart Modern Adversaries
Cloud computing giant Rackspace has so far spent $10.8 million responding to an attack against its hosted Exchange environment by the Play ransomware group that began late last November, the company said in an earnings presentation released earlier this month. The attack, which came to light on Dec. 1, 2022, affected 30,000 Rackspace customers, leaving them unable to access to email and associated data.
The San Antonio, Texas, company's multimillion-dollar expenditure includes "costs to investigate and remediate, legal and other professional services, and supplemental staff resources that were deployed to provide support to customers," it said in a separate filing with U.S. federal regulators. "We expect to continue to incur legal and other professional services costs in future periods and will expense those costs as incurred."
Costs could spiral further. "We are named in several lawsuits in connection with the December 2022 ransomware incident which caused service disruptions on our Hosted Exchange email business," Rackspace said. "The pending lawsuits seek, among other things, equitable and compensatory relief. We are vigorously defending these matters."
Rackspace said it maintains cybersecurity insurance and expects "a significant portion" of the costs stemming from the attack and cleanup to be reimbursed by insurance. The company has declined to comment on whether it paid a ransom to Play.
Rackspace's bill thus far is a fraction of the approximately $50 million that non-bank lender Latitude Financial has spent recovering from an attack that came to light in March. The Australian company expects at least some of those costs to be covered by its insurance policies.
When Latitude first revealed the hack attack in mid-March, it estimated attackers had stolen records pertaining to 328,000 customers. As is often the case in breach investigations, the probe found that the final tally was markedly different. By late March, the company had issued an update saying attackers stole data pertaining to about 14 million customers. The tally included approximately 7.9 million Australian and New Zealand driver's license numbers, plus an additional 6.1 million records - including names, addresses, phone numbers and birthdates - contained in a database with information dating back to at least 2005.
"We will reimburse our customers who choose to replace their stolen ID document," Latitude said in its updated breach notification.
To Latitude's credit, the company declined to pay the ransom being demanded by attackers in return for the criminals' promise to delete stolen data (see: Ransom Realpolitik: Paying for Data Deletion Is for Suckers).
One of the biggest attacks seen so far this year is the Russian-speaking Clop group's mass exploitation of a zero-day vulnerability in Progress Software's MOVEit file transfer software. The attack is too recent to know its full financial impact, but available data suggests the bill will be an expensive one. Ransomware incident response firm Coveware has estimated that Clop may have earned $75 million to $100 million via a few very large ransom payments from bigger victims in the early days of its campaign.
Starting in late May, in a highly automated attack, Clop stole data from more than 1,000 organizations, according to German consultancy KonBriefing.
New victims come to light daily, including organizations that were affected directly because they use MOVEit or indirectly because one or more of their suppliers use the software.