Rackspace Ransomware 2022: Hosted Exchange Shutdown, 30,000 Customers Down

2022-12-02
Breach Intelligence

Breach date: 2022-12-02
Industry: Technology
Severity: High
Records exposed: 30K customers
Financial impact: Undisclosed

Breach Summary

The Rackspace Hosted Exchange ransomware attack of December 2022 took down the hosted email service used by thousands of small and mid-market businesses over the holiday period. It demonstrated the cascading impact when a managed service provider's core infrastructure is hit with ransomware, and the distinct legal and contractual problems that arise when customers' own data is compromised through their service provider.

What Happened

Rackspace took the Hosted Exchange service offline on December 2, 2022 after detecting the ransomware. Thousands of small businesses lost access to their email during the pre-Christmas business period. Rackspace offered Microsoft 365 licenses as a temporary migration path. The full scope of data exfiltration was not disclosed until February 2023. Rackspace subsequently announced the permanent discontinuation of its Hosted Exchange product. Class action lawsuits were filed by customers who suffered business losses from the email outage.

Attack Vector Detail

The Play ransomware group exploited CVE-2022-41080, a Microsoft Exchange Server ProxyNotShell vulnerability, to compromise Rackspace's Hosted Exchange environment. The vulnerability allowed privilege escalation and remote code execution on Exchange servers. Play used this access to encrypt Rackspace's Exchange infrastructure, taking the service offline and preventing approximately 30,000 customers from accessing their hosted email. The attackers also exfiltrated customer data from some affected accounts.
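As an added defender-side example (not Rackspace's or Microsoft's code), the script below triages an Exchange server inventory against the patch state that mattered in this incident: servers that carried only the interim URL-rewrite mitigation rather than the November 2022 Security Update that fixed CVE-2022-41080/41082. The fixed build numbers and the server inventory are assumptions, labelled in the code; verify the builds against Microsoft's Exchange build table before use.

```python
"""Patch-lag triage for Exchange servers against the ProxyNotShell fix (added
example, not Rackspace's or Microsoft's code). Input is the ExSetup.exe file
version, which unlike AdminDisplayVersion changes when a Security Update lands."""

# Minimum build per CU line carrying the CVE-2022-41080/41082 fix (November 2022 SU).
# ASSUMPTION: reproduced from Microsoft's Exchange build-number table; verify first.
FIXED_BUILDS = {
    (15, 2, 1118): (15, 2, 1118, 15),  # Exchange 2019 CU12
    (15, 2, 986): (15, 2, 986, 36),    # Exchange 2019 CU11
    (15, 1, 2507): (15, 1, 2507, 16),  # Exchange 2016 CU23
    (15, 1, 2375): (15, 1, 2375, 37),  # Exchange 2016 CU22
    (15, 0, 1497): (15, 0, 1497, 44),  # Exchange 2013 CU23
}

# Constructed inventory: (server, ExSetup.exe version, URL-rewrite mitigation applied)
INVENTORY = [
    ("EX19-A", "15.2.1118.15", True),
    ("EX19-B", "15.2.1118.12", True),  # earlier SU plus the mitigation rule only
    ("EX16-A", "15.1.2507.13", False),
    ("EX16-OLD", "15.1.2308.8", True),  # CU21: no November 2022 SU was issued
]

def parse_build(text):
    """Turn '15.2.1118.15' into a comparable int tuple; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Exchange build: {text!r}")
    return tuple(int(p) for p in parts)

def assess(name, build_text, mitigation_applied):
    """Classify one server as PATCHED, MITIGATION_ONLY, EXPOSED or UNSUPPORTED_CU."""
    build = parse_build(build_text)
    fixed = FIXED_BUILDS.get(build[:3])
    if fixed is None:
        return (name, "UNSUPPORTED_CU", "no fixed build for this CU; upgrade CU, then apply SU")
    if build >= fixed:
        return (name, "PATCHED", "November 2022 SU or later installed")
    if mitigation_applied:  # the rewrite rule alone is what OWASSRF circumvented
        return (name, "MITIGATION_ONLY", "mitigation is not a fix; install the SU")
    return (name, "EXPOSED", "no fix and no mitigation")

def triage(inventory):
    """Assess every server and return findings, worst states first."""
    order = {"EXPOSED": 0, "MITIGATION_ONLY": 1, "UNSUPPORTED_CU": 2, "PATCHED": 3}
    return sorted((assess(*row) for row in inventory), key=lambda f: order[f[1]])

if __name__ == "__main__":
    for server, state, note in triage(INVENTORY):
        print(f"{server:9} {state:15} {note}")
```

Feed it real ExSetup.exe versions (for example from a file-version query on each server) to get a first-pass view of which hosts still depend on mitigation alone.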

Breach Pattern Timeline

Pre-December 2022

Play ransomware group (also known as PlayCrypt, active since June 2022) develops an exploit chain combining the ProxyNotShell vulnerabilities (CVE-2022-41080 + CVE-2022-41082) in Microsoft Exchange Server — bypassing the initial ProxyNotShell mitigation Microsoft had recommended.

December 2, 2022

Rackspace Technology — a major cloud and hosted services provider — detects ransomware on its Hosted Exchange environment and takes the service offline.

December 6, 2022

Rackspace publicly confirms ransomware impact on Hosted Exchange. Tens of thousands of small business customers cannot access email. Recommends migration to Microsoft 365.

December 22, 2022

Rackspace confirms Play ransomware as the threat actor. Discloses CVE-2022-41080 / CVE-2022-41082 (ProxyNotShell variant 'OWASSRF') as the attack vector — the exploit Microsoft's initial mitigation guidance did not fully address.

January 2023

Rackspace decommissions Hosted Exchange permanently after assessing recovery economics. Migrates remaining customers to Microsoft 365.

February-March 2023

Rackspace's 8-K filing discloses approximately $11.7M in direct breach costs. Multiple class actions are filed. Customer email archive recovery proceeds in stages.

July 2023

Rackspace provides an update: an estimated 27 customers had data exfiltrated (out of thousands affected). PII and business-data exposure is confirmed for the affected subset.

2023-2024

The Hosted Exchange decommission completes and the business line is permanently exited. The case becomes the foundational precedent for hosting providers' ransomware exposure and for the 'decommission rather than rebuild' decision when recovery economics fail.

Total impact: Hosted Exchange permanently shut down, tens of thousands of small business customers affected (subset with data exfiltration), $11.7M+ direct costs, foundational precedent for ProxyNotShell mitigation bypass and hosted-services decommission decision logic.

Executive Lessons

Rackspace established that cloud hosting providers — whose value proposition includes managed security — are themselves ransomware targets, and that their compromise can take down thousands of customers simultaneously. The 30,000 customers who lost Hosted Exchange access for weeks during the holiday season experienced a business continuity failure they had no control over and no advance warning of. Third-party concentration risk in cloud hosting requires explicit business continuity planning for provider outage scenarios.

Private Equity Implications

For PE portfolio companies using managed hosting or cloud services for critical infrastructure like email, the Rackspace breach illustrates that managed service providers are themselves attack targets with potentially inferior security controls. Critical business services hosted by third parties require evaluation of the provider's security program, patch management discipline, and contractual indemnification provisions before a service disruption event creates unmanageable business impact.

How Cloudskope Can Help

Cloudskope's MSP and cloud provider assessments evaluate patch management discipline for shared infrastructure, customer data isolation controls, and incident response capabilities for service disruption events.
