Dec 13, 2022 - Technology

The double-edged sword of post-ransomware communication

Illustration: Sarah Grillo/Axios

More than a week after a ransomware attack sparked the shutdown of servers at cloud and email-hosting provider Rackspace Technology, questions are still rising and its customer base is growing frustrated.

The big picture: Experts tell Axios that corporate ransomware victims face a tough dilemma: Sharing too much info risks it being weaponized in lawsuits or ruining negotiations with attackers. Not sharing enough could lead to customer outrage or even a mass exodus.

Driving the news: Over the weekend, Rackspace released more details about how it's responding to a Dec. 2 attack that prompted the shutdown of its Hosted Exchange servers, leaving thousands of small to medium-sized businesses without access to their email inboxes.

  • It hired incident response firm CrowdStrike, got two-thirds of affected customers set up with alternative email services, and ensured that any emails archived before the attack were safe.
  • But some customers tell Axios they still haven't received any word about whether the company will be able to bring their servers back online or what data, if any, hackers have stolen.

Why it matters: How a company responds to an ongoing security event can have a serious impact on its short-term business and on the outcome of any litigation or regulatory reviews that come from the incident.

  • "You'll be in a much better position when those lawsuits happen if you're demonstrating good faith, if you're demonstrating empathy, if you're demonstrating a quick response," says Melanie Ensign, founder and CEO of Discernible Inc. and press lead at DEFCON.

Flashback: Since Rackspace's incident, customers have been swarming social media to complain about what they describe as a lack of communication and transparency in the early days of the company's response.

  • Some customers tell Axios they've already left the service for competitors like GoDaddy and Wix.

Usually when a customer base is upset, that means something was missing in the communications strategy, Ensign said.

  • "Whether it was intentional or not, they did not communicate the principal attribute of, 'We've got your back. You can trust us. We're going to make this right,'" Ensign says of Rackspace's early communications.

The intrigue: Rackspace chief product officer Josh Prewitt told Axios on Monday that part of the reason the company's communications haven't been able to answer all customer questions is that his team wants to make sure all information is accurate.

  • "Ultimately, we don't want to walk back anything that we said like we've seen so many companies have to do," Prewitt told Axios. In the last year, companies like Okta have had to revise details about how widespread a breach was.
  • "When you're in the fog of war, there are some things that you think that you know, and then it turns out you didn't know them."

Details: Rackspace officials did answer a few lingering customer questions:

  • The company knows which hackers are behind the attack, but it declined to say who, to protect an ongoing FBI investigation.
  • It’s going to take longer than was internally anticipated to get customers’ original servers back online. The company has relied on transitioning customers to alternative services like Microsoft 365 or recovering already archived emails.

Between the lines: The ransomware attack at Rackspace serves as a good reminder that companies need to always be revisiting incident response plans before a cyberattack happens, experts tell Axios.

  • "The best way to deal with these things is to have already had these discussions and conversations," says Connie Stack, CEO at data protection company Next DLP.

What's next: Rackspace is working on releasing so-called "indicators of compromise," along with a blog detailing how the breach happened.
