Fallout From Crypto-Locking Malware Attacks and Data Exfiltration Remains Costly
After the attack comes the bill: Ransomware and data-exfiltration attacks continue to stick victims with serious cleanup, legal and other costs.
Cloud computing giant Rackspace has so far spent $10.8 million responding to an attack against its hosted Exchange environment by the Play ransomware group that began late last November, the company said in an earnings presentation released earlier this month. The attack, which came to light on Dec. 1, 2022, affected 30,000 Rackspace customers, leaving them unable to access email and associated data.
The San Antonio, Texas, company’s multimillion-dollar expenditure includes “costs to investigate and remediate, legal and other professional services, and supplemental staff resources that were deployed to provide support to customers,” it said in a separate filing with U.S. federal regulators. “We expect to continue to incur legal and other professional services costs in future periods and will expense those costs as incurred.”
Costs could spiral further. “We are named in several lawsuits in connection with the December 2022 ransomware incident which caused service disruptions on our Hosted Exchange email business,” Rackspace said. “The pending lawsuits seek, among other things, equitable and compensatory relief. We are vigorously defending these matters.”
Rackspace said it maintains cybersecurity insurance, and expects “a significant portion” of the costs stemming from the attack and cleanup to be reimbursed by insurance. The company has declined to comment on whether it paid a ransom to Play.
Rackspace’s bill thus far is a fraction of the approximately $50 million that non-bank lender Latitude Financial has spent recovering from an attack that came to light in March. The Australian company expects at least some of those costs to be covered by its insurance policies.
When Latitude first revealed the hack attack in mid-March, it estimated attackers had stolen records pertaining to 328,000 customers. As is often the case in breach investigations, the probe found that the final tally was markedly different. By late March, the company issued an update saying attackers stole data pertaining to about 14 million customers. The tally included approximately 7.9 million Australian and New Zealand driver’s license numbers, plus an additional 6.1 million records – including names, addresses, phone numbers and birthdates – contained in a database with information dating back to at least 2005.
“We will reimburse our customers who choose to replace their stolen ID document,” Latitude said in its updated breach notification.
To Latitude’s credit, the company declined to pay the ransom being demanded by attackers in return for the criminals’ promise to delete stolen data (see: Ransom Realpolitik: Paying for Data Deletion Is for Suckers).
One of the biggest attacks seen so far this year has been the Russian-speaking Clop group’s mass exploitation of a zero-day vulnerability in Progress Software’s MOVEit file-transfer software. The attack is too recent to know its full financial impact, but available data suggests the bill will be an expensive one. Ransomware incident response firm Coveware has estimated that Clop may have earned $75 million to $100 million via a few very large ransom payments from bigger victims in the early days of its campaign.
Starting in late May, in a highly automated attack, Clop stole data from more than 1,000 organizations, according to German consultancy KonBriefing.
New victims come to light daily, including organizations that were impacted directly because they use MOVEit, or indirectly because one or more of their suppliers use the software.