{
	"id": "891663ae-aac3-4372-a220-295f11d72dfd",
	"created_at": "2026-04-06T00:19:31.138296Z",
	"updated_at": "2026-04-10T03:30:33.34547Z",
	"deleted_at": null,
	"sha1_hash": "0e75948331f80777e3ca8eeee002601f2e3bab5c",
	"title": "Rackspace confirms Play ransomware was behind recent cyberattack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2095039,
	"plain_text": "Rackspace confirms Play ransomware was behind recent cyberattack\r\nBy Sergiu Gatlan\r\nPublished: 2023-01-04 · Archived: 2026-04-05 16:38:31 UTC\r\nTexas-based cloud computing provider Rackspace has confirmed that the Play ransomware operation was behind a recent cyberattack that took down the company's hosted Microsoft Exchange environments.\r\nThis follows a report last month by cybersecurity firm CrowdStrike, which detailed a new exploit used by the ransomware group to compromise Microsoft Exchange servers and gain access to victims' networks.\r\nThe exploit (dubbed OWASSRF) allowed the attackers to bypass the ProxyNotShell URL rewrite mitigations provided by Microsoft, likely by targeting a critical flaw (CVE-2022-41080) that allows remote privilege escalation on Exchange servers.\r\nThey also managed to gain remote code execution on vulnerable servers by abusing CVE-2022-41082, the same bug exploited in ProxyNotShell attacks.\r\nWhile CrowdStrike did not name the victim in its report, Rackspace officials have revealed in recent local media interviews and emails to BleepingComputer that the OWASSRF exploit was found on its network and that Play ransomware was behind last month's ransomware attack.\r\n\"We are now highly confident that the root cause in this case pertains to a zero-day exploit associated with CVE-2022-41080. See a recent blog by CrowdStrike for more information. Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include notes for being part of a Remote Code Execution chain that was exploitable,\" Karen O'Reilly-Smith, Rackspace's Chief Security Officer, told BleepingComputer.\r\n\"We thank CrowdStrike for their thorough work in discovering this zero-day exploit during the course of this investigation and will be sharing more detailed information with our customers and peers in the security community so that, collectively, we can all better defend against these types of exploits in the future.\"\r\nSince the attack was discovered, Rackspace has provided customers free licenses to migrate their email from its Hosted Exchange platform to Microsoft 365.\r\nThe company is also working on providing affected users with download links to their mailboxes (containing Hosted Exchange email data from before December 2) through its customer portal via an automated queue.\r\n\"We are proactively notifying customers for whom we have recovered greater than 50% of their mailboxes,\" the company said on the incident report page.\r\n\"We are still working meticulously to upload the remaining data into the portal. Once available for download, the PST files will be available through the customer portal for 30 days.\"\r\nDefend Exchange servers against Play ransomware attacks\r\nCrowdStrike said the OWASSRF exploit was used to drop remote access tools such as Plink and AnyDesk on the compromised Rackspace servers.\r\nBleepingComputer also found that Play ransomware tooling discovered online by researchers contains the ConnectWise remote administration software, which is likely to be deployed in attacks.\r\nAll organizations with on-premises Microsoft Exchange servers on their network are advised to apply the latest Exchange security updates immediately (with November 2022 being the minimum patch level) or to disable Outlook Web Access (OWA) until they can apply the patches for CVE-2022-41080.\r\nThe Play ransomware operation was first spotted in June 2022, after the first victims began reaching out for help in the BleepingComputer forums.\r\nSince its launch, dozens of victims have uploaded ransom notes and samples to the ID Ransomware platform to identify what ransomware was used to encrypt their files.\r\nPlay ransomware activity (ID Ransomware)\r\nUnlike most ransomware operations, Play gang affiliates use email as a negotiation channel and do not provide victims with a link to a Tor negotiation page in the ransom notes dropped on encrypted systems.\r\nHowever, they steal data from their victims' networks before deploying ransomware payloads and threaten to leak it online if the ransom is not paid.\r\nRecent Play ransomware victims include the German H-Hotels hotel chain, Argentina's Judiciary of Córdoba, and the Belgian city of Antwerp.\r\nSource: https://www.bleepingcomputer.com/news/security/rackspace-confirms-play-ransomware-was-behind-recent-cyberattack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/rackspace-confirms-play-ransomware-was-behind-recent-cyberattack/"
	],
	"report_names": [
		"rackspace-confirms-play-ransomware-was-behind-recent-cyberattack"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434771,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0e75948331f80777e3ca8eeee002601f2e3bab5c.pdf",
		"text": "https://archive.orkl.eu/0e75948331f80777e3ca8eeee002601f2e3bab5c.txt",
		"img": "https://archive.orkl.eu/0e75948331f80777e3ca8eeee002601f2e3bab5c.jpg"
	}
}