Rackspace, a cloud computing company, was one of the high-profile victims of the Play ransomware gang. The attack involved the theft of sensitive documents from compromised systems, which were then used to pressure the company into paying ransom demands under the threat of publishing the stolen data on the gang's dark web leak site. The ransomware gang also used a custom VSS Copying Tool to steal files from shadow volume copies, making the attack more challenging to mitigate.
TPRM report: https://scoringcyber.rankiteo.com/company/rackspace-technology
{
  "id": "rac421060625",
  "linkid": "rackspace-technology",
  "type": "Ransomware",
  "date": "6/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': 'Technology',
                        'name': 'Rackspace',
                        'type': 'Cloud Computing Company'},
                       {'industry': 'Public Administration',
                        'location': 'California',
                        'name': 'City of Oakland',
                        'type': 'Government'},
                       {'industry': 'Public Administration',
                        'name': 'Dallas County',
                        'type': 'Government'},
                       {'industry': 'Automotive',
                        'name': 'Arnold Clark',
                        'type': 'Car Retailer'},
                       {'industry': 'Public Administration',
                        'location': 'Belgium',
                        'name': 'Belgian City of Antwerp',
                        'type': 'Government'},
                       {'industry': 'Retail',
                        'name': 'Krispy Kreme',
                        'type': 'Food and Beverage'},
                       {'industry': 'Technology',
                        'name': 'Microchip Technology',
                        'type': 'Semiconductor Supplier'}],
 'attack_vector': 'Remote Code Execution, Malware, Phone Calls',
 'date_detected': 'June 2022',
 'date_publicly_disclosed': 'May 2025',
 'description': 'The Play ransomware gang has breached roughly 900 organizations as of May 2025, three times the number of victims reported in October 2023. The gang uses recompiled malware in every attack, making it more difficult for security solutions to detect and block it. Some victims have been contacted via phone calls and threatened to pay the ransom to prevent their stolen data from being leaked online. Initial access brokers with ties to Play ransomware operators have exploited several vulnerabilities in the remote monitoring and management tool in remote code execution attacks targeting U.S. organizations.',
 'initial_access_broker': {'backdoors_established': 'Sliver beacons',
                           'entry_point': 'Remote Monitoring and Management Tool'},
 'motivation': 'Financial Gain',
 'ransomware': {'ransomware_strain': 'Play'},
 'recommendations': ['Keep systems, software, and firmware up to date',
                     'Implement multifactor authentication (MFA) across all services',
                     'Maintain offline data backups',
                     'Develop and test a recovery routine'],
 'references': [{'source': 'FBI'},
                {'source': 'CISA'},
                {'source': 'Australian Cyber Security Centre'}],
 'threat_actor': 'Play Ransomware Gang',
 'title': 'Play Ransomware Gang Breaches 900 Organizations',
 'type': 'Ransomware',
 'vulnerability_exploited': ['CVE-2024-57726',
                             'CVE-2024-57727',
                             'CVE-2024-57728']}