Compromise · severity: High · 2022-12-02

Rackspace Hosted Exchange outage caused by Play ransomware

published by Cybersecurity Dive
Actor
Play · Unknown · Ransomware

Closed-group ransomware operation (no public affiliate program) active since mid-2022, named for the '.play' extension appended to encrypted files. Heavy exploitation of FortiOS SSL-VPN flaws and Mic…

Summary

Rackspace's Hosted Exchange service went down on 2 December 2022, knocking email offline for approximately 30,000 SMB customers. A CrowdStrike-led investigation confirmed in early January 2023 that the Play ransomware group was responsible, using a previously unknown Exchange exploit chain dubbed 'OWASSRF' (CVE-2022-41080 + CVE-2022-41082). Rackspace later wound down the Hosted Exchange product.

Tags

exchange, owassrf, msp

Primary source

cybersecuritydive.com
