Rackspace Targeted in Latest CL0P Ransomware Attack

The CL0P ransomware gang has claimed responsibility for a cyberattack against Rackspace Technology, a U.S.-based cloud storage provider, and began leaking stolen files on its dark web site on March 11, 2025.

The group accused Rackspace of ignoring ransom negotiations, prompting the release of six data batches labeled “RACKSPACE.COM FULL FILES PUBLISHED VIA TOR”.

The breach follows CL0P’s exploitation of zero-day vulnerabilities in Cleo file transfer software, part of a broader campaign impacting over 170 organizations globally.

Technical Details of the Attack

CL0P, a Russian-linked ransomware group, reportedly exploited vulnerabilities in Cleo’s Harmony, VLTrader, and LexiCom platforms—software widely used for enterprise data integration.

While the exact attack vector remains unconfirmed, threat researchers at Google’s Mandiant traced initial compromises to October 2024, noting backdoors deployed on victim systems.

This aligns with CL0P’s history of targeting file management tools, including the 2023 MOVEit and Fortra GoAnywhere breaches, which affected 90 million individuals and netted the group up to $100 million.

Rackspace, which reported $2.8 billion in annual revenue and serves 600,000 clients, has not yet verified the leaked data’s authenticity.

Cybernews confirmed the files’ presence on CL0P’s .onion site but could not assess their scope or sensitivity.

The company’s global infrastructure—spanning data centers in the U.S., Europe, Asia, and Australia—heightens concerns about potential cross-border data exposure.

Context: Rackspace’s History of Cyberattacks

This incident follows a December 2022 ransomware attack by the Play group, which exploited CVE-2022-41080, a privilege escalation flaw in Microsoft Exchange.

Play bypassed ProxyNotShell mitigations using a novel exploit chain (dubbed OWASSRF) to deploy ransomware and exfiltrate PST files from 27 customers.

At the time, Rackspace delayed patching due to fears of operational disruptions, a decision criticized by cybersecurity experts.

The company later migrated its Hosted Exchange clients to Microsoft 365, citing enhanced.

CL0P’s Broader Campaign and Implications

CL0P’s latest campaign mirrors its Cleo-focused spree in late 2024, which impacted major entities like Western Alliance Bank, Hertz, and Chicago Public.

The group’s leak site now lists Rackspace alongside other high-profile victims, including Home Depot Mexico and SDI Technologies (parent company of Timex).

While CL0P has not disclosed the ransom amount or data types, its history suggests the exfiltration of sensitive financial, customer, or operational records.

Security analysts emphasize the urgency of patching third-party software vulnerabilities. The Cleo exploits leveraged CVE-2023-34362 and CVE-2023-35708, SQL injection and remote code execution flaws in Progress Software’s MFT solutions.

Rackspace’s delayed response to the 2022 Play attack underscores the risks of deferred updates, particularly for shared cloud environments.

Ongoing Risks and Mitigation Strategies

  • Third-Party Vulnerabilities: The attack highlights risks in supply chain ecosystems, where a single vendor’s flaw (e.g., Cleo) can cascade across clients.
  • Ransomware Tactics: CL0P continues to refine double-extortion tactics, encrypting data while threatening leaks to pressure payments.
  • Phishing Risks: Rackspace warned customers to monitor for follow-up scams impersonating support teams, a common post-breach tactic.

As of March 11, Rackspace has not disclosed whether it engaged with CL0P or plans to pay a ransom.

The company faces renewed scrutiny over its cybersecurity practices, compounded by pending class-action lawsuits from the 2022 breach.

Cybersecurity firms urge enterprises using Cleo or MOVEit platforms to audit configurations, isolate critical systems, and enforce zero-trust access controls.

The CL0P ransomware group’s latest strike against Rackspace underscores the persistent threat of supply chain attacks and the catastrophic consequences of delayed vulnerability management.

With Rackspace’s data now exposed on the dark web, affected organizations must prioritize credential monitoring, data integrity checks, and incident response rehearsals.

AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
