13 November 2023  —  Acronis

Defending clients against ransomware: Expert tips for MSPs

Acronis Cyber Protect Cloud
for Service Providers

Ransomware attacks have become incredibly sneaky and advanced, posing a threat to anyone and everyone. The fact that even large companies and government databases fall victim to ransomware attacks and ransomware infection, proves that no one is immune. Cybercriminals are very clever and tricky nowadays; they explore the vulnerabilities of their victims and strike them through their weak spots. They choose targets that are more likely to pay the ransom after being infected and after they have locked their data. Smaller organizations might not have robust IT departments like businesses do and instead rely on managed service providers (MSPs) to handle their cybersecurity needs.

If you are an MSP, it's crucial not to disappoint your clients when it comes to dealing with attacks. Being locked out of important files and systems can be a devastating experience for them, leading to downtime and other serious problems. When your clients face such such attacks, they will depend on your expertise and trust you with solving their problems.

However, MSPs can be organizations’ best allies in the battle against ransomware attacks. Let's look at the following strategies that will help you protect your clients, and not allow them to become ransomware victims.

Human error factor:

One of the main reasons businesses are hit with active ransomware infections is through human error. Sometimes we are not cautious enough about the cyberattacks that are out there, and through occasional mistakes, human error becomes a major factor in a successful ransomware attack.

According to recent research, two-thirds of the data breaches on infected devices were the result of “inadvertent insiders.” Often, these insiders don’t belong to the MSP but rather are client employees who unknowingly open malicious emails, download attachments with ransomware infections, or click on links that they shouldn't. This situation can be incredibly frustrating for MSPs because one careless user can inadvertently introduce ransomware and cause chaos for the team.

While it's impossible to eradicate these mistakes, providing training on email and web security best practices to your customers' employees is an effective strategy for mitigating such risks and blocking ransomware attempts. This type of training helps users identify malicious actors and enables them to use mobile devices and systems securely and intelligently for work purposes. Furthermore, offering training demonstrates your dedication to your customers' IT wellbeing and shows empathy for them, which is really a successful strategy to win the respect of your current clients and bring in new ones.

Utilize smart software:

Choosing the right software to safeguard clients against ransomware is crucial. It's important that the solution effectively deals with the following tasks:

1. Prevents phishing emails from reaching inboxes.

2. Filters web usage to prevent ransomware variants from self-installing.

3. Neutralizes any existing ransomware activity hidden within a client's systems.

Indeed, meeting these requirements is quite challenging. There are software options that can handle all of these tasks while also providing additional protection against viruses, phishing attacks and other threats, on both local and mobile devices. The best solutions go the extra mile by offering multiple layers of security, ensuring that your clients receive maximum protection in today's dangerous web environment.

Data backups:

When businesses fall victim to cyberattacks, they often find themselves with few options. Unfortunately, one of these options is to pay ransom demands and hope their systems are restored. However, there's no guarantee that after paying a demand in Bitcoin or any other currency requested by the cybercriminals, the files will be decrypted successfully and returned to their owners.

Furthermore, even if an "ethical" cybercriminal unlocks the victim's systems, there's a risk of data being damaged or lost — this is one of the worst scenarios a business can experience. The most effective defense against ransomware attackers is having a comprehensive backup strategy in place. This provides clients with a secure option to restore their files and applications to a healthy state from before the cyberattack occurred.

By backing up data either on-site, off-site, or in the cloud (or using a combination of these approaches), businesses can continue operating without giving in to malicious actors, ultimately saving money for their clients and, of course, saving their own reputation as a reliable service provider. Once data has been restored, security software can analyze how the ransomware infiltrated the system and take measures to neutralize any potential leftover threats.

Plan and stay one step ahead of cybercriminals.

Ransomware attacks are quite common and constantly evolving, making it possible for some instances to go undetected by diligent organizations and competent MSPs. With these threats, it is important to adhere to best practices and employ high-quality cybersecurity software to protect their clients' sensitive data.

This will enable you to effectively eliminate any ransomware that is discovered and determine how it managed to infect your clients' operating systems. It is crucial to communicate and discuss with your clients the steps you will take in the event of an attack, and prevent any possible harm to their operating systems. Establish a plan for restoring their systems, as well as neutralizing the ransomware attack and preventing data theft. By doing so, you can minimize disruptions if the worst-case scenario happens.

History of ransomware attacks

Ransomware has evolved in the past decade, from attackers demanding small ransom payments to a multibillion-dollar industry targeting well-known and rich companies where files stored on their systems are encrypted through asymmetric encryption — the main purpose of which is to extort millions of dollars in exchange for decryption keys.

Believe it or not, ransomware has been around for more than three decades. In 1989, after the AIDS conference organized by the World Health Organization, Joseph L. Popp, a biologist with a Harvard education, sent 20,000 floppy disks to the attendees. The packaging suggested that the disk contained a questionnaire aimed at determining the risk of contracting HIV.

There was no reason to suspect any nefarious intentions behind sending those floppy disks. All of them came from a trusted researcher, and the encryption of ransomware and ransomware as a service were completely unknown at the time. Once the attackers infiltrated the computers of their targets, the malicious software known as the AIDS Trojan employed a method of encrypting data and preventing users from accessing it.

After opening the information on the floppy discs, a notification appeared on the screens of affected individuals asking them to send $189 to a P.O. box located in Panama to enable them to regain access to their encrypted data. Fortunately, IT experts swiftly uncovered a decryption key for this virus, allowing victims to regain control of their files without having to pay the full ransom note. Popp likely didn't earn money from the scam considering the expenses associated with shipping 20,000 disks and the inconvenience of sending payment to Panama. However, his concept of ransomware work would eventually evolve into a thriving industry worth billions of dollars, earning him the title of "father of ransomware." This is how ransomware was born.

Ransomware took a break for 15 years following the Popp AIDS Trojan, which included a remote desktop protocol. However, its made a comeback in the 2000s, when the internet became widely used and email became a part of everyday life. During this early stage of the internet era, two ransomware variants of attacks stood out: "Archievus," which, unlike other ransomware incidents back then, focused on quantity rather than quality — targeting multiple victims and demanding low ransom payments in exchange for their encrypted data files.

In 2004, a malware-designed "GPCode" infiltrated systems through website links and phishing emails. It employed a custom encryption algorithm to lock files on Windows systems. The attackers asked for $20 to provide decryption keys for stolen data. For victims, cracking the custom encryption key was relatively straightforward.

In 2006, "Archievus" highlighted the significance of encryption techniques. It was a strain to utilize an RSA encryption code with a length of 1,024 bits. However, the ransomware authors made an oversight by using passwords to unlock systems. Victims soon discovered this mistake, leading to Archievus losing its popularity. Although GPCode and Archievus were considered groundbreaking by that time, they are now considered basic compared to modern standards.

During the 2010s, there was a rise in locker ransomware, stronger encryption algorithms, and the emergence of cryptoransomware. This period marked the evolution of ransomware, driven by versions like "WinLock," "Reveton" and "CryptoLocker."

Shortly after, in 2011, "WinLock" emerged as locker ransomware. This ransomware variant had the ability to completely lock users out of their devices. Users typically fell victim to this encrypting ransomware malware through a malicious website or malicious link.

“Reveton” ransomware, which emerged in 2012, was a type of scareware that displayed messages to its victims claiming that it was U.S. law enforcement and that the user had been detected viewing illegal pornography. In some cases, it activated the user’s camera to imply that the user had been recorded. It also demanded that the victim pay in order to avoid prosecution.

A variant of this ransomware also emerged for Macs, although it was not cryptographic. It was made up of 150 identical frames that each had to be closed, so the browser appeared to be locked.

In the second half of 2013, “CryptoLocker” emerged. "CryptoLocker" was a pioneer in several ways: it was the first ransomware to be spread by botnet — in this case, the “Gameover Zeus” botnet — though it also used more traditional tactics, such as phishing. It utilized advanced 2,048-bit RSA encryption technology and functioned both as mobile ransomware and as a locker. This malware was spread through email attachments.

Moreover, "CryptoLocker," managed to accumulate a staggering $27 million in ransom payments within just two months.

A few years later, in 2016, the world saw the emergence of the well-known “Petya” ransomware. Initially, this ransomware was less successful than "CryptoWall," but on June 17, 2017, a new variant emerged, dubbed “notPetya” by Kaspersky to differentiate it from the original version. It began in Ukraine and quickly spread worldwide via the “EternalBlue” Windows vulnerability discovered by the NSA. According to the White House, NotPetya was responsible for $10 billion in damages. The governments of the United States, the United Kingdom and Australia blamed Russia for the malware.

A month later, "Zcryptor" emerged as a combination of ransomware and worms, giving rise to a threat known as a cryptoworm or ransomworm. The unique danger it posed stemmed from its ability to discreetly replicate itself across a system and any connected devices.

The infamous WannaCry ransomware attack took place in 2017. It affected hundreds of thousands of machines across 150 countries. Its targets included organizations such as banks, healthcare institutions and law enforcement agencies. Often regarded as the worst attack in history, WannaCry, which is also categorized as a strain of ransomworm, spread through the use of the EternalBlue vulnerability.

This operating system vulnerability had been leaked from the National Security Agency. It continues to target computers that utilize versions of the Server Message Block protocol. However, Microsoft released a patch for this vulnerability in March 2017, two months prior to the WannaCry attack.

The rise in ransomware attacks on corporations, known as big game hunting, has gained huge popularity. While smaller attacks on victims still occur, attackers are now spending time researching and targeting larger, specific or well-known organizations to maximize their profits. Some recent notable victims of attacks include the cities of Atlanta and Baltimore, Colonial Pipeline and JBS USA.

Later, in 2020, a new trend called extortion ransomware emerged. In addition to encrypting files and stealing data to extort a ransom payment from a victim organization, attackers added other tactics. These could involve launching DDoS attacks against the victim organization or resorting to tactics like media shaming or intimidating their clients, employees, customers and suppliers. An example of triple extortion ransomware occurred in October 2020 when attackers behind a data breach at Finnish psychotherapy provider Vastaamo sent blackmail requests to the affected individuals.

The global COVID-19 pandemic has also accelerated the spread of double and triple extortion variants of ransomware as ransomware as a service (RaaS). As organizations rapidly pivoted to remote work, gaps were created in their cyberdefenses. Cybercriminals have exploited these vulnerabilities to deliver ransomware, resulting in a surge of ransomware attacks. In May 2021, one of the largest attacks in history was carried out using the "REvil" RaaS ransomware variant. The "REvil" gang demanded $70 million in ransom to unlock over one million affected devices in an attack targeting managed service provider Kaseya.

During the period spanning from 2021 to 2023, there has been a rise in the involvement of access brokers (IABs) in ransomware attacks. These IABs are individuals who engage in activities by offering access to networks. Ransomware attackers leverage the services of IABs and RaaS groups to enhance the swiftness, efficiency and impact of their operations.

The landscape of ransomware attacks

Why Is ransomware spreading?

Ransomware attacks and their variants are rapidly evolving and spreading more aggressively and successfully, penetrating through security software for several reasons:

  • Easy availability of malware kits that can be used to create new malware samples on demand.
  • Use of known good generic interpreters to create cross-platform ransomware (for example, Ransom32 uses Node.js with a JavaScript payload).
  • Use of new techniques, such as encrypting a complete disk instead of selected files.

Today’s thieves don’t even have to be tech savvy. Ransomware marketplaces have sprouted up online, offering malware strains for any would-be cybercrook and generating extra profit for the malware authors, who often ask for a cut in the ransom proceeds.

Why MSPs and their clients are high-value targets:

MSPs offer a range of services to help organizations with their information technology needs. However, it's important to be aware that cybercriminals might exploit vulnerabilities in the monitoring and management (RMM) software used by MSPs, potentially leading to their accessing sensitive data. This is of great concern, as it puts not only the organization's own private data at risk, but also jeopardizes the security of their customers' information. This makes them high-volume targets.

Understanding ransomware

A brief explanation of what ransomware is: ransomware refers to a type of software that uses encryption to lock a victim's information, holding it hostage. When this happens, users or organizations are unable to access their critical files, databases or applications. The attackers then demand a ransom payment in exchange for restoring access. Ransomware is particularly concerning because it can spread throughout a network and specifically target databases and file servers, causing disruptions for an entire organization. This threat is continuous and has resulted in financial losses and damages for businesses and government entities, with cybercriminals pocketing billions of dollars in ransom payments.

How it infiltrates systems and encrypts data: this malware can infiltrate a system through various channels, including email attachments, social engineering attacks and compromised software, which, of course, is very bad news for all of their users. Once installed, spyware can operate undetected, monitoring a user's activity and sending that data back to the attackers. In this scheme, the server generates a pair of keys; the public key is hardcoded on the ransomware, and for each file, it'll encrypt the file with the server's public key. Only then, with the server's private key, will the victim be able to recover the files.

Expert tips: Pre-attack preparations

Ransomware and other malware attacks have evolved through the years, and have become very hard to prevent and defeat. However, MSPs are well prepared for the dangers posed by ransomware and understand the criticality of having a plan in place to effectively handle attacks when they occur within their client base — before and at the time of the cyberattack.

While there are other aspects to take into account, it is considered standard practice for MSPs to develop a strategy encompassing detection, prevention and response, which is crucial for cutting off the potential damage that this ransomware can cause on your clients' operational systems. To assist MSPs in preparing their clients against threats, we have created an infographic that outlines the journey of ransomware and offers guidance on readiness.

Preventing an attack is not an easy task, as even the most well-prepared businesses can become victims. However, MSPs can take measures to reduce the likelihood of their SMB clients falling victim to the aggressive cyberattacks that are constantly stalking.

Equipping clients with antivirus software remains a component of any effective ransomware prevention strategy. Also explaining to them the importance of using secure web gateways is crucial. While these tools have been around for quite some time, they still play an important role in safeguarding against the majority of potential threats.

Another important step is automating patch management. When software providers identify vulnerabilities or bugs, they release patches to address and fix them as soon as possible. By automating the patching process, businesses become less susceptible to exploitation by actors seeking to take advantage of these vulnerabilities.

Incorporating tools with detection capabilities can also significantly enhance prevention efforts. Often, ransomware attacks manage to infiltrate business systems without detection, but by implementing security tools that can identify and thwart attacks before they spread across networks, overall resilience increases considerably and minimizes the chance of greater damage.

Endpoint security

  • Managing the endpoints of all your clients and ensuring visibility can be quite a challenging task. This is where endpoint security and management solutions truly shine in protecting MSPs against ransomware, zero-day exploits and other types of cyberthreats. Endpoint protection solutions such as endpoint detection and response (EDR) enhance the ability to monitor customer endpoints, effectively reducing the risk of attacks across attack surfaces. They offer both malware and anti-ransomware protection.
  • Having great visibility into endpoints means consolidating data from different tools into a single platform, which enables administrators to promptly respond when clients are targeted by distributed attacks. Strengthening these endpoints with threat detection and response tools not only enhances security but also allows for the early detection of suspicious activities. Moreover, these EDR-generated alerts provide information that helps security experts initiate incident response activities, ultimately saving businesses valuable time and resources.

Backup systems

  • Data backup solutions are essential for protecting the data of MSP customers, because all adversaries have the same goal: to steal, destroy or extract their information. If a breach occurs, losing data can be incredibly frustrating. But by having a reliable solution in place, you can quickly restore your clients' operations.
  • Have peace of mind knowing that important data is accessible to authorized individuals after a security incident. Data protection, backup and recovery measures also improve visibility into all data on customer workloads.

Employee training programs

  • It's important to share tips and advice with users on how they can recognize, identify and avoid potential ransomware attacks. Simply telling your clients and employees to avoid clicking on links isn't enough to protect them from cyberschemes that could jeopardize both end users and business networks.
  • To stay ahead of threats, MSPs and their clients should continuously work on security awareness training. This includes training sessions focused on email security, practicing phishing measures, conducting email tests and raising awareness about common social engineering scams. Following a framework like the one provided by CISA.gov helps organizations ensure they cover all aspects when designing and implementing cybersecurity awareness training programs.

Expert advice on ransomware variants detection

These are the signs every trustworthy MSP should educate its customers to be aware of, and how to recognize early signs of upcoming ransomware attacks. If you notice some of the following, then you will already be one step ahead of dealing successfully with the potential oncoming threat.

  1. Increased phishing attempts: If employees notice a sudden surge in spam emails, it could indicate malicious actors trying to implant malware. Since one person clicking on a link or unknowingly downloading a virus-infected file can potentially infect the entire network, any rise in phishing attempts should raise immediate concerns.
  2. Access alerts: Network administrators may observe an increase in notifications regarding access attempts. Individuals may also receive emails notifying them about someone attempting to reset their passwords. Such access incidents could signal an oncoming ransomware attack.
  3. Virus protection alerts: When a malicious actor tries to place malware on someone's computer, any installed antivirus software may generate alerts and prevent the program from running. Keeping antivirus software up to date is highly recommended, as it serves as a critical line of defense.
  4. Computer slowdowns: Malicious software can disrupt a computer's operating system, resulting in performance problems such as system freezes. If these issues suddenly arise without any reason, it is possible that ransomware is to blame.

Steps for responding to a ransomware attack: Expert guidance

If you suspect a potential, imminent attack, it is crucial to act immediately. Start by scanning your networks to confirm the presence of an attack. Once identified, promptly isolate the infected computer system(s). Take measures to secure data or systems by disconnecting them from the network and ensuring they are free from any malware. These initial steps should be taken when alerted about an attack. Looking ahead, MSPs should prioritize preventing hackers from re-entering your systems.

Removing ransomware and ensuring the security of client data during a cyber incident is made possible through the use of removal and disaster recovery (DR) security tools. These tools allow for the eradication of artifacts and the restoration of client data to a production-ready state. To effectively respond to incidents, it's important to have an incident response plan in place. This plan outlines step-by-step actions for identifying, quarantining and minimizing the impact of an infection. By delegating responsibilities to team members, the efficiency of incident response efforts can be improved.

To protect client data, it is crucial to implement backup and recovery solutions. Regularly backing up data to secure cloud storage or offline environments ensures that valuable assets are kept away from the network in case of an infection. Collaborating with clients and establishing expectations for recovery timeframes, as well as defining recovery time objectives (RTOs) and recovery point objectives (RPOs), is essential.

A thorough investigation into an attack involves analyzing event logs, network traffic and system artifacts. By combining these findings with analysis and threat intelligence, security controls can be enhanced to prevent attacks. Event logs play a role in incident investigations as they provide insights into patterns, trends and anomalies within a system.

Reducing the risk of becoming infected

After recovering from an incident, it is beneficial for service provider technicians and IT security teams to conduct a thorough evaluation. This evaluation helps identify areas that need improvement in the incident response process and highlights any inefficiencies.

It is important to review and update security policies and practices and provide security awareness training to enhance cyber resilience. Additionally, staying informed about emerging trends in ransomware and consistently educating clients on cybersecurity efforts is crucial.

Reporting new threats

Government entities such as CISA.gov offer incident report forms to report undiscovered cyberthreats. Gathering information, as possible about a threat including event logs, indicators of compromise (IOCs) and other insights can be helpful. Collaborating with government entities regarding emerging threats allows the cybersecurity community, service providers and businesses to join forces against cybercrime.

Active Ransomware Infection Removal Techniques: Expert Insights

Here's a guide on how to deal with file encryption ransomware if you ever become a victim of an attack:

Step 1. Disconnect from the internet

To start, make sure you disconnect the infected system from all forms of connectivity, including wired devices. This includes disconnecting drives, any storage media and even cloud accounts. This step is crucial in preventing the ransomware from spreading within your network. If you suspect other areas have been affected, it's important to follow the backup steps for those areas too.

Step 2. Run a scan with your internet security software

Use your installed internet security software to perform a virus scan for ransomware detection. This will help identify any threats that may be present in your system. If any harmful files are detected, you can choose to either remove ransomware files or quarantine them. Antivirus software can assist in removing files, but manual removal should only be attempted by experienced users.

Step 3. Utilize a decryption tool designed for ransomware

If your computer has been infected with ransomware that encrypts your data, you'll need to utilize a decryption tool to regain access to your files. Different professional MSPs develop decryption tools specifically designed to combat these types of attacks.

Step 4. Retrieve your files

If you have made copies of your data on devices or cloud storage, make sure to restore a version of your data that has not been affected by ransomware encryption. If you haven't created any data backups, the process of cleaning and restoring your computer becomes more challenging. To prevent situations like this, it is advisable to create backups. In case you tend to forget these tasks, consider using backup services or setting reminders in your calendar.

Recovery and data restoration after ransomware infection: Expert strategies

The way an organization bounces back after an attack can have an impact on its long-term viability. By having a prepared recovery plan in place, an organization can swiftly return to normal operations.

Reducing the risk of infiltration involves implementing cybersecurity tools and platforms like endpoint security, email security, next-generation firewalls and security awareness training. However, if an organization's system does get infected with ransomware or malicious code, it is crucial for the security teams to detect the infection and promptly execute the recovery plan.

The ransomware recovery plan should cover how the organization prepares for attacks, how to handle an attack and what steps to take afterwards. It should include the following actions:

  1. Backup data continuously.
  2. Implementing an incident response plan specifically tailored for dealing with ransomware.
  3. Utilizing cybersecurity systems to disrupt and thwart the attack.
  4. Restoring systems back to their functioning state.
  5. Maintaining communication with stakeholders throughout the process.
  6. Refining the effectiveness of the recovery plan.

Patch management: Expert recommendations

Here are some important factors to consider when implementing patch management:

1. Clearly define expectations and hold teams accountable and informed. It's crucial to establish service level agreements that help keep teams on track and ensure that the necessary risk reduction work is being carried out.

2. Foster collaboration with teams to establish a clear understanding about the things happening every second. Security teams may refer to software errors as "risks, " while IT / DevOps teams might use the term "patch." It's essential to ensure that everyone is aligned and recognizes the significance of patching in order for the patch management process to be successful.

3. Develop a disaster recovery plan; In case the patch management process encounters failures or issues it's always wise to have a plan in place.


Ransomware attacks are surging and affecting far too many sectors, including government, manufacturing, healthcare, finance and education. After COVID-19 lockdowns, the explosive rise in ransomware attacks has become a pandemic of its own. As these kinds of threats are expected to remain high priorities for all businesses, investing in a pragmatic cybersecurity ecosystem ensures that your overall strategy is robust yet streamlined.

Preventing ransomware is always preferred rather than remediating it, but that’s easier said than done. Investing in a reliable, industry-leading cybersecurity and backup solution can identify, detect and respond faster to suspicious activity and is well worth the investment.

You have to find the best MSP to deliver integrated security, backup, disaster recovery and management in a single solution. The solutions leverage AI-based anti-malware and anti-ransomware to provide unmatched cyber protection, reducing operating costs and increasing profitability.

About Acronis

A Swiss company founded in Singapore in 2003, Acronis has 15 offices worldwide and employees in 50+ countries. Acronis Cyber Protect Cloud is available in 26 languages in 150 countries and is used by over 20,000 service providers to protect over 750,000 businesses.