
KEY TAKEAWAYS
• Ransomware was present in 44% of all confirmed breaches in 2025—up 37% year over year—and featured in 88% of SMB breaches (Verizon 2025 DBIR)
• Average ransomware recovery costs (excluding the ransom payment) reached $2.73 million in 2024, a 50% increase from the prior year (Sophos State of Ransomware 2024)
• The FBI identified 67 new ransomware variants in 2024; Akira, LockBit, RansomHub, FOG, and PLAY were the most active (FBI IC3 2024)
• Ransomware victims who involved law enforcement saved an average of nearly $1 million in breach costs and 63% avoided paying a ransom (IBM Cost of a Data Breach 2024)
• MSPs are disproportionately targeted because their privileged access to client environments allows ransomware operators to reach multiple victims from a single intrusion
• Immutable backups, a tested ransomware incident response plan, and behavioral endpoint detection are the most effective defenses MSPs can deploy for clients
Ransomware attacks continue to rise in volume and severity. According to the FBI's 2024 Internet Crime Report, ransomware complaints increased 9% year over year, with Akira, LockBit, RansomHub, FOG, and PLAY identified as the five most active variants—and 67 new variants identified during 2024 alone. For MSPs managing cybersecurity on behalf of business clients, understanding how ransomware works and how to respond when it strikes is foundational to delivering secure, resilient managed services.
What is ransomware and how does it work?
Ransomware is malicious software designed to deny access to systems or data until a monetary demand is met. Once ransomware operators penetrate a network—typically through phishing, stolen credentials, or exploited software vulnerabilities—they move laterally across connected systems, encrypt critical files, and present victims with a ransom note demanding payment in cryptocurrency.
According to the Verizon 2025 Data Breach Investigations Report (DBIR), ransomware was present in 44% of all confirmed breaches—a 37% increase from the prior year. The impact on smaller organizations is particularly severe: ransomware featured in 88% of breaches at small and medium-sized businesses (SMBs), compared to 39% at large enterprises. MSPs are high-value targets specifically because their privileged access to multiple client environments allows ransomware operators to reach many victims from a single point of entry.
The financial stakes reflect this reality. According to the Sophos State of Ransomware 2024 report, the average cost of recovering from a ransomware attack—excluding the ransom payment—reached $2.73 million, a 50% increase from 2023. Average ransom payments increased fivefold year over year to $2 million, with 63% of all ransom demands exceeding $1 million.
What are the most common types of ransomware attacks on MSPs?
MSP ransomware attacks generally fall into a few distinct categories, each with its own delivery mechanism and behavior.
Crypto-ransomware
Crypto-ransomware (also called cryptomalware) is the most prevalent form of ransomware targeting MSPs and their clients. Ransomware operators deliver crypto-ransomware through malicious email links, account hijacking, or exploited software flaws. Beyond encrypting files, many modern crypto-ransomware strains also exfiltrate sensitive data before encryption begins—enabling a secondary extortion threat even if the victim restores from backup.
Locker ransomware
Locker ransomware denies victims access to their systems entirely—locking the screen or operating environment rather than individual files. Ransomware operators use time pressure and fear in their ransom demands, threatening to permanently destroy data if payment is not made within a stated deadline. Locker ransomware commonly reaches victims through phishing emails, malicious downloads, or operating system vulnerabilities.
Ransomware-as-a-service (RaaS)
RaaS platforms allow ransomware operators to license malware to affiliates, dramatically lowering the technical barrier to launching attacks at scale. Groups such as LockBit, RansomHub, and Akira operate under this model and have actively targeted MSPs as a launchpad for multi-client attacks. CISA and the FBI recommend that MSPs monitor for indicators of compromise (IOCs) associated with active RaaS groups.
How do ransomware actors gain initial access?
Understanding the entry points ransomware actors use helps MSPs prioritize their defenses across client environments.
Phishing and social engineering
Phishing remains one of the primary initial access vectors for ransomware. According to the Verizon 2024 DBIR, phishing accounted for 15% of all data breaches, with the median time for a user to fall for a phishing email measured in under 60 seconds. Social engineering—which includes pretexting, impersonation, and business email compromise (BEC)—expands this attack surface by exploiting human behavior rather than technical flaws.
Exploited vulnerabilities
Vulnerability exploitation is a rapidly growing initial access vector. The Verizon 2024 DBIR found that exploitation of software vulnerabilities accounted for 14% of all breaches, a 180% increase from the prior year, driven primarily by ransomware actors targeting unpatched systems and zero-day vulnerabilities. Prompt patch management is one of the most effective mitigations MSPs can implement across client environments.
Cloud compromise
As MSPs migrate client workloads to cloud environments, ransomware operators follow. Cloud compromise occurs when threat actors gain unauthorized access to cloud-based storage or services—encrypting data and blocking authorized access. A single compromised MSP credential with cloud management rights can expose multiple client environments simultaneously.
How should MSPs respond to a ransomware attack?
The FBI and CISA advise against paying the ransom, and the IBM Cost of a Data Breach 2024 report quantifies the value of involving outside help: ransomware victims who engaged law enforcement saved an average of nearly $1 million in breach costs compared to those who did not, and 63% of those who worked with law enforcement avoided paying a ransom entirely. When a ransomware attack is detected, MSPs should act on the following steps immediately.
Contain and quarantine affected systems
Disconnect infected devices and systems from the network at once (pull the cable, disable the adapter, or use the EDR host-isolation function) to prevent ransomware from spreading to additional client endpoints. Do not power them off: volatile memory can hold encryption keys, process artifacts, and network state that forensic analysis depends on. At the same time, disable or reset the credentials the attacker is known or suspected to hold, starting with RMM, remote-access, and domain administrator accounts, so that isolating hosts does not leave a second path back into the environment. Ransomware is designed to propagate quickly, and speed of containment directly limits the scope of the incident.
Assess the scope of impact
Compile a list of all affected systems, accounts, and client environments. Build a timeline of events: which systems were infected first, how the infection spread, and what accounts were compromised. This information is essential for incident response coordination and for forensic analysis after the incident is contained.
Protect backup infrastructure
Ransomware operators routinely target backup systems to eliminate the victim's ability to restore without paying. MSPs should isolate backup environments from infected infrastructure immediately and verify backup integrity before attempting any restoration.
Disrupt and minimize spread
Enable real-time behavioral protection across unaffected endpoints. Apply relevant patches to close the entry point used by the attacker. Block known ransomware command-and-control communications at the firewall and DNS layer, and take non-essential systems offline until their state is known rather than leaving them reachable from compromised segments.
Engage law enforcement and trusted resources
Report the ransomware incident to the FBI via IC3.gov and consult CISA's ransomware advisories and guidance library. The MITRE ATT&CK framework provides detailed mappings of ransomware tactics, techniques, and procedures (TTPs) that can accelerate investigation and response. Law enforcement agencies have developed decryption tools that have helped victims recover without paying a ransom.
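The "Disrupt and minimize spread" step above depends on behavioral detection rather than signatures. The following is an added example, not code from this page or from Acronis, of the core logic such a detector applies: a sliding window per host and process that counts user documents renamed to extensions nobody uses and near-random (high-entropy) data written to file types that are not normally compressed, and raises an isolate-host alert once the count in the window crosses a threshold. The event format, the thresholds, the host and process names, and the telemetry itself are constructed assumptions for illustration.

```python
"""Toy behavioral ransomware detector over constructed endpoint file events.

Added example, not Acronis code. Event layout, thresholds and sample
telemetry are assumptions made for illustration.
"""
import hashlib
import math
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import List, Optional

# File types a client workstation normally writes; anything else is "unknown".
KNOWN_EXTENSIONS = {"docx", "xlsx", "pptx", "pdf", "txt", "csv", "jpg", "png", "zip", "db", "bak"}
WINDOW_SECONDS = 60        # sliding window per (host, process)
ALERT_THRESHOLD = 20       # suspicious file events inside one window
ENTROPY_THRESHOLD = 7.5    # bits per byte; ciphertext sits close to 8.0


@dataclass
class FileEvent:
    ts: float            # seconds since epoch
    host: str
    process: str
    op: str              # "write" or "rename"
    path: str
    new_path: str = ""   # destination path for renames
    data: bytes = b""    # bytes written (assumed to be sampled by the agent)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extension(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def is_suspicious(ev: FileEvent) -> Optional[str]:
    """Return a reason if the event looks like encryption activity, else None."""
    if ev.op == "rename":
        # A known document type acquiring an extension nobody uses (.locked, .akira, ...)
        if extension(ev.path) in KNOWN_EXTENSIONS and extension(ev.new_path) not in KNOWN_EXTENSIONS:
            return "rename-to-unknown-extension"
    elif ev.op == "write":
        # Near-random bytes written to a file that is not a normally compressed format.
        # Compressed formats (docx, pdf, jpg) are high-entropy too, so they are excluded.
        if extension(ev.path) not in KNOWN_EXTENSIONS and shannon_entropy(ev.data) >= ENTROPY_THRESHOLD:
            return "high-entropy-write"
    return None


def detect(events: List[FileEvent]) -> List[dict]:
    """Sliding-window count of suspicious events per (host, process); one alert per pair."""
    windows = defaultdict(deque)
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: e.ts):
        reason = is_suspicious(ev)
        if reason is None:
            continue
        key = (ev.host, ev.process)
        win = windows[key]
        win.append((ev.ts, reason))
        while win and ev.ts - win[0][0] > WINDOW_SECONDS:
            win.popleft()
        if len(win) >= ALERT_THRESHOLD and key not in alerted:
            alerted.add(key)
            breakdown = defaultdict(int)
            for _, r in win:
                breakdown[r] += 1
            alerts.append({
                "host": ev.host, "process": ev.process, "first_seen": win[0][0],
                "events": len(win), "breakdown": dict(breakdown),
                "action": "isolate host from network; keep powered on for forensics",
            })
    return alerts


def pseudo_random(seed: str, size: int = 2048) -> bytes:
    """Deterministic stand-in for ciphertext: a chain of SHA-256 digests."""
    out, block = b"", seed.encode()
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:size]


def build_sample_events() -> List[FileEvent]:
    """Constructed telemetry: one benign workstation and one being encrypted."""
    t0, events = 1_700_000_000.0, []
    # Benign: a user saving ordinary documents and renaming a draft.
    for i in range(5):
        events.append(FileEvent(t0 + i * 7, "WS-007", "WINWORD.EXE", "write",
                                f"/home/ana/Q3-notes-{i}.txt",
                                data=b"Quarterly notes: revenue up 4 percent, churn flat. " * 40))
    events.append(FileEvent(t0 + 40, "WS-007", "explorer.exe", "rename",
                            "/home/ana/draft.docx", "/home/ana/final.docx"))
    # Malicious: a dropped binary renames each PDF on the share and overwrites it with ciphertext.
    for i in range(15):
        src = f"/srv/share/clients/contract-{i}.pdf"
        events.append(FileEvent(t0 + 1.2 * i, "WS-042", "svchost_update.exe", "rename", src, src + ".locked"))
        events.append(FileEvent(t0 + 1.2 * i + 0.5, "WS-042", "svchost_update.exe", "write",
                                src + ".locked", data=pseudo_random(src)))
    return events


if __name__ == "__main__":
    for alert in detect(build_sample_events()):
        print(alert)
```

The entropy test alone is noisy, which is why the example applies it only to unexpected extensions and pairs it with rename bursts; production EDR adds canary files, process lineage, and volume-shadow-copy deletion as further signals on top of this kind of logic.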
How do MSPs recover from a ransomware attack?
Effective ransomware recovery depends on decisions made before an attack occurs, not after.
Ransomware incident response plan
A documented ransomware incident response plan assigns clear responsibilities to technicians, outlines step-by-step containment and recovery procedures, and defines escalation paths. MSPs should test this plan through regular tabletop exercises so that response is procedural, not improvised, when an actual ransomware attack occurs.
Reliable backup and disaster recovery
Immutable, air-gapped, or offsite backups are the most reliable recovery mechanism in a ransomware scenario. An offsite copy that the same domain or RMM credentials can still reach is not protection against an attacker who already holds those credentials; what stops the attacker from deleting or encrypting the backups along with production is immutability (write-once retention that even the backup administrator cannot shorten) or a true air gap. MSPs should maintain regular backup schedules for client data, test restoration procedures routinely, and establish clear recovery time objectives (RTOs) and recovery point objectives (RPOs) with each client before an incident occurs, not during one.
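The "Protect backup infrastructure" response step says to verify backup integrity before any restoration, and this section says to test restores routinely. The following added example, not code from this page or from Acronis, shows one way to do that check: at backup time every file's SHA-256 is recorded in a manifest that is HMAC-signed with a key kept off the backup host; before a restore, the manifest signature and every file hash are re-checked, so a backup that ransomware has overwritten, a dropped ransom note, and a manifest the attacker re-hashed to hide the change are all refused. The directory layout, file names, key handling, and the simulated attack are constructed assumptions.

```python
"""Verify a backup set against an HMAC-protected manifest before restoring from it.

Added example, not Acronis code. Manifest layout, file names and the
ransomware simulation are constructed; the HMAC key is assumed to live
off the backup host (for example in the MSP's secrets vault).
"""
import hashlib
import hmac
import json
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

MANIFEST = "MANIFEST.json"
SIGNATURE = "MANIFEST.sig"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _data_files(backup_dir: Path):
    return {p.relative_to(backup_dir).as_posix(): p
            for p in sorted(backup_dir.rglob("*"))
            if p.is_file() and p.name not in (MANIFEST, SIGNATURE)}


def write_manifest(backup_dir: Path, key: bytes) -> None:
    """Record every file's hash at backup time and sign the record with the offline key."""
    entries = {rel: sha256_file(p) for rel, p in _data_files(backup_dir).items()}
    body = json.dumps(entries, sort_keys=True).encode()
    (backup_dir / MANIFEST).write_bytes(body)
    (backup_dir / SIGNATURE).write_text(hmac.new(key, body, "sha256").hexdigest())


@dataclass
class VerifyResult:
    manifest_ok: bool
    modified: list = field(default_factory=list)
    missing: list = field(default_factory=list)
    unexpected: list = field(default_factory=list)

    @property
    def safe_to_restore(self) -> bool:
        return self.manifest_ok and not (self.modified or self.missing or self.unexpected)


def verify_backup(backup_dir: Path, key: bytes) -> VerifyResult:
    """Refuse to restore unless the manifest is authentic and every file matches it."""
    try:
        body = (backup_dir / MANIFEST).read_bytes()
        sig = (backup_dir / SIGNATURE).read_text().strip()
    except FileNotFoundError:
        return VerifyResult(manifest_ok=False)
    if not hmac.compare_digest(hmac.new(key, body, "sha256").hexdigest(), sig):
        return VerifyResult(manifest_ok=False)   # manifest rewritten without the key
    entries = json.loads(body)
    present = _data_files(backup_dir)
    result = VerifyResult(manifest_ok=True)
    for rel, digest in entries.items():
        if rel not in present:
            result.missing.append(rel)
        elif sha256_file(present[rel]) != digest:
            result.modified.append(rel)
    result.unexpected = sorted(present.keys() - entries.keys())
    return result


def demo():
    """Build a backup, verify it, then simulate ransomware reaching the backup share."""
    key = b"offline-key-held-in-msp-vault"   # assumption: never stored beside the backup
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "client-acme" / "2024-06-01"
        (backup / "db").mkdir(parents=True)
        (backup / "db" / "crm.sql").write_bytes(b"INSERT INTO customers VALUES (1, 'Acme');\n" * 100)
        (backup / "config.ini").write_text("[service]\nport=8443\n")
        write_manifest(backup, key)
        clean = verify_backup(backup, key)

        # Ransomware overwrites one backup file with ciphertext and drops a note.
        (backup / "db" / "crm.sql").write_bytes(hashlib.sha256(b"ciphertext").digest() * 64)
        (backup / "HOW_TO_RECOVER.txt").write_text("Your files have been encrypted.\n")
        hit = verify_backup(backup, key)

        # The attacker re-hashes the manifest to hide the change but cannot re-sign it.
        entries = json.loads((backup / MANIFEST).read_bytes())
        entries["db/crm.sql"] = sha256_file(backup / "db" / "crm.sql")
        (backup / MANIFEST).write_bytes(json.dumps(entries, sort_keys=True).encode())
        forged = verify_backup(backup, key)
        return clean, hit, forged


if __name__ == "__main__":
    for label, r in zip(("clean", "after ransomware", "forged manifest"), demo()):
        print(f"{label}: safe to restore = {r.safe_to_restore}  {r}")
```

The signature is what makes the check meaningful: a plain hash list stored next to the backup would simply be regenerated by an attacker who has write access to the share. Keeping the key (or a copy of the signed manifest) on the backup appliance's immutable tier or in the MSP's vault is the equivalent, at the file level, of the immutability this section recommends.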
Forensic analysis and post-incident review
Gather event logs, network traffic records, and endpoint artifacts to reconstruct the full attack chain. A post-incident evaluation identifies gaps in the response and informs updates to security controls, incident response procedures, and client security awareness training.
Report new ransomware threats
CISA and the FBI's IC3 accept reports on new and emerging ransomware variants. Reporting helps the broader cybersecurity community track active threats and develop countermeasures. MSPs that encounter unfamiliar ransomware behavior should document indicators of compromise (IOCs) and submit them to appropriate agencies.
How does Acronis Cyber Protect Cloud help MSPs defend against ransomware?
Preventing a ransomware attack is always preferable to remediating one—but effective prevention requires layered, integrated defenses.
Acronis Cyber Protect Cloud delivers integrated cybersecurity, backup, disaster recovery, and endpoint management in a single platform purpose-built for MSPs. The solution combines AI-based anti-malware and anti-ransomware with behavioral detection, immutable backups, and automated recovery—enabling MSPs to detect, contain, and recover from ransomware attacks without managing multiple point products or switching between consoles.
For MSPs seeking advanced threat visibility, Acronis Advanced Security + EDR provides continuous endpoint monitoring, AI-guided attack chain analysis mapped to MITRE ATT&CK, and single-click incident response that includes integrated data recovery. MSPs can investigate and remediate sophisticated ransomware attacks in minutes rather than hours, even with lean security teams.
Frequently asked questions about ransomware for MSPs
Should you pay a ransomware ransom?
The FBI, CISA, and most cybersecurity practitioners advise against paying. According to the IBM Cost of a Data Breach 2024 report, ransomware victims who worked with law enforcement saved nearly $1 million in breach costs on average, and 63% avoided paying a ransom altogether. Paying does not guarantee full data recovery and may signal to ransomware operators that the victim is willing to pay again.
How do MSPs recover from a ransomware attack?
Effective recovery requires preparation before an attack occurs: immutable or offsite backups, a documented ransomware incident response plan, and pre-agreed RTOs and RPOs with each client. During an active incident, MSPs should contain affected systems, restore from clean backups, and conduct forensic analysis to identify and close the entry point used by the attacker.
What ransomware variants are currently most active against MSPs?
According to the FBI's 2024 Internet Crime Report, the five most reported ransomware variants in 2024 were Akira, LockBit, RansomHub, FOG, and PLAY. RaaS groups operating under the LockBit and RansomHub models specifically target MSPs because their centralized access makes them an efficient launchpad for multi-client attacks.
Why do ransomware operators target MSPs?
MSPs provide centralized IT services—often with elevated privileges across client systems—to many organizations simultaneously. A single successful intrusion into an MSP can give ransomware operators access to dozens or hundreds of downstream client environments, maximizing impact from a single point of entry.
How can MSPs prevent ransomware attacks on client environments?
Key prevention measures include: prompt patching of software and operating systems; behavioral-based endpoint detection and response (EDR) across all client endpoints; multi-factor authentication (MFA) on all accounts with administrative access; regular security awareness training to reduce phishing exposure; immutable backups tested routinely for restoration; and continuous monitoring of IOCs published by CISA and the FBI.
About Acronis
A Swiss company founded in Singapore in 2003, Acronis has 15 offices worldwide and employees in 60+ countries. Acronis Cyber Platform is available in 26 languages in 150 countries and is used by over 21,000 service providers to protect over 750,000 businesses.