August 29, 2023  —  Acronis

How to protect against cloud-based ransomware attacks as cloud-first MSPs

Acronis Cyber Protect Cloud
for Service Providers

Staying ahead of modern ransomware has remained a constant for managed service providers (MSPs) and the businesses they protect. The challenge to maintain network visibility is mounting, especially in the cloud. MSPs must adopt cloud computing technology at the same rate as their clients.

A growing number of IT professionals are shifting to a cloud-first approach. Cloud solutions offer several benefits for MSPs, and switching to a cloud-first model can deliver a better client experience. From improving flexibility to lowering costs, the cloud can be a valuable tool to streamline your MSP business and work with existing on-premises processes.

But there are a few caveats. Cloud environments are data-rich epicenters that are an increasingly attractive target for cybercriminals behind cloud ransomware attacks.

In this article, you’ll learn how to prevent cloud-based malware like RansomCloud, what to consider before becoming a cloud-first MSP, and how to equip yourself against cloud ransomware threats.

What are cloud-first managed service providers?

Simply put, MSPs that take a cloud-first approach move services to the cloud wherever possible. A common misconception is that the cloud-first strategy does not mean “cloud only.” Many MSPs choose a cloud-first strategy for operational and functional benefits, including better flexibility, cost efficiency, faster setup, automated capabilities and improved accessibility ― allowing their business to scale.

Though there are many advantages to a cloud-first MSP approach, cloud adoption comes with several disadvantages. Shifting services to cloud environments impedes an IT technician’s visibility over attack surfaces, and your cyber risk increases with mounting challenges related to monitoring and protecting infrastructures ― both on-premises and in the cloud.

Why is cloud ransomware protection important for MSPs?

According to statistics, three out of five MSPs have had to deal with a ransomware attack on their SMB clients in the last year. Adversaries understand MSPs are moving services to the cloud and progressively target service providers who are still implementing solutions to gain visibility and protect their cloud environments.

Also, according to a recent study, 89% of small businesses would consider hiring a new MSP if they offered the right security solution. Any ransomware intrusion on your watch could harm client retention and your reputation, but ensuring that necessary cloud ransomware protection practices are in place reduces the risk of a breach.

A few easy best practices your MSP should implement include:

  • Enabling multifactor authentication
  • Setting strong passwords
  • Deploying firewalls
  • Encrypting data
  • Scheduling regular patching

Why do cybercriminals target cloud-first MSPs?

Transitioning to the cloud can create security gaps cybercriminals use to thwart security infrastructures. Here are a few reasons cloud-based ransomware criminals target service providers:

Lack of, or loss of visibility

Legacy security solutions traditionally don’t support the protection of cloud workloads. In some cases, separate tools are employed to gain critical visibility into cloud environments. But with so many products in play, IT security technicians struggle to keep up with high alert volumes and must juggle between siloed tools to assess cyber events. Valuable threat intel and key findings end up getting lost in the shuffle. Knowing most security infrastructures face challenges monitoring the cloud, adversaries take advantage of blind spots which limit a service provider technician’s ability to control security and result in failure to alert security teams when an incident occurs.

This is where tools like extended detection and response (XDR) help security technicians bolster visibility in the cloud and monitor suspicious activity beyond endpoint attack surfaces ― providing contextual alerts on all cyber events in one place.

Ransomware introduction by the end user

Intrusions introduced at the end-user level, misconfigured vulnerability policies or missteps in taking security measures, are all common ongoing challenges many small businesses face in today’s threat landscape. Cloud ransomware groups see end users as the weakest link in a company’s security posture, making them appealing targets for an intrusion. Threat actors are willing to bet on human slipups to gain initial access and steal account credentials.

Security gaps and unpatched vulnerabilities

Simple measures are sometimes overlooked, which creates hidden security gaps in networks that threat actors seek to exploit. Unsophisticated cloud ransomware attacks exploit publicly known common vulnerabilities and exposures (CVEs) that require few resources and effort to carry out. Any unpatched software vulnerabilities become an easy and desirable target for cybercriminals. Not only will they capitalize on open, known vulnerabilities, but they will likely attack again in the future if they anticipate your client conducts vulnerability and patch scanning irregularly.

Factors contributing to the increase in cloud ransomware attacks

March of 2023 broke ransomware records as one of the most prolific months recorded by cyber protection analysts in the last few years ― a shocking increase of 91% compared to the previous month (February 2023), and a 62% increase month over month (March 2023 versus March 2022).

Several aspects are fueling the rise of ransomware. Let’s dive into the factors behind cloud ransomware threats.

The shift to remote work

In the McKinsey American Opportunity Survey, 58% of Americans reported having the option of working from home at least one day per week. Remote work models are a nationwide adoption and a worldwide change. Adversaries understand it’s more challenging to protect remote machines than on-premises ones, and pursue ways to deceive unassuming users primarily focused on completing their day-to-day operations.

The rise in cloud adoption

Service providers continue to adopt the cloud to improve IT infrastructure and operations. However, most small businesses lack the expertise to manage cloud environments, coupled with time and resource constraints. Unequipped to handle cloud infrastructure, small businesses face inefficient protection, greater security vulnerabilities and additional downtime issues. MSPs play a vital role in helping SMBs overcome these challenges to maximize the value of the cloud, and have the expertise to guard cloud landscapes.

The upsurge of ransomware as a service (RaaS)

RaaS attackers use few resources and don't need sophisticated coding or programming skills to launch cyberattack campaigns. RaaS hackers may carry out breaches fast and on a low budget since they don't need to construct malware from the start.

With RaaS threats rising, service providers face a growing concern about protecting client data in the cloud. The ease of RaaS attacks threatens cloud environments by letting anyone with varying skills, expertise and experience, create and execute ransomware.

Understanding cloud ransomware attacks and how ransomware infects cloud storage

Ransomware groups target the cloud seeking out vulnerabilities within storage repositories to gain unauthorized access to critical data. Ransomware attacks, like the one on a popular cloud computing provider in 2022, impacted twenty-seven clients whose personal accounts were compromised. The hackers exploited the company’s Hosted Exchange email environment, accessing PST files used to store backup and archived copies of emails, calendar events and email contacts. As demonstrated, threat actors are willing to invent creative, daring and unconventional ways to breach organizations.

As businesses store more assets in the cloud, attackers are increasingly attracted to a wealth of cloud data, likely resulting in a larger prize if successfully breached than an on-premises attack. Drawing the attention of attackers, the cloud offers multipurpose capabilities, including the use, storage and transmission of data. These transactions among in-house and external parties make it harder for security IT teams to stay aware of and monitor data shifting between these states.

In order to prevent, protect and mitigate against cloud ransomware attacks, we must understand how cloud intrusions divulge. Let’s break down how cloud ransomware works, types of ransomware attacks and their common targets.

How cloud ransomware works

Cloud ransomware is a malware attack involving cloud services, applications and environments. In a cloud ransomware intrusion, the attacker corners the intended victim by gaining unauthorized access to sensitive data, encrypting files and asking for a ransom. The attacker threatens to expose or sell the valuable assets if the victim refuses to pay.

Types of cloud ransomware attacks

Ransomware in the cloud can be categorized into two types: ransomware infection by file sharing and ransomware targeted at cloud vendors. Let’s dive into each:

Infection by file sharing

In this type of attack, ransomware infects a business or entity using a file-sharing service synced to a cloud platform. The intrusion first encrypts files stored on the victim’s local machine and then spreads to their cloud repository, continuing to encrypt valuable data. The data is scrambled and a ransom is instated in exchange for its decryption.

Intrusion through targeting cloud vendors

Unlike file-sharing cloud ransomware, targeted cloud vendor attacks directly impact the service provider. A successful breach allows hackers to encrypt data in the cloud at scale, extending a larger radius of widespread disruption. Targeting the cloud service providers themselves is an appealing strategy for threat actors, who can assume that at least one of the affected organizations using the cloud service will likely pay the ransom.

Common targets of cloud ransomware infection

Ransomware groups like to target MSPs and businesses alike, based on the following criteria:

Service providers and companies that are:

  • Rich with personal information, intellectual property or valuable data
  • Perceived to have low security maturity
  • Security teams that are resource and time constrained

The consequences of a cloud ransomware breach

Recovering from ransomware attacks can cost millions. According to IBM, a data breach in the U.S. costs on average $9.44 million. Not only does ransomware inflict financial harm on MSPs, but reputational damage as well ― destroying client relationships and retention.

Any disruption in business continuity from a ransomware attack slows down your team’s performance and productivity. Ensuring your current cyber protection solution is equipped to not only catch cloud ransomware, but fully recover your client, is the key to staying ahead of such threats.

Check out Acronis Advanced Security + EDR to learn more about integrated cybersecurity with single-click recovery.


What is RansomCloud?

In this World Economic Forum report, widespread cybercrime and cyber insecurity are among the top ten global risks in 2023. Staying ahead of the latest cloud ransomware attacks, like RansomCloud has become increasingly important.

RansomCloud is a new kind of cloud ransomware intrusion that uses phishing techniques to compromise email accounts, targeting cloud-based email services, like Microsoft 365.

How is RansomCloud deployed?

Like traditional business email compromise (BEC) attacks, RansomCloud actors attempt to gain access to email accounts, encrypt emails and demand ransom. But what sets RansomCloud apart is its expanded area of attack due to the influx of remote work and organizational dependence on email workflows.

Main RansomCloud attack vectors

Due to the ease of connection to cloud environments, bring you own device (BYOD) and remote machines are more susceptible vectors of cloud ransomware incidents.

How can MSPs protect clients from RansomCloud and prevent other cloud-based ransomware attacks

By the time security teams recognize the indicators of compromise (IOCs) of RansomCloud and other cloud ransomware attacks, the damage has been done. Following an industry-leading framework like the one provided by NIST is fundamental to ensuring all your cyber protection bases are covered. The NIST Cybersecurity Framework helps organizations start or improve their security posture through organizing cyber protection into five functions: Identify, Protect, Detect, Respond and Recover.

The following security measures support the framework and reduce your risk of RansomCloud and cloud-based ransomware attacks:

Email security: Malware, phishing and social engineering awareness training

Email security solutions block threats, including phishing, BEC, advanced persistent threats (APTs) and malware, eradicating harmful emails before they reach the end user. Proactively blocking threats before they reach the user is your client’s best shot at mitigating cloud ransomware.

Educating end users and keeping security awareness fundamentals top of mind is one of the most effective ways to prevent cloud ransomware on small businesses. Phishing awareness training informs your clients and their staff of the dangers of phishing and provides them with the tools they need to recognize and report phishing attempts. Initial training can be in the form of a video, written document, company-wide meetings or a combination of this list.

Schedule regular vulnerability assessments and patching

To reduce open vulnerabilities that ransomware might exploit, keep cloud apps, services and infrastructure updated with the most recent security patches. Staying ahead of patch management assures operations remain uninterrupted, and keeps software and applications up to date, and supports system uptime and adherence to regulatory compliance.

Endpoint Protection (EPP)

Next-gen endpoint protection products, like Acronis Endpoint Security, often include anti-ransomware capabilities. Ensuring your client has the highest level of visibility over all their endpoints helps mitigate the risk of ransomware incidents. Should RansomCloud or cloud ransomware spread at the endpoint level, security teams should have the integrated cybersecurity tools to identify, protect, detect, respond and recover from any ransomware intrusion.


Data Loss Prevention is a valuable tool to protect personally identifiable information (PII), confidential information and other high value data assets. In the event of a cloud ransomware attack, DLP expands your service technology stack and reduces the risk of critical data loss, helping your clients regain control and protection of company crown jewels.

Secure backup and expedited recovery

Regular and frequent backups safeguard assets from total wipeouts caused by a ransomware attack. Backup protection helps clients protect their data proactively and prevent data loss. In addition to recovery efforts, leveraging tools such as ransomware rollback, enables MSPs to quickly restore client files to a pre-ransomware state, allowing businesses to continue normal operations, reduce downtime and mitigate financial losses.

Disaster recovery (DR) solutions rapidly recover client workloads or services in the event of a ransomware incident. DR products allow businesses to secure their data, swiftly return to a production-ready state and save valuable organizational time.


A cloud-first approach could take your MSP business to the next level, delivering fast services and improved client operational performance. The key takeaway is setting up safeguards and security measures to proactively protect cloud services and prevent ransomware events in the cloud ― both on the MSP front and in your clients’ cloud infrastructure, is essential to reach the cloud’s full value for your MSP’s productivity, growth and business continuity. Implementing best practices and utilizing cutting-edge cybersecurity solutions, like those provided by Acronis, keeps you up to date on the most recent threats and developing ransomware trends.

About Acronis

A Swiss company founded in Singapore in 2003, Acronis has 15 offices worldwide and employees in 50+ countries. Acronis Cyber Protect Cloud is available in 26 languages in 150 countries and is used by over 20,000 service providers to protect over 750,000 businesses.