August 29, 2023  —  Acronis

Understanding the most dangerous types of ransomware for MSPs


For businesses of all sizes, the managed service provider (MSP) plays a critical role in carrying out all IT security responsibilities. For years, the proliferation of ransomware attacks has posed a global threat to organizations, and these perpetual threats have made it imperative that MSPs pay closer attention to increasingly sophisticated and targeted ransomware infections aimed at their clients’ data. This article seeks to bring awareness to today’s most prolific ransomware targeting MSPs, to highlight the risks related to ransomware, and to share steps toward effective mitigation strategies against such breaches.

What are the top types of dangerous ransomware?

As a partner and an extension of their clients’ teams, MSPs are obligated to manage and secure their clients’ security infrastructure holistically. Gaining insight into and staying ahead of the latest ransomware trends, best practices and mitigation strategies helps strengthen an MSP’s services and adds an extra layer of value to the services they bring to their clients.

Here are a few top ransomware types afflicting service providers and businesses:


Crypto-ransomware

Crypto-ransomware, often known as cryptomalware, is a prevalent type of malware that encrypts data on the victim's device and then demands money in exchange for its decryption. Cryptomalware discreetly searches for cryptocurrencies on the user's device in addition to stealing data. Cryptomalware may be camouflaged as trustworthy software to operate covertly.

Cybercriminals use creative methods to introduce ransomware infections into client and service provider networks, such as distributing crypto-ransomware through an email infected with a malicious link, stealing accounts and exploiting software vulnerabilities.


Scareware

In a scareware attack, the infection masquerades as a legitimate security antivirus prompt or pop-up notification. Once it has infiltrated a victim’s system, it displays fake scan results and alarming messages. Users are tricked into believing their machine is under attack and intimidated into believing they should purchase the pop-up’s illegitimate security product.

Scareware operates via social engineering techniques, creating a sense of urgency and desperation in the end user. These attacks target employees within organizations, leading to financial losses and operational disruption if the infection is successful.

Locker malware

A kind of malware known as "locker ransomware" encrypts the victim's data and locks them out of their own computers before demanding a ransom to unlock them. This type of ransomware encrypts user data, systems or devices and prevents the user from accessing them. After encryption, a ransom notice appears on the victim's screen with details on how to pay the ransom.

RaaS (ransomware as a service)

RaaS, also known as ransomware as a service, involves malware criminals who sell tools or software to potential or real attackers who wish to use their capabilities to target MSPs. RaaS attackers don't need extensive coding or programming skills, and it costs less money to launch attacks. Because these cybercriminals don't create ransomware from scratch, RaaS hackers may carry out more breaches faster and with fewer resources than with traditional malware. RaaS enables even those without a technology background to become hackers.


The most prolific ransomware groups in 2023

The rise of prolific ransomware has posed risks not only to businesses, but to service providers themselves. An intrusion can result in severe consequences, such as service disruptions and lost revenue. Every MSP recognizes the gravity of this threat and the critical importance of proactive ransomware risk mitigation. The following sections dive into the ransomware strains most prevalent among modern MSPs.


REvil

In 2021, REvil ransomware affected a well-known IT management solution, impacting the networks of dozens of MSPs and their customers all around the world. To spread ransomware downstream to thousands of MSP clients, the REvil attackers exploited a vulnerability in servers. By gaining access to the solution’s program, the attackers were able to disable administrator access and release a malicious update which infected users with ransomware.

Since the REvil ransomware attack, MSPs and companies have improved their cybersecurity infrastructure, including reevaluating their detection tools and switching to sophisticated behavior-based detection programs like Acronis Cyber Protect, which detects "living off the land" adversarial techniques such as those used in the REvil attack.

To learn more about REvil, continue reading the press release from the U.S. Department of Justice or watch our video from Acronis Cyber Protection Operations Center News.


BlackCat (ALPHV)

ALPHV, or BlackCat, is a strain of ransomware as a service that was first observed in 2021. The infection targets businesses and MSPs using triple-extortion tactics, which evolved from the common double-extortion tactics employed in traditional attacks. In BlackCat triple extortion, the ransomware group adds the threat of a distributed denial-of-service (DDoS) attack if the original demands aren’t met. To add a layer of complexity, BlackCat creators switched to the Rust programming language in 2022, giving the ransomware more opportunities for customization and impeding detection and analysis by traditional cyber protection solutions.

Watch our video created by Acronis cybersecurity experts to learn more about BlackCat/ALPHV and how to prevent it.


Lockbit

A particularly dangerous threat discovered in 2019, Lockbit ransomware combines encryption-based attacks with data theft and extortion tactics. Once it infiltrates an MSP’s network, the ransomware steals sensitive data prior to encrypting it, allowing the threat actors to threaten the victim with the sale or publication of their stolen information. With this dual-pronged approach, Lockbit puts enormous pressure on MSPs and their clients to pay the ransom. MSPs are an increasingly attractive target for Lockbit, enabling bad actors to gain wider access to multiple businesses through a single point of entry. This allows Lockbit to cascade the infection and impact victims en masse worldwide.

The impact of ransomware on MSPs

When an MSP falls victim to ransomware, the repercussions have a ripple effect across their client base, resulting in large-scale impact on both the service provider and their clients. The greatest consequences of a ransomware attack include lost revenue, wasted time, data loss and reputational harm.

To stress the importance of implementing effective mitigation strategies against these cyberthreats, let’s dive into the most common challenges MSPs experience following an attack.


Lost revenue

In the aftermath of an intrusion, one of the most immediate and tangible consequences is loss of revenue for the MSP. Typically, MSPs work on a subscription-based model in which their clients pay a recurring fee for ongoing support and IT management services. When the MSP’s systems are compromised with ransomware, it can significantly disrupt the quality and level of service they deliver to their clients. This disruption leads to operational downtime and subpar experiences for clients, resulting in financial damages.


Wasted time

Responding to and recovering from ransomware consumes copious amounts of time and resources for the MSP. Incident investigation and response, isolating affected assets, restoring backups and improving critical security measures are all time-intensive and expensive processes taken on by the MSP once they are hit with ransomware. These activities require thorough, comprehensive attention and divert focus from the MSP technician’s regular operations. Having to refocus on the imminent threat can cause an MSP to slip up in the quality of services they provide.

Data loss

Beyond financial and operational damages, the loss of compromised client data is a severe repercussion of a ransomware infection. Clients trust their MSP to secure and manage their IT environments and rely on their MSP to protect critical data, such as intellectual property, customer personal information and proprietary data. If data has fallen into the wrong hands, this could mean hefty regulatory fines, legal liabilities and further damage to the reputation and credibility of both the MSP and the afflicted client.

Reputational damage

As mentioned above, reputational damage is a consequential challenge that plagues MSPs stricken with ransomware. In competitive markets, MSPs can’t afford to lose existing clients or face mounting struggles to attract new ones due to concerns about their security measures and ability to mitigate ransomware. The impact of a ransomware attack erodes trust and loyalty between MSPs and their clients, leading to poor market standing and diminishing client retention.

How MSPs can mitigate modern ransomware and build cyber resilience

The old adage, “an ounce of prevention is worth a pound of cure” is an idea that cybersecurity industry professionals adopt and use widely when building organizational cyber resilience. Ransomware prevention, protection, response and recovery — in its entirety — is crucial to the success of an MSP.

Here are a few tips to prevent, mitigate and recover from ransomware attacks as an MSP:

Ransomware prevention

Security awareness training is of top importance when it comes to ransomware prevention. It means educating clients and their employees about the associated risks and teaching them actionable, easy-to-follow best practices to identify potential threats and avoid infection. By promoting an organization-wide culture that puts cybersecurity awareness at the forefront, employees can be the first line of defense against social engineering and phishing tactics, the email-security-related breaches that are primary methods used to infiltrate and distribute ransomware. When end users are better equipped to recognize, report and avoid potential malicious activity, both MSPs and clients are less likely to fall victim to these scams.

Regularly conduct vulnerability assessments and patching

Consistent vulnerability assessments and patching are essential steps toward improved ransomware prevention and building enhanced cybersecurity maturity. Service providers should schedule regular vulnerability assessments to identify the high-priority vulnerabilities in software, systems and applications posing risks to their security posture. Ransomware actors exploit these vulnerabilities, so MSPs should regularly apply patches to these flaws to avoid unnecessary exposure.

Upgrade endpoint detection and response solutions

Endpoint detection and response (EDR) solutions, like Acronis Advanced Security + EDR, let MSPs gain advanced visibility into their clients’ attack surfaces. This added visibility simplifies endpoint security activities and positions MSPs to detect, identify, respond to and remediate cyberthreats faster for their clients. EDR supports healthier business continuity by mitigating and eradicating ransomware threats before they cause disruption.

Acronis Advanced Security + EDR is an integrated solution which combines industry-leading cybersecurity, backup and recovery capabilities in a single agent. To learn more, request a demo.

Implement robust backup and disaster recovery solutions

Comprehensive backup and disaster recovery solutions implemented by the MSP can ensure critical data and systems can be quickly restored in the event of a cyber incident. Regularly backing up and securing data off-site provides an added layer of safety in case of compromise.

Key takeaways: Benefits of enhancing ransomware protection for MSPs

Ransomware protection has become an integral part of cybersecurity for managed service providers. Through the implementation of robust ransomware solutions, MSPs can safeguard their clients’ data from modern attacks. This not only protects their clients’ businesses, but also offers benefits for the MSP, including the following:

Saves time

A primary advantage of effective ransomware protection for MSPs is saving time. Anti-ransomware can significantly reduce time and effort spent on remediating malware. Features such as automated threat detection, real-time monitoring and rapid incident response allow service provider technicians to identify and mitigate ransomware attacks swiftly. With a streamlined approach, service providers can save valuable time and resources that could be better spent on refocusing on strategic initiatives and serving clients.

Enhances productivity and efficiency

Strong ransomware protection measures help MSPs increase overall productivity. Reducing the likelihood of ransomware attacks ensures there is minimal disruption to service, data loss and downtime for both the MSPs and their clients. Through mitigating the risk of ransomware intrusions, MSPs can maintain seamless operations, deliver uninterrupted services and efficiently manage their clients’ IT security infrastructure. The result is strengthened productivity, client satisfaction and enhanced reputation in the industry.

Strengthens competitive advantage and profitability

Negative repercussions in the wake of a ransomware attack can have devastating consequences, leading to financial losses, legal troubles and reputational harm. By providing advanced ransomware protection, service providers can position themselves as a trusted partner who helps clients avoid these damages. Powerful anti-ransomware solutions give MSPs the competitive edge to drive added value to their services and attract new clients, leading to more upsell opportunities and accelerating the growth and profitability of the MSP.

Builds customer retention

Positioned as experts in ransomware prevention, protection and response, MSPs can set themselves apart from competitors and tap into new, growing market demand. Once seen as trusted advisors, MSPs are able to build long-lasting relationships with their clients.


By incorporating proactive preventative measures, MSPs can effectively mitigate ransomware threats to their clients and stay ahead of breaches. Establishing a strong cyberdefense strategy that takes a layered approach to security helps MSPs and their clients maintain business continuity in the face of rapidly changing ransomware threats. Through advanced security tools, like Acronis’ EDR solution, MSPs take advantage of increased critical visibility and enhanced threat detection in real time, which gives them the competitive edge to catch and respond to suspicious activity more rapidly than traditional solutions. This benefit empowers MSPs to defend their clients against modern ransomware attacks, streamline incident response activities and continue providing a high level of service for their clients.

About Acronis

A Swiss company founded in Singapore in 2003, Acronis has 15 offices worldwide and employees in 50+ countries. Acronis Cyber Protect Cloud is available in 26 languages in 150 countries and is used by over 20,000 service providers to protect over 750,000 businesses.