November 13, 2023  —  Acronis

The Ultimate MSP Guide to Ransomware Protection and Recovery

Acronis Cyber Protect Cloud
for Service Providers

From phishing to zero-day attacks, today's cyber threats continuously evolve to target various organizations and businesses. Modern MSPs must invest additional time, effort, and resources to safeguard client networks proactively. Otherwise, a ransomware attack may easily infiltrate a poorly protected environment and wreak havoc indefinitely.

For both businesses and MSPs, implementing the highest tier of ransomware protection is critical to ensure growth, success, and business continuity.

This article presents a comprehensive guide for MSPs on prevention, detection, and recovery from ransomware attacks.

Why Are Ransomware Attacks Emerging?

We've seen a rise in ransomware attacks in recent years due to numerous factors. Let's explore the most common ones below.

  • Remote Work environments

Since COVID-19, the increase in remote work and hybrid environments has spiked, thus expanding the attack surface. Having employees connect to the company network from different devices and locations via Remote Desktop Protocol provides attackers with significantly more entry points.

  • Ease of deployment

Cyber-criminals can both offer and purchase readily available ransomware kits and ransomware-as-a-service (RaaS) tools on the dark web. Such offerings simplify the hacking process for both seasoned and less experienced malicious parties, making it easier to launch a full-on attack.

  • Phishing emails and Social Engineering

Phishing emails and social engineering campaigns are among the most common gateways for ransomware attacks. These tactics exploit human error in uneducated users to gain access to corporate systems and networks.

Phishing typically relies on a malicious email attachment (or link) to trick users into downloading ransomware on their devices. It can then spread to other files, systems, and even the entire corporate network.

  • Cryptocurrency payments

Nowadays, ransomware payments are usually demanded in various cryptocurrencies (e.g., Bitcoin) to provide attackers anonymity. Crypto transactions are near-impossible to trace, making it challenging for law enforcement to identify, detect, and apprehend the perpetrators.

  • Supply Chain attack potential

Modern enterprises rely on numerous third-party vendors, service providers, and software. Culprits may compromise any of the above to leverage trusted relationships into infiltrating a target system.

  • Profitable industry targets

Potential targets for ransomware attacks are industries and organizations likely to pay substantial ransom, such as government, healthcare, and financial institutions.

  • Unpatched software vulnerabilities

Many companies globally tend to neglect cybersecurity hygiene as part of their data protection strategy. Cybercriminals can target known vulnerabilities in software or apps that haven't been patched or updated to infiltrate a computer system.

  • Evolving threats

Attackers continuously refine their tactics, techniques, and procedures (TTPs) to adapt to evolving cybersecurity means and avoid detection. Highly sophisticated ransomware variants can take months to plan but maximize the success rate and can significantly damage an unprotected network.

  • Ransomware-as-a-Tool

Nation-state actors can use ransomware for strategic and political purposes to disrupt critical infrastructure in rival nations.

Organizations must understand the threat of ransomware attacks and treat it accordingly. To mitigate the risk of a devastating attack, SMBs and enterprises should prioritize various cybersecurity features to fortify their defenses.

Reliable backup and recovery processes, ASAP automated patching and updates, employee training on cybersecurity awareness, and multi-factor authentication (MFA) are critical implementations to block ransomware attacks. Moreover, organizations should consider employing intrusion detection and prevention systems (IDS and IPS), endpoint protection, proactive threat hunting, AI-powered threat intelligence analysis, etc.

Lastly, companies must take the time to create a comprehensive incident response plan to respond swiftly and efficiently to a potential ransomware infection.

Ransomware Attack Examples

Below are a few examples of recent ransomware attacks targeting different industry organizations.

Maryland Department of Health

After falling victim to a ransomware attack in December 2021, the Maryland Department of Health experienced long-term disruptions resulting in prolonged system downtime and employees with limited digital resource access. Moreover, the Department's COVID-19 surveillance data and Medicaid benefits and healthcare licensing services were disrupted.


In February 2022, Nvidia announced that the company was investigating a ransomware incident that compromised its network for two days. The ransomware gang named Lapsus$ claimed responsibility for leaking Nvidia employee password hashes. Lapsus$ also threatened to leak an additional 1TB of stolen data. (source code and information referring to RTX GPUs)


Finalsite, a web design, hosting, and content management organization for schools, became a victim of a ransomware attack in January 2022. The attack affected 5,000 Finalsite customers, which resulted in inaccessible (offline) websites and unavailable system and registration forms in thousands of schools.

REvil ransomware attack on Kaseya

In July 2021, RMM service provider Kaseya was hit by a ransomware attack carried out by the REvil group. Attackers exploited a vulnerability within Kaseya VSA servers to inflict far-reaching implications on a vast array of businesses and public agencies.

For example, the Swedish grocery chain Coop had to keep almost all its 800 stores closed for a day since its cash register software vendor was out of service.

Understanding a Ransomware Attack: The Basics

Ransomware is a form of malware designed to encrypt files stored on a victim's device, systems, or network drives. Ransomware victims have all their critical data "locked" and cannot access files, applications, or databases. Then, cybercriminals make a ransom demand to give access back to the infected devices or network.

Ransomware is typically designed to spread across networks and target critical databases and file servers; it can quickly steal data and freeze an entire enterprise. It is an evolving, growing threat that generates immense profits for malicious actors while severely damaging companies of various sizes and government organizations.

How Ransomware Works

A ransomware attack relies on asymmetric encryption - a cryptography approach that leverages a pair of keys to encrypt or decrypt files. Typically, the public-private key pair is a unique sequence generated by the attackers, with the decryption key residing on their server only. The attacker then offers to present said key if the victim pays a ransom so they can decrypt all encrypted data.

However, some ransomware campaigns have left organizations without a decryption key even after they've made a ransom payment. Without it, it is nearly impossible to decrypt files and databases, leaving the victim's files locked for good.

There are many ransomware variants targeting organizations globally. Some cybercriminals aim to distribute malicious software via email spam campaigns, while others use targeted attacks to deliver ransomware. The malware needs a suitable attack vector to infiltrate vulnerable devices. After successful deployment, the ransomware infection persists until its purpose is accomplished.

Following a successful exploit, ransomware usually drops executable malicious software (binary) onto the infected systems. The binary then scours the network for valuable files and data to encrypt them. Such files include images, databases, Microsoft Word documents, app data, etc.

Ransomware can also exploit system or network vulnerabilities to spread to other (yet uninfected) systems and potentially cover an entire organization's network. Once ransomware encrypts files and critical data, it prompts victims for ransom payments within (typically) 24 to 48 hours to decrypt data; unless the ransom is paid, the data is lost for good. If you don't have a reliable backup or your backup data is also infected and encrypted, the only option is to pay the ransom and hope to recover your files.

Essential Security Measures Every MSP Should Implement

Ransomware protection is critical for both businesses and MSPs to safeguard critical assets. While ransomware attacks vary in deployment methods and target systems, companies can implement several fundamental anti-ransomware solutions to keep attackers at bay.

Endpoint protection

Endpoint protection (or "endpoint security") is crucial for growing (or already established) businesses. As your company grows, the number of active users on the corporate network will increase, thus creating more "endpoints" for attackers to infiltrate. (PCs, laptops, servers, smartphones, tablets, etc.)

Organizations must rely on dedicated endpoint detection and response (EDR) or endpoint protection platforms (EPPs) to allow system admins to monitor, manage, and secure each remote device in your environment.

While EPP can suit some businesses, EDR is more advanced and focuses on threat response and mitigation as soon as pesky malware attempts to infiltrate the network.

Typically, both EDR and EPP solutions include various protection tools, such as:

  • Data encryption
  • Antivirus and anti-malware
  • Intrusion detection
  • Threat hunting
  • Investigation alert triage
  • Data loss prevention (DLP)
  • Mobile, desktop, and web browser security
  • Firewall
  • Real-time security notifications and alerts
  • Network assessments

Patch Management Software

Cybercriminals often target known, unpatched vulnerabilities to exploit weak entry points and infiltrate target networks. Keeping all devices, software, and operating systems continuously updated is a sensible approach to reduce your company's attack surface and minimize the risk of an attack.

Patch automation software can streamline the patching process and update all devices, programs, and firmware as soon as a vendor issues a new patch. Moreover, a robust solution can ensure security and privacy regulatory compliance and improve system performance.

Data Backup

Critical data backup to an external hard drive or the cloud is an essential practice to counter a ransomware attack. Even if a malicious intruder takes control of your primary system, you can wipe your devices clean and restore all information from reliable backups. Companies can follow the 3-2-1 Rule of Backup to keep multiple backups on different storage media to ensure they always have at least one readily available data copy.

Ransomware Prevention and Detection

When battling ransomware, early detection is crucial but can prove challenging for many organizations. Nonetheless, going the extra mile to set it up can stop an attack before it spreads across your entire network and impacts critical services and applications. Below are several early detection techniques you can leverage to fortify your essential data.

  • Intrusion detection system (IDS) and malware detection solutions

IDS and malware detection tools can detect malicious attempts on your network, whether via predefined rules and known exploit signatures or automated anomaly detection.

  • Segmentation policies

Segmentation policies help companies define the expected "normal" communication flows between all corporate assets in their environment. A stellar segmentation policy can alert you of any unexpected behavior or activity on your network so your security teams can quickly investigate it and take action.

  • Enhanced visibility

Understanding your network traffic activity from end to end will provide insights into any potentially unauthorized movement as ransomware attempts to spread across your systems. Moreover, strong visibility will enable you to identify potential attack vectors regarding critical applications from all available IT assets and give you the time to mitigate a threat before it becomes a full-blown breach.

  • Deception tactics

Companies can also set up honeypots, lures, or distributed deception platforms to identify unauthorized lateral activity and discover an ongoing attack before it affects critical systems.

MSP Ransomware Protection: Advanced Techniques

In addition to essential anti-ransomware methodologies, organizations handling vast amounts of information can rely on advanced protection tactics to further protect their digital assets.

Zero-trust architecture

Zero-trust is a highly strategic approach to ransomware protection that secures a corporate network by eliminating implicit trust and aims to continuously validate every phase of all digital interactions within your environment.

The approach relies on the "never trust, always verify" principle. It is designed to protect hybrid environments by implementing strong authentication policies to ensure network segmentation, prevent malicious lateral movement, simplify "least access" policies, and provide top-tier threat prevention.

AI-based threat detection

AI can study and learn malicious patterns in data that humans can't. (or will take much more time to learn)

AI-based threat detection tools can scour extensive amounts of information in real time, spot anomalies and threats with the utmost accuracy, and identify malicious activity that traditional security solutions would otherwise miss.

Educating Your Clients

Ransomware is an evolving, growing threat and poses too big of a risk for your clients to ignore. From SMBs to global enterprises, your clients must be aware of the effect ransomware can have on their business and the best practices to minimize the risk. The more they know about ransomware attacks, the easier it will be to protect them efficiently.

Below, you, as a robust MSP, can explore the guidelines to discuss ransomware and the importance of protecting sensitive data with your customers.

  • You can leverage the news cycle to start the conversation.
  • Explore how ransomware works, emerging new variants, and the potential aftermath of a successful ransomware attack.
  • Emphasize the costs associated with a ransomware breach.
  • Proceed to educate your clients on the value of updates and proactive protection via whitepaper, presentations, emails, etc.
  • Encourage your clients to simulate potential attacks to educate all employees. (e.g., simulate a phishing attack to teach employees the risk of interacting with a malicious link or attachment)

Backup Encryption

Just as cybercriminals use encryption to lock companies out of their files, organizations can leverage encryption to secure their backups. If an attacker doesn't have the decryption key, they won't be able to access the encrypted data. And while you can rarely remove ransomware without affecting your network performance and operational information, you can rely on encrypted backup data to safely resume business operations onto a new, unaffected system.

MSPs must provide their clients with a reliable option that encrypts files in transit and at rest and blocks access to different ransomware variants. Backup encryption can improve security, but it also helps with privacy, data integrity, authentication, and regulatory compliance.

Response Plan: Steps for Responding to a Ransomware Infection

Preventing an active ransomware infection can be challenging unless you have a robust disaster response plan and follow strict recovery guidelines. Below, you can explore an outline of essential actions to counter pesky malware from taking over your network.

  • Isolate all infected systems to stop the ransomware from spreading.
  • Report the attack to the relevant authorities (e.g., local police, the Justice Department) to help them identify the culprits.
  • Pinpoint where the infection originated and shut down the corresponding user account, server, or system.
  • Ensure your backup data is secured and out of the perpetrator's reach so you can restore it safely later.
  • Disable all tasks that could interfere with your security team's investigation into the attack. (e.g., temporary file deletion, update installation)
  • Backup all infected systems before you reformat their drives so you can use the data to determine the cause of the incident.
  • Identify the ransomware process via advanced hunting methodologies.
  • Verify all relevant backups and add all known attacker communication channels as indicators in your proxy server and on endpoints to block them via firewalls.
  • Reset the passcodes on any known compromised user accounts to require a new sign-in and isolate all known attacker control server points from the internet.
  • Remove the ransomware from the affected devices. Don't forget to scan all suspected computers and other machines liable to infection. (e.g., devices that sync data)
  • Restore your operating system and data on fresh or cleaned devices to resume business processes.

How Long Does It Take to Recover From Ransomware?

The downtime following a ransomware attack depends on several variables.

  • Data backup quality and availability
  • IT environment complexity
  • Infected (impacted) system size
  • IT specialist personnel availability
  • Initial attack response quality and efficiency
  • The specific ransomware variant
  • The volume of data encrypted by the malware
  • The effectiveness of the decryption key (either obtained by obliging to the ransom note or via third-party decryption tools) or the efficiency of the reformat process and the following data recovery process

Extensive downtime can significantly impact your organization's day-to-day operations, revenue, and brand image. Depending on your business type and industry, prolonged downtime can result in missed opportunities, lower customer satisfaction, and hindered business processes. Longer recovery timeframes may also lead to increased labor hour costs, IT infrastructure damage, and reduced employee productivity.

Ransomware Protection and Recovery Best Practices

No company wants to fall victim to a ransomware attack. However, many businesses neglect their ransomware prevention strategy, which can severely impact their business continuity plan. To prevent unauthorized access to your systems and keep all critical data protected, it's best to employ sensible ransomware protection practices and tools.

  • Dedicated cybersecurity solutions (SIEM, XDR, etc.) can quickly detect and negate incoming malware attacks.
  • Strong authentication and access authorization protocols to maintain a Zero-Trust architecture.
  • Access controls and network segmentation to segregate digital assets and servers and contain potential infections.
  • Automate system and software updates to reduce exploitable vulnerabilities, both on-premises and off-site.
  • Email filtering, enhanced web security, and safe download practices to counter phishing and social engineering campaigns.
  • Continuous cybersecurity awareness training to ensure that any employee will double-check before interacting with a malicious attachment or link or storing their credentials unprotected.
  • Regular, reliable data backups combined with encryption, data verification, immutability, and access control protocols.


Ransomware is a growing threat to organizations of various sizes globally. MSPs must provide all required cybersecurity and protection means to ensure their clients' data is secured and readily available.

To procure an all-encompassing security solution for customers, MSPs should offer secure web and email gateways (SWG and SEG), network segmentation, endpoint detection and response (EDR and XDR), network discovery and response (NDR), DNS security solutions, endpoint firewalls, data backup encryption, swift disaster response and recovery tools, and more.

With Acronis Cyber Protect Cloud, MSPs can modernize their clients' data security and backup, reduce downtime, and minimize data loss via integrated cyber protection powered by AI-based anti-malware, antivirus, and endpoint protection management, all available and easy to pilot in a single solution.

About Acronis

A Swiss company founded in Singapore in 2003, Acronis has 15 offices worldwide and employees in 50+ countries. Acronis Cyber Protect Cloud is available in 26 languages in 150 countries and is used by over 20,000 service providers to protect over 750,000 businesses.