August 29, 2023  —  Acronis

Ransomware prevention for MSPs: Tips and best practices

Acronis Cyber Protect Cloud
for Service Providers

From social engineering, phishing and business email compromise (BEC) attacks, today’s cybercriminals continuously invent new ways to circumvent layers in your clients’ security stack. The modern managed service provider (MSP) faces mounting pressure to protect their IT environment and clients against ransomware intrusions. Once ransomware is introduced, your sensitive data and business continuity are at risk. Ensuring you are equipped to block and proactively prevent future ransomware attacks is pivotal to growth and success.

Simply put, recovering from ransomware and other malware incidents is costly. The average cost of a data breach in 2023 is expected to reach $5 million per incident and ransomware remains the number one threat this year.

Staying ahead of emerging cybercrime involves proactive measures, like data encryption, and other steps to keep sensitive data safe. This blog covers everything you need to know on how to prevent ransomware, the latest types targeting MSPs and tips for recovery.

Why do cybercriminals target MSPs with ransomware attacks?

A single MSP can be a gateway to hundreds of clients and small businesses who trust their service provider to protect their valuable data. This makes MSPs the perfect target for cybercriminals who sleuth the digital landscape, seeking valuable business assets.

Here are the three reasons why cybercriminals target MSPs:

Direct access to multiple clients

Like a launchpad, adversaries use MSPs with access to their clients’ accounts and infrastructure to accelerate the spread of malicious threats, like ransomware. MSPs are a direct pipeline to small businesses and the data-rich trove of confidential information that cyber attackers seek most, making them an attractive target.

These businesses are susceptible to distributed attacks, where multiple victims get hit with ransomware simultaneously. In distributed attacks, ease of ransomware distribution, like lateral movement, appeals to cybercriminals focused on exfiltrating or encrypting sensitive data with as few resources as needed. When the clients of an MSP all experience an attack at the same moment, chaos ensues on admins at the MSP level.

Ambiguous customer security posture

Threat actors are looking for entry points in your clients’ security posture and MSPs may not have complete oversight of all their clients’ security practices. At times, cyber protection responsibilities, such as security training and creating policies, are divided up among your client’s internal team, third-party vendors and the service provider. Security findings can easily get lost in the handoff of critical information among parties, resulting in inconsistencies between the MSP and their clients’ activities. These discrepancies open up opportunities for cybercriminals to exploit security gaps.

Growing number of endpoints: Keeping up with visibility

Many small businesses entrust their endpoint security needs to their MSP. They are the perfect target for intrusions because MSP admins often juggle a growing number of devices and accounts at a given time. Faced with multiple challenges, MSPs need to keep up with attack surface visibility, identify software vulnerabilities and stay updated with patching.

When security-mature MSPs effectively configure endpoint detection tools, like EDR, they are significantly more equipped to defend against sophisticated threats, such as advanced persistent threats (APTs) that could try to exploit their clients. APTs, like MuddyWater, abused a popular remote access tool used by MSPs to compromise several organizations worldwide.


Ransomware types to be wary of

Ransomware infections continue to make the headlines impacting organizations of all industries. In ransomware breaches, threat actors attempt to steal or restrict access (or your clients’ access) to valuable company data in exchange for a demand payment or ransom.

Here are the key types of ransomware attacks on MSPs that you should be concerned about:

Crypto-ransomware (Crypto-malware)

Crypto-ransomware, also known as crypto-malware, is a basic type of malware that targets individuals and businesses by encrypting data on the victim's device and then demanding payment in exchange for its decryption.

Cybercriminals typically use creative ways to introduce ransomware infections into your network and your clients’ attack surfaces, including delivering crypto-ransomware via email in a malicious link, through account hacking, or exploiting software vulnerabilities.

Crypto-ransomware can also be accompanied by a ransomware-as-a-service (RaaS) attack.

Ransomware-as-a-Service (RaaS) model

Ransomware-as-a-services or RaaS, is a new business model used by malware developers to sell tools or malware to potential or actual attackers who want to use their capabilities to exploit MSPs. RaaS attackers don't require advanced development or coding expertise and it takes fewer resources to carry out attacks. Unlike traditional malware intrusions, RaaS criminals don’t need to create malware from scratch — allowing bad actors to conduct breaches quickly and affordably. RaaS makes the barrier to entry low, allowing non-tech savvy individuals to become hackers.

REvil ransomware

In 2021, REvil ransomware struck Kaseya VSA’s IT management software, impacting dozens of MSPs and their clients’ networks worldwide. REvil exploited a vulnerability in VSA servers that attackers used to run ransomware downstream to thousands of MSP clients. The attackers gained access to the Kaseya VSA application, blocking administrator access and distributing a malicious update called “Kaseya VSA hotfix,” which spread ransomware to clients.

Since the REvil ransomware incident on Kaseya VSA, many MSPs and businesses alike have stepped up their cybersecurity infrastructure, including reexamining their detection tools and making the switch to advanced behavior-based detection solutions, like Acronis Cyber Protect Cloud, which catches “living off the land” adversarial techniques used in the REvil attack.

Ransomware introduced by MFA-fatigue attacks

MFA-fatigue attacks (a.k.a. MFA overloading) are a growing concern for MSPs and small businesses. Using social engineering, the attacker bombards the victim with multifactor authentication requests. If an authorized individual inadvertently accepts, their identity is confirmed and the attacker can access the account or device. The intended victim is often distracted or overwhelmed with push notifications and misinterprets them as valid login attempts. MFA-overload hackers aim to manipulate their victims, exploiting human error to compromise sensitive credentials and introduce ransomware.

Ransomware by phishing

Phishing is still the number one method threat actors use to deliver ransomware infections. Basic phishing attacks usually include an email hyperlink to a malicious site, but the problem has evolved into more sophisticated strategies. Phishing emails can even be disguised to look like emails from a legitimate sender. Phishing hackers are adopting social engineering techniques to tempt email recipients into executing an action, triggering a string of malicious events and quickly plaguing organizations with ransomware.

In phishing schemes, adversaries count on human error as the weakest point in your MSP’s security architecture. Keeping email security training principals top of mind is the most effective strategy to prevent your MSP team and clients from falling victim to phishing attacks.

AI-powered ransomware

The adoption of Artificial Intelligence (AI) technology is trending across industries worldwide. According to the State of AI in 2022 Report by Mckinsey & Company, AI adoption has more than doubled since 2017. Businesses are not only adopting AI tools, but are also increasingly investing in AI to serve multiple functions and solve challenges spanning their organization.

AI is here to stay, but it’s a double-edged sword. It offers powerful capabilities to help businesses improve efficiency, productivity and save time. But you might be surprised to learn that threat actors use AI to achieve the same thing.

AI-powered ransomware is a growing concern for service providers and small businesses. Typical ransomware infections are targeted attacks tailored to exploit a small group of individuals. Artificial intelligence (AI) and machine learning (ML) could allow cybercriminals to automate and scale ransomware intrusions to amplify attacks onto a broader group of victims.

Continue reading: Acronis cyber-threats report year-end 2022: Data under attack

What are the best tips for preventing ransomware?

As ransomware groups constantly evolve techniques to thwart network security layers, your ransomware prevention best practices must stay ahead of them. Maintaining visibility and minimizing the attack surface is a continuous challenge for every MSP and small business, and following a trusted framework supported by the cyber protection community is essential to keeping up with modern ransomware.

Acronis recommends these industry-leading tips for ransomware prevention and protection, below:

Enhancing endpoint security with next-gen tools

Managing all your clients’ endpoints and gaining critical visibility is a challenge. This is where endpoint security and management solutions reign supreme against crypto-ransomware, zero-day, and other types of cyberthreats on MSPs. Endpoint protection solutions, such as Endpoint Detection and Response (EDR), improve visibility over customer endpoints, mitigating the risk of ransomware across attack surfaces and including anti-malware and anti-ransomware protection.

Better visibility helps integrate alert data from siloed tools in one place, letting admins know when clients get hit, and enabling them to react faster when there’s a distributed attack. Hardening endpoints with threat detection and response tools will improve overall security posture, catch suspicious activity sooner, and provide rich, contextual alerts to security experts. These enriched alerts generated by EDR help start incident response activities sooner, saving businesses valuable time and resources.

Implementing secure backups

Data backup solutions safeguard MSP customer data. All adversaries share a common objective: steal, destroy or exfiltrate sensitive data. In the event of a breach, data loss is a frustrating challenge that threatens business continuity. Backup gets your customer up and running faster, and you can be confident that critical information is available to authorized individuals following a security event. Data protection, backup and recovery enhance visibility across all critical data on customer workloads.

Stepping up email security

Cybercriminals frequently use email to broadcast spam, malware and phishing scams. They send misleading messages to trick recipients into opening attachments or websites that download ransomware into the victim's device. The ultimate objective is for email receivers to provide attackers with a means of sharing confidential data, business intelligence and intellectual property.

Email security provides proactive prevention and protection from phishing attacks, spoofing, advanced persistent threats (APTs) and ransomware delivered by email. A common technique used by MSPs includes email encryption, which usually calls for authentication and, in essence, masks email content. To protect any potentially sensitive information from being viewed by anyone other than the intended recipients, email encryption accomplishes this.

The FBI received 21,832 BEC reports in 2022, with a damage estimate of over $2.7 billion. Strengthening business email compromise (BEC) prevention and protection is a growing concern for small businesses, given this statistic. Email security solutions detect hidden, malicious email content, such as file attachments and hyperlinks — blocking them before the end user can open the executables.

Using URL filtering

We can’t control where users surf the web or what links they click on. As MSPs, protecting your clients and employees from visiting nefarious websites is a growing concern. URL filtering tools stop users from visiting dangerous web pages by blocking or allowing specific URLs. By creating URL filtering policies, IT technicians can block users from visiting harmful websites and avoid malware altogether.

Improving Data Loss Prevention (DLP)

Data loss prevention solutions help prevent data leakage on customer endpoints and networks through security measures that monitor, detect and control the transmission of confidential information. By analyzing the content and context of data transfers and enforcing policy-based preventive controls, DLP products help better visualize the data flows spanning network, endpoint and cloud environments.

Business data can be categorized into three principal states: data in use, data in motion and data at rest. Depending on use, data is continuously shifting between these states within ongoing workflows. We can use these states to help clients understand their risk of data loss, handle organizational data more securely, and prevent data leakage. DLP technologies are designed to address data in these states and work with DLP best practices to help businesses meet regulatory compliance and safeguard company crown jewels.

Restricting remote access

Remote access restriction is a security method within account control that lets security admins allow or block remote access permission to organization networks, including local-area networks (LANs), wide-area networks (WANs) and virtual private networks (VPNs).

Vulnerabilities associated with remote access are often introduced due to insecure networks. Restricting remote access with carefully configured access control policies mitigates the risk of ransomware and other intrusions across your clients’ attack surfaces by only allowing authorized connections.

Applying software patches and staying up to date

For MSPs, managing software vulnerabilities on your clients’ accounts is challenging with limited resources and security IT talent. Identifying vulnerabilities and patching weaknesses should be a priority, because hackers exploit these holes in your security infrastructure when vulnerabilities go unnoticed. Patch management, vulnerability assessment and vulnerability management work hand in hand to identify software weaknesses, prioritize the severity of vulnerabilities and apply necessary patches to fix them before attackers exploit them.

Software patching is essential for maintaining the stability and security of clients’ systems. It’s a continuous and ongoing process that relies on automated tools to detect, schedule, prioritize, test, deploy, monitor, track and report patches. Staying ahead of software patching has key benefits for MSPs, including supporting efforts toward protecting data, reducing downtime and bettering efficiency.

Adopting zero trust

MSPs are increasingly adopting zero trust architecture — a framework used to approach security that centers on the idea that employees should have the bare minimum level of security and identity clearances necessary to do their jobs — and no more. The National Institute of Standards and Technology (NIST) encourages the adoption of zero trust principles to protect critical business assets.

Simply put, zero trust is not a framework implemented to make the work of clients and their employees more difficult or imply that end users are not trustworthy, but it’s a practice of “trust nothing, always verify” which prevents lateral movement tactics threat actors use to sleuth through compromised systems within network environments.

Educating users

Sharing tips and advice on how users can recognize, identify, and avoid potential ransomware attacks effectively mitigates your risk. Simply saying “don’t click dangerous links” to your clients and employees isn’t enough to protect end users and business networks from sophisticated cyber schemes.

From famous CEOs sending gift cards to employees to opening file attachments from unknown senders, MSPs and their clients are continuously strategizing security awareness training, including email security exercises, anti-phishing practices, email tests and raising awareness of common social engineering scams, to stay on top of advanced threats. Using a framework, like the one provided by, helps organizations cover all their bases when designing and running cybersecurity awareness training programs.

About Acronis

A Swiss company founded in Singapore in 2003, Acronis has 15 offices worldwide and employees in 50+ countries. Acronis Cyber Protect Cloud is available in 26 languages in 150 countries and is used by over 20,000 service providers to protect over 750,000 businesses.