This Lunar New Year marks the Year of the Horse, a symbol of speed, endurance and clear direction. These traits carry relevance in today’s cybersecurity landscape. For MSPs, these characteristics aren’t just symbolic, but they’re essential to navigating rapidly changing cyberthreats.
As we celebrate Lunar New Year, it’s also a moment to reflect on our own origins. Acronis was founded in Singapore, where Lunar New Year is a festive season and cultural celebration of a new lunisolar calendar year. Honoring the Year of the Horse, this blog explores the cybersecurity challenges MSPs must be prepared for in 2026.
The latest Acronis Cyberthreats Report H2 2025 shows how quickly the threat landscape is evolving and how aggressively adversaries are targeting MSP ecosystems. Based on telemetry from more than one million protected endpoints, the report highlights an environment where attackers are moving faster, exploiting trust more effectively, and targeting MSP access with unprecedented precision.
1. Phishing: The fastest‑moving threat vector
If there’s one threat that’s consistently outpacing defenses, it’s phishing. It’s no longer the nuisance it used to be. Today’s phishing techniques are AI‑sharpened, context‑aware and often delivered where users feel safest: Within their day‑to‑day conversations across collaboration spaces.
The Acronis Cyberthreats Report shows that in H2 2025, phishing drove 52% as the top vector, targeting MSPs in numerous attacks, making it the clear leader among breach pathways. Advanced attacks accounted for 31% of collaboration platform threats, more than thirty times the proportion observed in email. Malware accounted for 54%, while phishing represented only 15%. The surge is a sign that criminals are following MSP and business workstreams and targeting shared messaging channels such as Microsoft Teams, WhatsApp and Signal.
This shift reflects two trends:
- AI‑generated phishing content has increased the volume and believability of attacks.
- Threat actors have expanded beyond email.
In several documented incidents, impersonation techniques harvested MSP admin credentials, unlocking RMM consoles, and cascading access into multiple client tenants.
2. Ransomware: A persistent, escalating adversary
Ransomware isn’t just rampant, but it’s maturing. The data shows a nearly 50% year‑over‑year increase driven by ransomware gangs Qilin, Sinobi and Akira when comparing the same period in 2023 to 2024 in the first half of 2025. Acronis detected nearly 100 active RaaS providers, with 34 new groups observed in H2 2025 alone . That’s the visible tip of the iceberg; beneath it, ransomware groups are quieter, more strategic and increasingly focused on data theft and extortion rather than typical noisy encryption tactics.
Key ransomware groups continue to leverage:
- Mass exploitation of vulnerabilities.
- Credential theft.
- Phishing‑assisted intrusions.
- Abuse of remote monitoring and management platforms.
Notably, many actors are transitioning to stealth‑first playbooks: initial infostealers, quiet lateral movement, selective encryption and extortion anchored in exfiltrated data. This evolution puts a premium on early detection, identity controls and recovery you can trust.
3. RMM tools: High‑trust solutions increasingly under siege
Your RMM is the nerve center of service delivery, which makes it invaluable to adversaries. In 2025, the report identified 3,000 critical vulnerabilities with some present in RMM solutions used or targeted as attack vectors, and we saw concrete evidence of vulnerability‑driven compromises and affiliate abuse.
Popular RMM tools, including N-able, AnyDesk and TeamViewer RMMs were targets of cybercrime in the last half of 2025. When attackers capture the keys to your RMM, they can pivot across tenants at machine speed.
Notably, the Acronis Cyberthreats Report highlighted that:
- N-able N-central exhibited eexploited vulnerabilities the summer of 2025.
- RMM tools such as ScreenConnect, AnyDesk, TeamViewer and Splashtop were targets of DragonForce attacks (via ScatteredSpider enablement).
- Because RMM platforms inherently hold high privilege and broad visibility, compromise translates into multitenant impact and increased business risk.
Entering the year of the horse with agility and confidence
MSPs should prioritize automation across their security and IT operations. Automating tasks like patch management, RMM hardening, backup validation and phishing detection frees technicians to focus on what matters most: hunting, blocking and eradicating advanced attacks and the very tactics highlighted in the Acronis Cyberthreats report’s findings.
To stay ahead in 2026, MSPs should streamline routine workflows, enforce zero‑trust principles, and strengthen controls around high‑risk vectors such as phishing, collaboration apps and vulnerable RMM tools — all of which saw significant rises in exploitation.
For a deeper understanding of the trends shaping the threat landscape, including AI‑driven phishing and the surge of attacks in collaboration app and RMM environments, explore the Acronis Cyberthreats Report H2 2025 to stay up to date.
About Acronis
A Swiss company founded in Singapore in 2003, Acronis has 15 offices worldwide and employees in 50+ countries. Acronis Cyber Protect Cloud is available in 26 languages in 150 countries and is used by over 21,000 service providers to protect over 750,000 businesses.
