When it comes to ransomware protection, Managed Service Providers (MSPs) are in a unique position. On the one hand, they are often the main line of defense for their customers against ransomware. At the same time, they themselves may be a target of ransomware. Not only that, but very often the threat actors attack MSPs just as a means to gain administrator access to their clients. That’s the lesson that some of them learned the hard way during the Kaseya attack earlier this year, when a popular MSP software platform was compromised by threat actors, allowing them untethered access to their clients’ privileged information.

Indeed, this is likely the reason why it would seem that attackers are increasingly targeting MSPs in particular, and it’s time for them to get as serious as they can about ransomware protection.

Why threat actors love to target MSPs

It’s not hard to guess why MSPs have become a sought after target for attackers. MSPs offer cyber security protection to their customers. In order to do this, they need to be given full access to, the mission-critical infrastructure, applications and networks of multiple businesses. By breaching a single MSP, threat actors breach multiple IT estates. For threat actors, this is a much more efficient strategy than attempting to breach multiple businesses individually.


The fact that companies have become more reliant on MSPs in the wake of the Covid pandemic makes them an even richer target. As many businesses have pivoted toward distributed workforces, MSPs have come to play a central role in supporting these businesses’ remote workers, making these types of attacks all the more devastating.


Ransomware protection for MSPs

Faced with these challenges, MSPs need to take action, as they now need to not only defend themselves, but also risk exposing their customers. This means they need to establish security postures that are as strong as possible to protect against ransomware for both themselves and their clients.

The following are just a few measures that should be taken in order to improve the security posture.


Audit MSP tools

MSPs should be continuously aware of security vulnerabilities or risks within the tools they use.

It may be difficult to miss news about incidents like the Kaseya attack, which was widely publicized. But more obscure IT tools (like remote management software or monitoring tools) may not always make headlines. And, in some cases, MSPs may not even be sure which tools they use in their business, because different technicians may rely on different software.

A continuous inventory should be kept of all of the tools used by employees along with how secure they are known to be.


Disable inactive user accounts

The typical MSP business sees clients come and go over time. Even within long-term clients, individual users will leave.

When this happens, all associated user accounts should be disabled immediately. User accounts that remain active but are not only unnecessary, but are a wide-open door for threat actors.


Restrict network access

Network access policies based on zero trust and least privilege may make networks a bit less convenient to administer, but they’re critical for mitigating security risks.

MSPs should ensure that access to all network resources across all of the businesses they manage is restricted to the least necessary. They should also enforce rules that prevent new endpoints from joining the network until they are validated and determined to be secure.


Implement air-gapped backups

Backups — which MSPs often manage for their clients — are a critical resource for ransomware protection. But they are not very useful if they are stored alongside production systems, in which case attackers may be able to compromise the backups along with the main network.

This risk can be mitigated by “air-gapping” backup data. Air-gapping means storing data in an offline location, where security risks are significantly lower because the data cannot be accessed via the Internet. If this is not possible, the data should at the very least be stored in a separate site from their customers’ production infrastructure.


Implement an evasive ransomware prevention solution

It may be easy enough for MSPs to detect ransomware attacks that don’t try particularly hard to hide. Network management software can alert teams to port-scanning by unknown hosts, for example, or to repeated failed login requests that could reflect efforts to brute-force passwords.

But smart threat actors use more evasive techniques. To detect their attacks, MSPs should deploy anti-ransomware solutions like Minerva Labs, which was built specifically to stop attacks by breaking the decision-based logic upon which evasive ransomware relies. With this functionality on their side, ransomware can be stopped before it compromises sensitive data.



MSPs have become a popular target for ransomware. They’ve also assumed a more important role than ever in stopping ransomware attacks, given the increased reliance of many businesses on MSPs in the Covid era.

For both of these reasons, MSPs need to be extra-wary today of ransomware, and ensure that they implement all of the tools and practices at their disposal to prevent ransomware attacks before they happen.