One of the most common cyberthreats that businesses face is ransomware. With many businesses employing managed service providers (MSPs) for their IT, how can MSPs ensure their customers are as protected as possible from ransomware attacks?
Cyberthreats are now an accepted part of everyday life for businesses, and ransomware is one of the most common forms of attack used, which means MSPs must be alert to the ever-changing threat it poses.
As Phil Skelton, senior director, international sales at eSentire, notes, in UK Government research, the number of companies affected by ransomware doubled to 19,000 during 2025. “The market around ransomware has expanded too, with threat actors carrying out more specialist roles and creating an economy around access,” he adds. “There are those that get paid for initial access, those that create Phishing-as-a-Service and Ransomware-as-a-Service kits, and those that try to monetise the access with ransomware, conducting the negotiations and trying to get payment.
“For customers, the impact is that ransomware has become more professional and targeted. In our research, the top industries targeted included business services, construction and finance, where companies have high-value data, operational sensitivity to downtime, and frequent large financial transactions, making them attractive targets.”
Dominic Ryles of Hammer Distribution adds that ransomware attacks are now a routine reality for businesses of all sizes. “In the UK alone, a significant proportion of organisations report attempted or successful attacks each year, and the trajectory is still upward,” he says.
Keeping customers safe
There are various strategies MSPs can employ to ensure that customers are kept safe from ransomware attacks. “Ransomware is not a sophisticated problem,” says Dinesh Hirani, head of information security at Redsquid. “The entry points are the same ones we’ve been talking about for a decade: phishing, weak credentials, unpatched remote access, poor configuration. The attackers are not getting cleverer. The gaps are just still there.
“That should worry any MSP, because it shows the standard tool-first playbook is not enough. Too many providers sell EDR, MFA and backup and assume the customer is covered. In reality, layered defence requires strong identity protection, least-privilege access, phishing-resistant MFA, device trust, secure configuration, vulnerability management, network segmentation, continuous monitoring and resilient backups. A tool without someone watching it at 2am is just a log nobody reads. CISA and NCSC-UK continue to warn that the most exploited weaknesses are not exotic; they are exposed RDP, default credentials and unpatched internet-facing systems. If a managed service does not close those gaps operationally, the tools are furniture.”
Dinesh says this is where ransomware readiness assessments earn their keep. “Not a tick-box audit, but a real test: is privileged access actually controlled, or does everyone quietly have domain admin? Are backups recoverable under pressure, or just ‘running’? Can the team make a containment decision in minutes, or does that require a call tree and three levels of approval? These are the questions that determine whether an attack becomes an incident or a catastrophe.
“But readiness assessments only matter if the response architecture can act fast enough. Modern ransomware encrypts in minutes. No human analyst, however skilled, can triage an alert, confirm the threat and make a containment call before the damage is done. That is why automated response is non-negotiable: EDR that kills a malicious process on the endpoint the moment it detonates, or NDR that drops hostile traffic on the wire before it spreads laterally. That machine-speed response buys you the time a human needs. A managed SOC then picks up where automation stops, investigating the blast radius, identifying persistence, determining whether you are dealing with an isolated incident or a broader campaign. Automation handles the first seconds. Analysts handle the next hours. Get that layering wrong and you are rebuilding an entire estate instead of reimaging one endpoint.”
Phil adds that customers need help around how to harden their systems and prevent attacks against their hardware, software and IT assets. “Continuous Threat Exposure Management (CTEM) can provide that insight and keep customers up to date with potential gaps in their security,” he says. “Selling CTEM should be about providing that proactive approach to preventing attacks, letting customers get on and run their businesses successfully.”
But Phil warns that CTEM on its own is not enough. “For smaller companies, running their own security operations can be cost-prohibitive, so they may want to outsource that to a service provider,” he explains.
“MSPs can either build their own SOC to offer these processes, or partner with a SOC provider to deliver that level of coverage. This is particularly important when you consider how fast threat actors move today: our Threat Research Unit’s analysis of the Tycoon2FA threat actor revealed an average of just 14 minutes between user credentials being captured and active exploitation on that company’s network. Many firms can’t run their own SOC, but they need that fast response in case something does go wrong. Putting it into business terms can help in that decision process.”
Stemming the breach
If ransomware does breach defences, there are ways MSPs can minimise the effect of an attack. “Impact is determined by spread,” says Charlotte Pickering, EMEA channel director at Zero Networks. “If an attacker can only access a small number of systems, recovery is fast and disruption is limited. If they can move freely, you’re looking at outages, missed SLAs and potentially existential business impact.
“MSPs should focus on reducing the blast radius in advance. That means segmenting critical systems, isolating high-value assets and ensuring that access paths are tightly controlled. When containment is built into the environment, response becomes faster and far less dependent on human intervention during a crisis.”
Richard Francis, SE director EMEA at CTERA, says that when an attack bypasses preventative measures, the speed of recovery determines the outcome. “Waiting days to restore from traditional cloud or tape backups can be a death sentence for a modern business,” he says. “This is where the conversation must pivot to recovery time objectives. With an immutable snapshotting system, the recovery process is transformed. Instead of a painstaking, multi-day restoration project, an MSP can roll back an entire file system to its pre-attack state in a matter of minutes.”
Security discussions
When discussing ransomware with customers, MSPs and resellers should take various things into consideration. Charlotte says resellers should reframe the conversation. “Most customers are still being sold detection and response, but those approaches assume everything works perfectly under pressure,” she says. “In real-world scenarios, security is a chain of steps and attackers only need one gap.
“The more important question to ask customers is: if something gets in, can it move? That shifts the discussion toward resilience, uptime and business impact. It’s a much more concrete conversation that aligns directly with executive priorities.”
Dominic says the conversation needs to move beyond technology into business risk. “Customers don’t buy EDR or backup, they buy continuity, resilience and peace of mind,” he says. “Framing ransomware in terms of downtime, lost revenue, regulatory exposure and customer trust makes the conversation more tangible and urgent. It’s also important to position security as an ongoing service, not a one-off project.”
Danny Hemminga, VP EMEA partner sales at Tanium, says resellers should challenge how customers think about security. “Many organisations have ended up with fragmented security stacks over time – often the result of layering new tools on top of existing ones as threats evolve,” he says. “The problem is that these disconnected solutions create blind spots and slow down response. Industry research shows 78% of organisations are dealing with fragmented security stacks.
“In conversations, that means shifting the focus to exposure. Where are the real risks across the environment? How quickly can they be identified and fixed? And how much visibility and control do you have across every endpoint?
“Resellers should also ask how quickly customers can respond when something goes wrong. If it takes hours or days to act, that’s where ransomware gains ground.
“Customers don’t need more dashboards – they need the ability to act and become unstoppable. The role of the reseller is to help simplify that complexity and ensure risk is being actively reduced, not just monitored.”
Future
Dominic says ransomware will continue to evolve rapidly. “AI is accelerating the scale and precision of attacks, from highly convincing phishing campaigns to faster vulnerability exploitation,” he says. “We’re also seeing increased focus on supply chains and MSPs themselves as entry points. MSPs need to stay vigilant, continuously adapt their security stack, and ensure they are not just protecting their customers, but also themselves.”
Danny agrees that AI is having more of an influence. “Attacks are becoming increasingly automated,” he says. “AI and tooling are allowing attackers to move faster, scale campaigns, and adapt in real time, which compresses the window MSPs have to respond.”
He adds that there will be more focus on identity and access going forward. “Rather than breaking in, attackers are logging in – targeting credentials, remote management tools and MSP environments to gain broad access quickly,” he says.
“Extortion tactics will continue to escalate. Double extortion is now standard, but we’re seeing more aggressive approaches – data leaks, regulatory pressure and targeting reputational damage to force payment.
“For MSPs, that means staying alert to where attackers are shifting – identity, access and speed. If you don’t have real-time visibility and control across your customers’ environments, those attacks become much harder to detect and contain.”






