Chris Swagler | January 10th, 2022

Ransomware for MSP

Ransomware is costing businesses, not just in extortion payments, but especially in downtime. The cost of downtime, according to industry research, is usually 23 times greater than the requested ransom. Ransomware attacks are affecting the operations of large companies and major cities, and cybercriminals aren’t just attacking end-users; they’re targeting managed service providers (MSPs). Recently, numerous MSPs reported being victims of targeted ransomware attacks. Threat actors are exploiting vulnerabilities in systems used by MSPs with the intention of installing ransomware on their networks and devices. With threat actors targeting MSPs, companies wonder how these criminals are doing it and what can be done to prevent ransomware attacks.

The threat operators’ goal is to get more ransomware on more devices, thus increasing the likelihood that victims will pay the ransom. MSPs have access to numerous networks and devices and are often the gateway to many targets rather than the target itself. Threat operators can remotely install ransomware on numerous networks and devices if they can gain access to an MSP’s systems. Companies feel that they have no choice but to pay the ransom since ransomware can be challenging to remove once installed. Cybercriminals average $12,762 per ransom, which grows exponentially with additional victims.

Cybercriminals are attacking products and services used by MSPs, typically remote monitoring and management (RMM) tools or cybersecurity consoles. Threat operators can gain access through either brute force or software vulnerabilities on unpatched servers and obtain multiple privileged credentials. They then use those credentials to access RMM tools and remotely install ransomware, including the notorious Sodinokibi ransomware virus.

Because cyberattacks become more sophisticated all the time, no single measure will prevent them. MSPs will need to use numerous tactics to prevent infections.


With MSPs becoming a more frequent ransomware target, it’s critical for companies and their clients to stay ahead of the current threat landscape and implement various security measures to prevent potential ransomware attacks. At SpearTip, we specialize in assisting MSPs in protecting themselves and their clients against costly ransomware attacks. Our ShadowSpear Platform provides scalability and protection for companies and their clients from a potential full-scale ransomware attack. ShadowSpear offers total visibility across your customer base and one place to gain insight into the security posture of all monitored environments. Backed by our global network of Security Operations Centers (SOCs) staffed by industry-leading engineers, ShadowSpear constantly monitors partner network environments and actively responds to and remediates any attack 24/7/365.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.