
Why Backup and Recovery Are Now Central to Every MSP’s Ransomware Strategy


COMMENTARY: Ransomware isn’t slowing down. For MSSPs and MSPs, the message is simple: recovery now matters as much as prevention. Attacks are hitting everything from endpoints to virtual machines and cloud apps, leaving no room for weak links. Backup and recovery aren’t just safety nets anymore; they’re business enablers that prove resilience under pressure. The MSPs that test, automate, and harden recovery will be the ones clients trust when everything else fails.


Ransomware remains an epidemic in 2025. Cybersecurity Ventures estimates a 30% year-over-year increase in global ransomware damages over the next decade, projecting the cost to exceed $265 billion annually by 2031.

Ransomware now makes up about 28% of all malware cases, amounting to hundreds of millions of attacks each year worldwide. In the U.S., most organizations suffer multiple disruptions annually, so it’s not a question of if but when a breach will happen.

For MSPs, the takeaway is simple: prevention isn’t enough. Companies must plan for inevitable compromise and focus on fast, reliable recovery.

Advanced Tactics and Expanding Targets

Today’s ransomware gangs are more sophisticated. Double extortion—encrypting systems and stealing data to threaten public release—is now routine. Criminals use the data leak as extra leverage to force payment.

At the same time, attackers are no longer limited to Windows PCs. Security researchers (Unit42) report that in 2025, intruders are deliberately targeting cloud and virtualized environments, Linux servers, VMware ESXi hosts, and cloud applications by exploiting misconfigurations or weak credentials.

In short, modern ransomware can hit any part of the network. MSPs must therefore extend defenses beyond simple endpoints to include servers, cloud workloads, and data services.

Real-World Impact on Critical Operations

High-profile breaches illustrate the stakes on both a financial and human level. In the gambling capital of the world, Las Vegas casino operator MGM Resorts suffered an ALPHV/Scattered Spider ransomware attack in September 2023 that took core systems offline for days. The fallout? A staggering $100 million hit to Q3 revenue.

Likewise, in healthcare, an attack on Kettering Health in Ohio crippled IT. It immediately forced the cancellation of elective surgeries and the diversion of ER patients, highlighting the human impact of such activity. In parallel, Interlock claims to have stolen 941 gigabytes of highly sensitive data (patient records, financials, etc.).

These incidents underscore that attackers deliberately target organizations with zero tolerance for downtime. Groups like Interlock now treat extortion as a marketing ploy, stealing vast troves of data to amplify fear and pressure victims. For healthcare IT and MSPs serving such clients, the key takeaway is that operations must continue even if the network is offline. Sensitive data must never be lost.

Backup & Recovery: The New Front Line

Given this volatile and remorseless landscape, backup and disaster recovery have become the crucial last line of defense. Government guidance now emphasizes offline, immutable backups and frequent recovery testing.

For example, CISA’s #StopRansomware guidance advises organizations to “maintain offline, encrypted backups of critical data, and regularly test the availability and integrity of backups in a disaster recovery scenario.” Many ransomware strains explicitly try to encrypt or delete accessible backups, so one must assume live backups can be targeted.

A modern MSP solution must therefore create extra copies off-network (or in immutable storage) so that at least one clean version survives any attack.

In other words, if a client is hit with ransomware, MSPs can roll back to a clean slate without paying the criminals. Crucially, the platform is purpose-built for MSPs. It offers a multi-tenant dashboard, automated reporting, and white-label options to simplify management and show ROI. It even includes ransomware protection features like real-time recovery orchestration and immutable backup copies.

In practice, this means MSPs can deliver enterprise-grade disaster recovery to every client, all managed from a single console.

Best Practices for MSPs

To turn strategy into reality, MSPs should adopt a multi-pronged approach. Key practices include:

  • Immutable, tested backups. Follow a 3-2-1(-1) rule: keep multiple backups (onsite and offsite) and at least one copy offline or in immutable storage. This means that even if attackers gain control, they cannot erase all recoverable data. Store critical data snapshots in an air-gapped or locked-down vault.
  • Regular recovery drills. Schedule systematic DR tests and ransomware simulations. Industry guides recommend that MSPs routinely run full-scale recovery tests (and document the results) to prove backup health. Create diverse test scenarios—for example, simulate a cyberattack by encrypting test machines or shutting down servers—to validate that RTO/RPO targets are met. Testing uncovers gaps in procedures or tools before a real disaster strikes.
  • Incident response planning. Develop and rehearse an IR plan that integrates backup recovery. CISA and MS-ISAC stress maintaining an updated ransomware response plan (including communications protocols) and exercising it periodically. It might sound obvious, but it is critical to ensure staff know who does what when a breach hits. This should include steps for detecting intrusions and invoking the recovery workflow. Having a clear and practiced plan—including simple but effective tactics like offline copies of contact lists and passwords—can shave hours or days off recovery time.
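The first two practices can be checked mechanically. The sketch below is an added example, not code from the article or from any backup product: it audits one client's backup inventory against the commonly cited reading of 3-2-1-1 (three copies, two media types, one offsite, one offline or immutable) and scores a recovery drill against RTO/RPO on the assumption that every non-isolated copy was destroyed. The `BackupCopy` fields, function names and sample values are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class BackupCopy:
    name: str           # hypothetical label for the copy
    media: str          # e.g. "disk", "object-storage", "tape"
    offsite: bool
    isolated: bool      # offline/air-gapped or immutability-locked
    taken_at: datetime

def audit_3211(copies):
    """Return the 3-2-1-1 gaps in one client's backup set (empty list = pass)."""
    gaps = []
    if len(copies) < 3:
        gaps.append("fewer than 3 copies")
    if len({c.media for c in copies}) < 2:
        gaps.append("fewer than 2 media types")
    if not any(c.offsite for c in copies):
        gaps.append("no offsite copy")
    if not any(c.isolated for c in copies):
        gaps.append("no offline or immutable copy")
    return gaps

def audit_drill(copies, incident_at, restored_at, rpo, rto):
    """Score a recovery drill, assuming every non-isolated copy was lost."""
    survivors = [c for c in copies if c.isolated and c.taken_at <= incident_at]
    if not survivors:
        return ["no isolated copy predates the incident"]
    newest = max(c.taken_at for c in survivors)
    gaps = []
    if incident_at - newest > rpo:
        gaps.append(f"RPO missed: {incident_at - newest} of data lost")
    if restored_at - incident_at > rto:
        gaps.append(f"RTO missed: restore took {restored_at - incident_at}")
    return gaps

# Constructed sample inventory and drill timings (not real client data).
T0 = datetime(2025, 1, 10, 9, 0)  # simulated encryption time
WEAK = [
    BackupCopy("nas", "disk", False, False, T0 - timedelta(hours=1)),
    BackupCopy("cloud-replica", "object-storage", True, False, T0 - timedelta(hours=2)),
]
GOOD = WEAK + [
    BackupCopy("vault", "object-storage", True, True, T0 - timedelta(hours=26)),
]

if __name__ == "__main__":
    print(audit_3211(WEAK))
    print(audit_3211(GOOD))
    print(audit_drill(GOOD, T0, T0 + timedelta(hours=3),
                      rpo=timedelta(hours=24), rto=timedelta(hours=4)))
```

In the sample, `GOOD` satisfies the rule yet still misses a 24-hour RPO, because the only copy assumed to survive is 26 hours old; hourly live backups do not count toward RPO if the attacker can reach them.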

Beyond these, MSPs should also enforce strong preventive controls (MFA, segmentation, patching, user training) to reduce the odds of infection in the first place, leaning on the adage that prevention is better than cure.

However, even the best defenses are not foolproof. What separates resilient clients is that when “the worst” happens, they bounce back immediately. Several MSPs have already seen this: by relying on robust backups and recovery automation, some victims have restored critical systems within hours and never paid a dime in ransom.

In summary, 2025’s ransomware threat demands that MSPs champion cyber resilience as much as cyber hygiene, and arguably as much as any other strategic priority. By integrating advanced threat prevention with comprehensive backup and recovery solutions, an MSP can assure its clients that if an attacker strikes, the business will recover without catastrophic loss.

As one channel mantra goes, “you can’t take back data with a check”—the best protection is having your data safely backed up and ready to restore. MSPs who make recovery their core strategy will protect their customers’ bottom lines and reputations when it really counts.

Ransomware remains an epidemic in 2025. By one estimate, Microsoft logs roughly 600 million cyberattacks each day. About 28% of those malware incidents are now ransomware, translating to hundreds of millions of hits worldwide per year. In practice, most U.S. organizations face multiple disruptive attacks annually, so breaches should be viewed as “when,” not “if.”

The lesson for MSPs is clear: prevention alone can’t stop every attack. Firms must assume compromise is inevitable and make rapid recovery their top priority.


MSSP Alert Perspectives columns are written by trusted members of the managed security services, value-added reseller and solution provider channels or MSSP Alert's staff. Do you have a unique perspective you want to share? Check out our guidelines here and send a pitch to [email protected].
