Ransomware Techniques Are Changing. Are MSPs Ready for This Shift?
Ransomware is evolving ‒ not fading. Despite a decline in attack detections based on WatchGuard Firebox telemetry, data from extortion sites and media reporting tells a different story: ransomware activity is actually on the rise, both quarter-over-quarter and year-over-year. The number of active ransomware groups is also increasing, as is the average ransom demand. In fact, the typical payout jumped from $400,000 in 2023 to $2 million in 2024 ‒ a staggering 500% spike.
Rather than casting a wider net, attackers are becoming more selective and strategic. Many groups now operate under the ransomware-as-a-service (RaaS) model, refining their tactics to maximize profits with fewer ‒ but more impactful ‒ victims. Data theft without encryption is also becoming a common pressure tactic. Incidents like the Clop group’s MOVEit supply chain exploit highlight just how stealthy, targeted, and complex today’s ransomware operations have become.
The Changing Approach to Ransomware
Attackers are currently adopting new practices that redefine how they select their targets and execute their ransomware campaigns. For managed service providers (MSPs), understanding this shift enables them to adjust their defense strategies and protect their customers. The key changes include:
- Growth of the ransomware-as-a-service (RaaS) model: this model continues to spread, giving malicious actors without advanced technical knowledge access to kits and services that are ready to deploy in ransomware campaigns, which contributes to the diversification of attacks.
- Increased prominence of groups such as RansomHub and Clop: following the demise of LockBit, these gangs have established themselves as the most active players, targeting large organizations.
- Supply chain attacks: exploiting vulnerabilities in widely used solutions allows cybercriminals to compromise numerous companies from a single point of entry. The MOVEit attack is a prime example.
- Data exfiltration as a dominant extortion technique: groups are increasingly prioritizing the theft of sensitive and confidential information and threatening disclosure as a way of exerting pressure on their victims. This has pushed traditional system encryption into the background.
- Network traffic encryption is increasingly used by attackers: the latest Internet Security Report confirms this, as 71% of today's malware is distributed over encrypted connections (TLS). This makes technologies such as deep packet inspection (DPI) and behavioral analysis essential for detecting threats that would otherwise go undetected.
Faced with an increasingly sophisticated ransomware landscape that aims to maximize impact while targeting fewer victims, MSPs need to adopt an approach that allows them to isolate incidents quickly and prevent them from spreading. Network micro-segmentation, rigorous control of internal traffic, and individualized protection of each endpoint, implemented together with robust network and endpoint security solutions, are crucial measures that strengthen response capacity and help reduce the impact of these attacks.
Deploying tools that balance efficiency and flexibility and are aligned with real security needs and business logic can make all the difference for MSPs. This strategy enables them to maintain a constant level of protection and anticipate the latest threat techniques, safeguarding the business continuity of the organizations that rely on their services.