NEED TO KNOW: The ConnectWise 2025 MSP Threat Report

The new ConnectWise 2025 MSP Threat Report paints an extremely scary picture for MSPs. Cyberattacks are getting more sophisticated, frequent, and harder to stop. But that doesn’t mean channel pros are powerless. By understanding the latest trends and following some key cybersecurity tips, you can stay ahead of the bad guys.

Here are the biggest takeaways from the report and what they mean for MSPs like you.

Ransomware is Changing (and Not in a Good Way)

Ransomware on a laptop

• What’s happening? Ransomware gangs are shifting gears—instead of hitting big corporations, they’re going after smaller businesses.
• Why it matters: Attackers see SMBs as easier targets. If you’re an MSP, you’re the gateway to a whole lot of them.
• The numbers: The FBI took down Lockbit, a prominent ransomware-as-a-service group, in 2024 and released 7,000 decryption keys. But even when justice is swift, the overall pace of cybercrime doesn’t slow down.
• Cybersecurity tips: If your clients are vulnerable, so are you. Mandate multi-factor authentication (MFA). Automate patching. Don’t tolerate shadow IT—employees shouldn’t have free reign to install software. Disable Remote Desktop Protocol (RDP) whenever possible. Set up geo-blocking so only users from approved locations can log in.

Hackers Want Your Data Now

• What’s happening? According to ConnectWise’s research, ransomware groups aren’t just locking up files anymore. They’re increasingly focused on stealing sensitive data and demanding ransoms.
• Why it matters: Even if you have backups, your clients still don’t want their payroll records or customer lists leaked online.
• The numbers: Groups like RansomHub are leading the charge, skipping encryption entirely and just extorting companies for stolen data.
• Cybersecurity tips: Encrypt data at rest so even if it is stolen, it can’t be easily read. Encrypt data in transit as it moves across networks. Don’t store your client’s encryption keys on the same network as production data because if they’re stolen along with the data, the encryption is useless.

Hackers are Beating EDR

• What’s happening?  Attackers are getting really good at disabling, bypassing, or tricking endpoint detection and response (EDR) solutions.
• Why it matters:  If your security plan starts and stops with EDR, you’re playing a dangerous game.
• The numbers:  EDR-killer tools surged in use in 2024. Multiple ransomware groups deployed EDRKillShifter, Terminator, and AuKill to disable or bypass endpoint detection solutions before launching attacks.
• Cybersecurity tips: Implement Zero Trust principles to segment critical data and reduce attack surfaces. Don’t over depend on EDR. Complement it with other security tools like SIEM, which leverages behavior-based detection to identify threats before they cause harm.

CAPTCHA can be used to fool users into installing malware

Drive-By Attacks are Making a Comeback

• What’s happening? Hackers are sneaking malware into websites, fake ads, and even bogus CAPTCHA pages to trick users into installing malware.
• Why it matters: Your clients don’t need to click a sketchy email attachment to get infected anymore—just visiting the wrong website is enough.
• The numbers: 22% of all cyberattacks now start with drive-by compromises.
• Cybersecurity tips: Train users to think twice before clicking “fix this error” or “install this update” messages. Also, use ad blockers and DNS filtering to keep them off malicious sites.

Hackers Love Targeting Firewalls and VPNs

• What’s happening?  Cybercriminals are going after edge devices like VPNs and firewalls because they’re often outdated or misconfigured.
• Why it matters: Once attackers break in, they have full access to client networks—and some MSPs don’t notice until it’s too late.
• The numbers: ConnectWise stated that 84,000 attacks targeted edge devices from Cisco, SonicWall, Palo Alto, Citrix, and Ivanti last year alone.
• Cybersecurity tips: Attackers frequently exploit unpatched VPNs and firewalls within 24 hours of a disclosed vulnerability. You’ll need to act fast. Automate patching, disable unused remote access ports, and enforce MFA on all administrative logins.

Cybersecurity Tips for MSPs

Read the research and collaborate on a plan

With cyberattacks getting more advanced, MSPs can’t afford to be reactive. Here’s how to get started:

• Read the research: The ConnectWise report is a fantastic place to start.
• Stack your security: Don’t trust one tool to handle everything. Layer your defenses with EDR, SIEM, MFA, and strong access controls.
• Patch everything, ASAP: 60% of exploited vulnerabilities in 2024 were brand new, meaning old systems get targeted fast. Patch your clients’ software and hardware religiously.
• Train your clients: Most attacks start with human mistakes. Make security training part of their routine, not just an afterthought.
• Watch for new threats: Cybercriminals are always adapting—stay ahead with threat intelligence feeds and regular security assessments.
• Limit access: Attackers love weak VPNs and exposed RDP. Make sure clients use zero-trust security, limit who can access what, and lock down external-facing services.
• Attend cybersecurity events: ChannelPro DEFEND is an event series for MSPs custom-built to strengthen cybersecurity skills and knowledge.
• Use free resources: Our Cybersecurity Resource Center and Cybersecurity Answer Center were made to help you.

The Bottom Line

• 78% of MSPs worry a cyberattack could put them out of business.
• 83% of MSPs are increasing their cybersecurity budgets this year.
• Attacks aren’t slowing down—hackers are just getting smarter.
• ConnectWise’s research is clear: if you’re not taking security seriously, it’s not just your clients that are in danger. You’re putting your entire MSP business on the line.

Images: iStock