Why MSPs are the new favorite target of cybercriminals  

COMMENTARY: In the intricate web of modern business, managed service providers (MSPs) are the unsung heroes, diligently maintaining the digital infrastructure that keeps countless companies operational.

From managing IT networks to cloud services and cybersecurity, MSPs are the trusted backbone for businesses large and small. However, this critical role has made them an increasingly attractive and lucrative target for cybercriminals, particularly ransomware groups.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.]

Today, we are witnessing a concerning trend in which attacks on MSPs are no longer isolated incidents, but a deliberate strategy that exploits their position as a single point of failure to inflict widespread damage and maximize financial gain.

These attacks are financially motivated, and the scale sets them apart. By compromising an MSP, attackers gain access to not just one victim, but a vast network of their downstream customers. This supply chain exploitation lets ransomware groups cast a wider net, disrupting numerous businesses, impacting critical financial transactions, and extorting a larger collective ransom. It’s about hitting a main junction, a central nervous system, to achieve maximum leverage and impact.

Recent years, and particularly 2024 to 2025, have highlighted this escalating threat. We have seen a string of incidents demonstrating the devastating ripple effect of MSP breaches. In March 2025, a supply chain attack on third-party provider LES Automotive led to the compromise of more than 100 car dealership websites. The malicious code injected into their systems tricked users into executing malware, showcasing how a single vulnerability in a vendor can cascade into a widespread client impact.

Similarly, the Akira ransomware group’s attacks on Tietoevry in January 2024 and Südwestfalen IT in October 2023 caused significant disruptions for government agencies, universities, and municipalities in Sweden and Germany. Even a flaw in a critical security vendor like CrowdStrike in July 2024, though not a direct hack of an MSP, illustrated the immense financial toll – estimated at over $1 billion – when foundational IT services are disrupted.

One of the most recent and prominent examples of this trend is the ransomware attack on IT distributor Ingram Micro in early July 2025. The SafePay ransomware group, an aggressive new player on the scene, claimed responsibility for the incident.

Ingram Micro’s initial public communication, as seen on their information page, acknowledged a "cybersecurity incident" and "ransomware on certain of its internal systems," stating they took systems offline and launched an investigation with cybersecurity experts and law enforcement.

While they expressed apologies for the disruption to customers and partners, the immediate statements by Ingram Micro lacked specific clarity on the extent of the damage, which customers were affected, or the full financial implications. This initial lack of transparent ownership, while perhaps part of a carefully managed crisis response, can fuel uncertainty among affected parties. News reports later indicated that the attack significantly impacted Ingram Micro's order processing and fulfillment operations, causing widespread operational delays and highlighting the profound business interruption that can result from compromising such a central player in the IT supply chain.

The implications for customers of a compromised MSP are dire. They may face significant downtime, data breaches leading to exposure of sensitive information, reputational damage, and substantial financial losses because of lost revenue and recovery costs. For smaller businesses particularly, a cyberattack on their MSP can present an existential threat.

Six tips for responding to a hack

In the event of a cyberattack, the following clear actions become very important:

  • Containment: Immediately isolate affected systems and networks to prevent further spread of ransomware. This might involve taking systems offline or disconnecting devices from the network.
  • Contact the insurance company: Immediately notify the company’s cyber insurance provider. They will likely engage incident response specialists and legal counsel who are experienced in handling such breaches. Do not investigate alone, as legal and forensic expertise are vital.
  • Communication: While avoiding premature disclosures that could aid attackers, prepare to communicate transparently and responsibly with affected customers, partners, and regulators as advised by legal counsel. This rebuilds trust in the long run.
  • Forensic investigation: Let cybersecurity experts conduct a thorough forensic analysis to understand how the breach occurred, what data was accessed or exfiltrated, and to identify the root cause.
  • Remediation and recovery: Based on the investigation, work with experts to eradicate the malware, restore systems from clean backups, and implement stronger security measures to prevent future attacks. Prioritize critical systems for restoration.
  • Post mortem: Conduct a detailed post mortem analysis to learn from the incident, identify weaknesses, and continuously improve the company’s security posture and incident response capabilities.

The escalating trend of targeting MSPs underscores the significant supply chain risks inherent in modern business operations. When one link in the chain gets compromised, the integrity of the entire ecosystem is threatened. This necessitates a profound shift towards shared responsibility in cybersecurity.

MSPs bear the crucial responsibility of securing their own infrastructure, and also the vast networks of their clients, while businesses relying on MSPs must exercise due diligence in vetting their providers and understanding the inherent risks.

Proactive preparation, a well-defined and practiced response plan, and a collective commitment to robust security practices are the best defenses against becoming the next headline nobody wants to read.

Shira Shamban, vice president of cloud, CYE


Shira Shamban, vice president of cloud solutions at CYE, started her career in security as a military officer in Israel’s intelligence Unit 8200. Specializing in cloud security, Shira works to empower women and underrepresented groups in technology, volunteering as a lecturer and mentor for organizations such as SheCodes, Cyber Ladies, and Women in AppSec. She also spearheaded the local mentoring initiative Security Diva and holds the position of co-chair at OWASP Israel.
