Are MSPs equipped to offer ransomware recovery?


With the undeniable growth of ransomware (80% in 2016, according to McAfee), managed service providers (MSPs) have recognised that there is a clear need for ransomware recovery. Of course, there are varying perspectives on how this need affects the channel. Some speak of ransomware as a new opportunity for MSPs to remain relevant to their customers and increase revenue, while others view it as an additional cost. Both views, in fact, have some validity to them. There is no denying that MSP customers need ransomware recovery services, but whether or not offering them is profitable for an MSP depends on one thing: is the MSP equipped to help its customers recover from ransomware?

The challenges of offering ransomware recovery


Ransomware variants are proliferating at lightning speed, and they are becoming more sophisticated. LockerPin can reset the PIN on Android devices, while Locky has been targeting Skype users with fake Adobe Flash in-app adverts. Entire hard drives have been rendered inaccessible by Petya, and Virlock is exploiting the sync-and-share functionality of cloud-based applications to spread from system to system. Maktub Locker can even determine the victim's exact location and includes the target's home address on a counterfeit overdue payment notice attached to a phishing email.

Prevention is better than a cure, so an effective ransomware recovery strategy must begin before an attack ever occurs. The foundation of an effective ransomware response is secure off-site data vaulting, whether in the cloud or a secure data centre facility. Without having the necessary infrastructure to offer secure backups at frequent intervals, ransomware recovery becomes nearly impossible.

Of course, backing up data alone is not a foolproof strategy. If malware infiltrates the network undetected and infects the backups, restoring them will do no good. To prevent and detect attacks as soon as possible, the customer's perimeter should be protected at as many entry points as possible. These entry points include servers, computers and any personal devices being used for business purposes.

MSPs must be able to provide robust firewalls and sophisticated unified threat management (UTM) devices, combined with file-level anti-virus; intrusion detection and prevention; deep packet inspection; port scanning and protocol inspection; and perimeter anti-virus and malware blocking.

Response time

Ransomware recovery is a countdown that leaves little margin for error. While some strains of ransomware have a weeklong deadline for paying the ransom, others are more aggressive. Jigsaw, for example, gives the victim 24 hours to pay and begins deleting files every hour thereafter. After 72 hours have passed, the malware eradicates any remaining files.

Unfortunately, even businesses that are able to successfully recover from a ransomware attack do not emerge unscathed. In a survey by Imperva, carried out at the RSA 2017 security conference, 59% of those questioned said downtime was the largest business impact of a ransomware attack. According to 29% of respondents, downtime would cost $5,000-$20,000 (approximately £3,900-£15,600) per day, while another 27% estimated it would cost more than $20,000 per day. Considering that recovering from a ransomware attack can take as long as a week, businesses affected by this kind of incident face the potential for a £109,000 price tag in downtime alone. For small businesses, this figure is untenable.

MSPs must be able to fulfil strict service level agreements (SLAs). For instance, when one of our customers at IT Specialists (ITS) was impacted by ransomware, we received an alert for one of the client's servers at 6 a.m. one weekday. Fortunately, we were able to recover the server from backups in less than two hours. However, if we hadn't had alerts configured properly or if the backups were not in place, the ransomware would have erased the data within 72 hours.


In response to 2016 research by Kaspersky Lab, nearly half of businesses worldwide admitted that they had experienced a shortage in cybersecurity talent. It's no surprise that IT security professionals are hard to come by, as they require a unique set of abilities. In addition to having advanced technical knowledge, they must be able to educate employees on IT security best practices, discern the business's risk profile and advise top-level management on how to improve the organisation's security posture. A combination of rapidly evolving cyber threats and the booming UK tech industry is further contributing to this skills gap.

MSPs will face the challenge of the cybersecurity skills shortage as well, so before offering ransomware recovery, they must ensure they have secured the necessary security talent to support the service. Without the necessary expertise, ransomware recoveries could cost the MSP – especially if the client ends up having to pay the ransom or rebuild deleted files.

Overcoming barriers to offering ransomware recovery

Despite the challenges of adding ransomware recovery to their service portfolios, MSPs cannot afford to ignore it. While not all SMBs have realised the value of cybersecurity, many are waking up to the fact that they need a response protocol for cyber threats ‒ or else they will risk their data and profits. The MSP that can offer this service along with the other IT support services the business needs is the one that will win the client long term. If an MSP isn't currently equipped to offer these services, does that mean it must offer a service knowing full well it can't support that service adequately? Alternatively, should the MSP surrender current and potential clients to competitors that can offer ransomware recovery? The answer to both questions is a resounding no.

MSPs that are not currently in a position to offer ransomware recovery have two courses of action:

Invest in resources and develop processes to provide a complete solution

Providing a truly effective ransomware recovery service begins with investing in the requisite data and network security tools ‒ but that's only the first step. Staff shortages can lead to network security tools quickly becoming outdated, as they often do not receive the attention they need. To mitigate this problem for customers, MSPs must be prepared to assist with the implementation process, perform periodic maintenance, offer ongoing support and, of course, restore systems following any ransomware attacks. This investment can be extended to provide a security offering that goes beyond just ransomware recovery.

While there is CAPEX involved in building this solution, in some cases it will yield positive ROI. A cost-benefit analysis that considers the percentage of the client's current and future customers that would use this service can help determine whether this route is ideal. Of course, it's important to consider the fact that when an organisation's critical data and profits are at stake, business leaders will likely prioritise a vendor with security offerings and experience in ransomware recovery. It's worth noting that developing a complete solution could be impacted by the aforementioned lack of security talent. If the risks outweigh the benefits of building out a solution, there is a second option.

Partner with a larger MSP

Partnering with a larger MSP allows a smaller MSP to leverage the resources and expertise a channel programme offers. By giving customers the ransomware recovery services they require, the MSP can prevent customers from defecting to competitors and focus its resources on its core competencies. A forward-looking channel partner programme can also help MSPs keep pace with technology growth and even expand their ability to reach additional customers.

When deciding on a channel partner programme, it's important to consider the length of time the company has been in business, the strength of its resources and the level of support it will provide to its channel partners and their customers. As stated previously, simply offering security tools is insufficient, so MSPs should ask prospective channel partners about their engineer qualifications and available cybersecurity talent.

As cyber threats continue to evolve and more small businesses realise the potential consequences of a ransomware attack, MSPs will need to be prepared to provide the protection their customers require. Whether or not offering this type of support will be a burden or opportunity depends on the MSP's IT resources, staff skills and ability to respond quickly to threats. If the MSP is lacking in any of these areas, the time to remedy them is now.

Paul Barber is an infrastructure manager at IT services provider, IT Specialists (ITS).