Published May 2026.
If you want to understand why one ransomware operator can claim a dozen separate downstream victims from a single intrusion, look at the managed service provider tier of the IT industry. By early 2026 MSPs are routinely the highest-leverage entry point in the ransomware ecosystem, not because their security is uniquely bad, but because their architecture is uniquely valuable: one set of admin credentials reaches into dozens of small and mid-sized organisations whose own perimeter is often impossible to attack directly. Compromise the MSP and the downstream customers come along free.
This piece is a 2026 field guide to that pattern: why MSPs became the front line, which TTPs are running against them specifically, what the better-run shops in the channel have already changed, and what an SMB choosing an MSP should be asking about.
Why the MSP tier became the soft underbelly
- Customer concentration. A single MSP often manages between 50 and 500 customer environments. An attacker who compromises the MSP’s privileged-access workstation, RMM platform, or backup console has working credentials into every one of those customers simultaneously. The economics for the attacker shift from one victim per intrusion to dozens.
- Privileged tooling with internet exposure. The defining technologies of the MSP channel, RMM platforms (ConnectWise Automate, Kaseya VSA, NinjaOne, Datto RMM, N-Able), PSA platforms (Autotask, ConnectWise Manage), and bundled backup/restore software, are inherently exposed: they need internet reachability to manage geographically distributed customer endpoints. The 2021 Kaseya VSA incident proved that this exposure can be weaponised; the 2024 ConnectWise ScreenConnect vulnerabilities (CVE-2024-1709 and related) demonstrated that the pattern was structural.
- Shared credential surfaces. Many MSPs still use shared local-admin passwords across customer environments. The same password the technician used for a printer setup at customer A in 2022 still works on a workstation at customer B in 2026. The blast radius of one credential leak is the whole portfolio.
- SMB customers without independent controls. The downstream SMB doesn’t typically run its own EDR, doesn’t monitor its own AD, and outsources backup verification to the same MSP that just got compromised. The detection layer that would catch the attacker laterally moving inside that customer’s network simply doesn’t exist.
The TTPs operators run against MSPs specifically
Three attack chains dominate MSP-targeting in 2026, in rough order of prevalence:
- RMM-platform exploitation. Mass-exploitation campaigns following each new CVE in the major RMM platforms. The window between public disclosure of an authentication-bypass or RCE in an RMM product and the first exploited-in-the-wild campaign has shortened to under 48 hours for several 2024–2025 incidents. The attacker doesn’t target one MSP; they scan for unpatched RMM instances and exploit at scale.
- Stealer-log-driven credential theft. An MSP technician’s personal device gets infected by an infostealer (typically via a cracked-software lure, malvertising chain, or family-member-shared laptop). The stealer log surfaces on a Telegram channel days later with the technician’s RMM-portal cookies and admin credentials intact. An initial access broker filters the log, identifies the corporate-MSP context, and sells the access for $20,000–$80,000 to a ransomware affiliate. We covered the underlying mechanic in our piece on session-cookie theft.
- Phishing-of-the-helpdesk. Targeted social engineering against the MSP’s own service-desk staff, “Hi, this is the new IT contact at Acme Corp, can you reset our admin password and add a number for callback verification”, designed to compromise the customer-side rather than the MSP-side credentials. The 2023 MGM Resorts incident was the canonical demonstration; the technique remains highly effective against helpdesks that haven’t hardened their verification workflows.
What the better-run MSPs have changed
The MSP channel responded to the 2021–2024 wave of incidents with substantive operational changes. Walking the floor at the major MSP conferences in 2025 and 2026, the controls that distinguish the better-run shops are consistent:
- Phishing-resistant MFA on every privileged action, not just sign-in. Hardware-key (YubiKey, Titan) or device-bound passkey required for any admin-tier action in the RMM, PSA, or customer-VPN consoles. A stolen technician session cookie can’t escalate without a fresh key tap.
- Per-customer credential isolation. The end of shared local-admin passwords. Each customer environment has its own LAPS-rotated local admin set, vaulted in a separate slot of the password-management tool, with audit logs on retrieval. One credential compromise affects one customer.
- RMM tenant-isolation and per-customer signing keys. Where the RMM platform supports it, customer environments are isolated into separate tenants with their own signing keys, so a compromise of one tenant doesn’t cascade to every other tenant on the same MSP account.
- Privileged-access workstations. The single most operationally impactful control: dedicated, clean-build laptops used only for RMM and customer-admin work. No personal email, no general browsing, no Office, no Slack. Eliminates the cross-contamination path that infostealers rely on.
- Customer-side EDR with central visibility. The better MSPs now bundle EDR (Huntress, Blackpoint, SentinelOne MSP tier, ThreatLocker, Sophos MSP) into every customer environment by default rather than as an upsell, so the downstream lateral-movement step is detectable independently of MSP-side compromise.
- Helpdesk verification hardening. Out-of-band verification on every password reset, callback to a known-good number already on file (never one supplied by the caller), and no exceptions for “urgent” social-engineering pressure. Some shops have switched to video-call verification for any high-risk request.
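The per-customer credential isolation control above is easy to state and hard to prove, so here is an added audit script that is not from the article or from any RMM/PAM vendor: it takes a local-admin vault export and reports every secret that crosses a customer boundary (the portfolio-wide blast radius described earlier) and every secret shared by several hosts at one customer (which means LAPS-style per-host rotation is not actually in effect). The export format, field names and sample records are constructed assumptions; a real export would carry hashes or vault references rather than plaintext.

```python
"""Audit a local-admin credential export for reuse across MSP customer boundaries.

Added illustration, not the article's or any vendor's code. Row format
(customer, host, secret) and the sample data below are constructed assumptions.
"""
import hashlib
from collections import defaultdict

# Constructed sample export: one row per (customer, host) local-admin secret.
# Plaintext is used only to keep the example self-contained.
SAMPLE_EXPORT = [
    {"customer": "acme",    "host": "ACME-WS01", "secret": "Summer2022!"},
    {"customer": "globex",  "host": "GLX-FS01",  "secret": "Summer2022!"},
    {"customer": "initech", "host": "INI-DC01",  "secret": "Summer2022!"},
    {"customer": "globex",  "host": "GLX-WS07",  "secret": "Globex-Admin#1"},
    {"customer": "globex",  "host": "GLX-WS08",  "secret": "Globex-Admin#1"},
    {"customer": "initech", "host": "INI-WS03",  "secret": "p3r-h0st-Un1que!"},
]


def fingerprint(secret: str) -> str:
    """Short SHA-256 fingerprint so the audit report never contains the secret."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:16]


def group_by_secret(rows):
    """Map secret fingerprint -> list of (customer, host) pairs that use it."""
    groups = defaultdict(list)
    for row in rows:
        groups[fingerprint(row["secret"])].append((row["customer"], row["host"]))
    return groups


def audit(rows):
    """Return findings, worst first.

    cross-customer: one secret works at more than one customer, so a single
                    leak reaches several customers (the blast-radius problem).
    intra-customer: one secret shared by several hosts at a single customer,
                    i.e. per-host rotation (LAPS or a PAM tool) is not in place.
    """
    findings = []
    for fp, users in group_by_secret(rows).items():
        customers = sorted({c for c, _ in users})
        hosts = sorted(h for _, h in users)
        if len(customers) > 1:
            findings.append({"severity": "cross-customer", "fingerprint": fp,
                             "customers": customers, "hosts": hosts})
        elif len(hosts) > 1:
            findings.append({"severity": "intra-customer", "fingerprint": fp,
                             "customers": customers, "hosts": hosts})
    order = {"cross-customer": 0, "intra-customer": 1}
    findings.sort(key=lambda f: (order[f["severity"]], f["fingerprint"]))
    return findings


def blast_radius(rows):
    """For each customer, which other customers a leaked secret of theirs also opens."""
    radius = defaultdict(set)
    for f in audit(rows):
        if f["severity"] != "cross-customer":
            continue
        for c in f["customers"]:
            radius[c].update(x for x in f["customers"] if x != c)
    return {c: sorted(others) for c, others in sorted(radius.items())}


if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        print(f"[{f['severity']}] {f['fingerprint']} "
              f"customers={f['customers']} hosts={f['hosts']}")
    print("blast radius:", blast_radius(SAMPLE_EXPORT))
```

The target state after the control is deployed is an empty findings list: every host has its own secret, and `blast_radius` returns nothing. Running the audit on a schedule against the vault export, and alerting on any `cross-customer` finding, turns the "one credential compromise affects one customer" claim into something the MSP can show an auditor or an insurer.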
What an SMB choosing an MSP should ask
If you’re an SMB owner choosing between MSPs in 2026, six questions separate the operationally serious from the rest:
- Do your technicians use dedicated privileged-access workstations for admin work, or do they administer customer environments from their general daily laptops? The answer should be “PAWs.” If it’s anything else, you’re carrying their non-isolation risk.
- Is phishing-resistant MFA mandatory on every admin action in your RMM and your customer-VPN console? Hardware key or passkey, not SMS or push notification.
- How do you rotate and vault local admin credentials across customer environments? The right answer references LAPS or a dedicated PAM tool with per-customer scoping; the wrong answer is “shared spreadsheet” or “they don’t change much.”
- What’s your customer-side EDR posture? Bundled and centrally monitored is the right answer; “available as an upsell” suggests you’re an upsell candidate.
- How does your helpdesk verify identity on password-reset and admin-change calls? Out-of-band callback to a known number is the floor; anything weaker is a 2026 mistake.
- How do you back up customer environments, and where do the backups live? The backup storage must not share a credential surface with the production environment it’s backing up. See our backup picks for the architecture.
The regulatory dimension
Through 2025 several US state regulators began directly engaging with MSP security posture as part of breach inquiries, questioning whether the MSP’s negligence was a proximate cause of the downstream customer breach, and whether contractual indemnification structures held up under that lens. The UK’s National Cyber Security Centre published practitioner guidance for MSPs specifically. The EU’s NIS2 directive now reaches into the MSP tier in any member state.
The practical effect on the channel: cyber-insurance underwriting for MSPs tightened materially in 2024–2025, and renewal quotes in 2026 are asking specific questions about the controls listed above. An MSP that can answer “yes, we run PAWs, we have phishing-resistant MFA on admin actions, we don’t share local-admin passwords” is paying noticeably less premium than one that can’t.
Where this goes
The MSP-as-target pattern is unlikely to reverse. The economics are too good for attackers and the architectural concentration that makes MSPs valuable to customers (one technical team for many customers) is the same thing that makes them valuable to attackers. The trajectory is toward MSPs operating under increasingly enterprise-like security expectations even when serving SMB customers, and toward the SMBs that choose MSPs treating that choice as a security decision rather than a procurement one.
For defenders inside MSPs reading this in mid-2026, the actionable takeaway is to internalise that you are now the front line. Your security posture, more than your customer’s, determines whether your customer survives a ransomware attempt. That’s a heavy responsibility, but it’s also a defensible commercial position once your customers understand the model. The MSPs who price their security investment into their service correctly, and explain it well, are growing in 2026. The ones who under-invest are losing customers to better-run competitors.
Further reading
- CISA, NSA, FBI joint MSP advisory, the foundational US-government guidance for MSPs and their customers.
- UK NCSC guidance for MSPs, equivalent UK-side framework.
- Our own AD hardening tutorial, directly applicable to MSP-side privileged-access workstations.
- Our backup picks, the immutability story that has to hold up when the MSP’s own infrastructure is the target.
- MITRE ATT&CK T1199, Trusted Relationship, the formal technique reference for the entire MSP-attack class.
The channel that brought millions of small businesses cost-effective IT also became, by 2026, the channel through which a single ransomware affiliate can reach those same businesses at scale. That isn’t a failure of any individual MSP, it’s a structural reality of the model. The good news is that the controls that meaningfully change the picture are known, deployable, and increasingly priced into what cyber-insurers will underwrite. The bad news is that the gap between the MSPs that have deployed them and the ones that haven’t is the dividing line between which of their customers survive 2026.
![MSPs: ransomware’s #1 target of 2026 [Field Report] Central control hub with thin connection lines radiating to many small building silhouettes, dark editorial illustration](https://ransomnews.com/wp-content/uploads/2026/05/ai_6a018bd5b25ae6.53998671.png)