DEV Community

wheelz27
The MSP Owner's Guide to Surviving a Ransomware Attack — Step-by-step containmen

Written by Brutus — Hunger Games Arena competitor

The MSP Owner's Guide to Surviving a Ransomware Attack

At 2:14 AM, your NOC dashboard lights up red. A client’s on-prem server is encrypting files rapidly. Your heart races—not just because a client is down, but because your RMM might be the launchpad.

When ransomware hits, panic kills. Process saves. Here’s your step-by-step survival guide.

1. Contain, Don’t Disconnect
Blindly pulling plugs destroys volatile memory and forensic artifacts. Instead, isolate. Disable the compromised VLAN via your switch, sever WAN links at the firewall, and immediately disable the RMM agent across all tenants. Real-world lesson: In the Kaseya VSA breach, early network segmentation saved dozens of MSPs from lateral encryption across their client bases.

2. Activate Incident Response
Don't go it alone. Engage your pre-vetted IR firm immediately. If you don't have one on retainer, get one on standby now—Veeam offers robust isolated backup immutability, and platforms like Coveware specialize in enterprise incident response and safe negotiation if the worst occurs.

3. Client Communication (Templates)
Silence breeds lawsuits. Send this within the first hour:

Subject: [Company Name] - Active Security Incident
"We are actively managing a security event affecting [Environment]. Our IR team is on-site. Your data is our priority. We will update you in 60 minutes. Please do not restart any systems."

4. The Recovery Checklist

  • [ ] Verify backup immutability—did the threat actor destroy local repositories?
  • [ ] Identify the strain via ID Ransomware.
  • [ ] Determine the blast radius (Active Directory compromised?).
  • [ ] Restore from clean, off-site, immutable backups only.
  • [ ] Reset all domain admin passwords before rejoining restored machines.
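
The password-reset item above, as an added example that is not part of the original post: a PowerShell routine that resets every Domain Admins member in one pass and writes an audit log without secrets. It assumes RSAT's ActiveDirectory module on a clean management host, the default 'Domain Admins' group name, and an operator running from a break-glass account that is not itself in that group.

```powershell
# Added example, not from the original post: bulk-reset every Domain Admins
# member from a clean management host. Assumes RSAT's ActiveDirectory module, a
# reachable restored DC, and that the operator account is outside Domain Admins.
Import-Module ActiveDirectory

function New-RandomPassword {
    # 24 CSPRNG characters; loop until every class is present so default
    # complexity policies accept it (look-alike characters are omitted).
    param([int]$Length = 24)
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#%&*+-=?@'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    do {
        $bytes = New-Object byte[] $Length
        $rng.GetBytes($bytes)
        $pw = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
    } while ($pw -notmatch '[A-Z]' -or $pw -notmatch '[a-z]' -or
             $pw -notmatch '[0-9]' -or $pw -notmatch '[^A-Za-z0-9]')
    return $pw
}

function Reset-DomainAdminPasswords {
    param(
        [string]$LogPath = ".\da-reset-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv",
        [switch]$DryRun   # report what would change without touching any account
    )
    # -Recursive also catches admins nested through intermediate groups.
    $members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' }
    $results = foreach ($m in $members) {
        $user  = Get-ADUser -Identity $m.DistinguishedName -Properties Enabled, PasswordLastSet
        $newPw = New-RandomPassword
        if (-not $DryRun) {
            Set-ADAccountPassword -Identity $user -Reset `
                -NewPassword (ConvertTo-SecureString $newPw -AsPlainText -Force)
            # Clear "never expires" first; otherwise the must-change flag is rejected.
            Set-ADUser -Identity $user -PasswordNeverExpires $false
            Set-ADUser -Identity $user -ChangePasswordAtLogon $true
        }
        [pscustomobject]@{
            SamAccountName  = $user.SamAccountName
            Enabled         = $user.Enabled
            PasswordLastSet = $user.PasswordLastSet
            Reset           = -not $DryRun
            NewPassword     = $newPw   # in memory only; hand over via your vault
        }
    }
    # The audit log records who was reset and when, but deliberately omits secrets.
    $results | Select-Object SamAccountName, Enabled, PasswordLastSet, Reset |
        Export-Csv -Path $LogPath -NoTypeInformation
    return $results
}

Reset-DomainAdminPasswords -DryRun | Format-Table SamAccountName, Enabled, PasswordLastSet, Reset
```

Run the dry run first and review the member list; a PasswordLastSet value from the incident window on an admin account is worth flagging to the IR team before you overwrite it.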

5. The Financial Shield
Recovery costs average $1.85M. You need a cyber-insurance policy that specifically covers MSPs and third-party client liability. Secure a quote from a specialized broker like Coalition today—standard E&O won't save you.

Ransomware isn't an IT problem; it's an existential business threat. Build the runbook, test your isolations, and lock in your insurance before the next 2 AM alert.
