Welcome to ‘Ransomware 2.0’


Ransomware attacks have evolved from simple encryption schemes into sophisticated extortion operations that render traditional defenses obsolete. In recent years, data exfiltration has occurred in 87 percent of ransomware incidents, according to the 2024 Verizon Data Breach Investigations Report, while IBM’s Cost of a Data Breach Report found that the average breach now costs $4.88 million—a figure no backup can reverse. The shift is stark: attackers increasingly bypass encryption altogether, using stolen data as their primary weapon.

Backup is no longer sufficient

For years, ransomware was only as effective as a victim’s lack of backups. If a company maintained reliable backups, attackers had little leverage. But that safety net is now outdated.

“For a decade, the MSP playbook for ransomware was simple: have good backups. That playbook is now obsolete,” says Kaveh Ranjbar, Co-Founder & CEO of Whisper Security, an intelligence engine for internet infrastructure. He previously served as CIO/CTO of the RIPE NCC and as a Board Member of ICANN, bringing 25 years of experience in securing the foundational systems of the global internet.

“Backups can restore a server, but they cannot restore a reputation,” Ranjbar warns. Once attackers leak stolen data instead of encrypting it, the damage is permanent. “You can’t un‑leak a database,” he says.

But he also notes that exfiltration leaves “digital exhaust” and that data theft is not invisible. To move terabytes of data out of a network, attackers need infrastructure—Command & Control (C2) servers, drop sites, and domains.

“The mistake MSPs make is looking only at the endpoint. They need to look at the external infrastructure. Attackers often set up their exfiltration infrastructure days or weeks in advance,” Ranjbar says, adding that by monitoring for connections to ‘freshly minted’ domains or IPs hosted in ‘toxic’ neighborhoods (ASNs known for bulletproof hosting), MSPs can detect the staging of exfiltration before the bulk data transfer begins.

The new MSP ransomware protection playbook

Ranjbar says the new MSP conversation needs to evolve from recovery to preemption.

“MSPs need to stop selling ‘disaster recovery’ as the ultimate safety net because in an extortion scenario, recovery is irrelevant,” Ranjbar says. Instead, he argues, the conversation should shift to ‘infrastructure observability.’

“MSPs should be monitoring the external reputation of the assets their clients’ networks are talking to. If a client’s server suddenly performs a DNS lookup for a domain registered 5 minutes ago on a suspicious network, that is the tripwire. Catching the ‘handshake’ prevents the theft.”
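One way to implement the tripwire Ranjbar describes in the two passages above (a DNS lookup for a freshly registered domain, or an answer that lands inside an ASN with a bulletproof-hosting reputation), as added example code that is not part of the original article or of any product mentioned in it; the registration dates, prefix-to-ASN map, ASN numbers and resolver log lines are all constructed placeholders.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed stand-ins for what an MSP would pull from WHOIS/RDAP
# (registration time) and from a BGP feed (prefix -> ASN). Hypothetical values.
DOMAIN_REGISTERED = {
    "files.examplecorp.com": datetime(2015, 3, 1, tzinfo=timezone.utc),
    "cdn-upd4te.xyz": datetime(2024, 6, 10, 11, 55, tzinfo=timezone.utc),
    "sync.partner-portal.net": datetime(2019, 8, 20, tzinfo=timezone.utc),
}
PREFIX_TO_ASN = {
    ipaddress.ip_network("203.0.113.0/24"): 64500,  # placeholder 'toxic' ASN
    ipaddress.ip_network("198.51.100.0/24"): 64501,  # placeholder ordinary hoster
}
TOXIC_ASNS = {64500}                # ASNs with a bulletproof-hosting reputation
MAX_DOMAIN_AGE = timedelta(days=7)  # 'freshly minted' threshold

def asn_for(ip):
    """Map an answer IP to its ASN via the (non-overlapping) prefix table."""
    addr = ipaddress.ip_address(ip)
    for net, asn in PREFIX_TO_ASN.items():
        if addr in net:
            return asn
    return None

def assess_lookup(ts, qname, answer_ip):
    """Reasons this DNS lookup trips the wire; an empty list means benign."""
    reasons = []
    registered = DOMAIN_REGISTERED.get(qname)
    if registered is None:
        reasons.append("no-registration-record")
    elif ts - registered < MAX_DOMAIN_AGE:
        reasons.append("newly-registered")
    asn = asn_for(answer_ip)
    if asn in TOXIC_ASNS:
        reasons.append(f"toxic-asn:AS{asn}")
    return reasons

def scan(lines):
    """Constructed log format: '<ISO time> <client> <qname> <answer ip>'."""
    alerts = []
    for line in lines:
        ts_s, client, qname, answer = line.split()
        reasons = assess_lookup(datetime.fromisoformat(ts_s), qname, answer)
        if reasons:
            alerts.append((client, qname, reasons))
    return alerts

SAMPLE_LOG = [  # constructed resolver log lines
    "2024-06-10T12:00:00+00:00 10.0.0.5 files.examplecorp.com 198.51.100.7",
    "2024-06-10T12:00:00+00:00 10.0.0.5 cdn-upd4te.xyz 203.0.113.9",
    "2024-06-10T12:01:30+00:00 10.0.0.8 sync.partner-portal.net 203.0.113.40",
]
```

The second sample line is the "domain registered 5 minutes ago on a suspicious network" case and trips both checks; the third shows that an old, legitimate-looking domain still alerts when its answer sits in a flagged ASN.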

Martin Summerhayes, Head of Managed & Support Services at Northdoor, a UK-based MSP, agrees that the conversation has changed.

“At Northdoor, where we work extensively with the insurance market and banking sectors, we are seeing that the ‘availability’ of data is no longer the primary leverage point for attackers—it is the confidentiality and reputational value of that data,” says Summerhayes.

Summerhayes says that for years, the industry mantra was ‘backup, backup, backup.’ And while backup is still important, it’s not the whole story.

“While robust backups are essential for business continuity and disaster recovery, they are a passive defense. In a modern data-theft attack, the criminal doesn’t need to lock your systems; they simply need to exfiltrate a copy of your sensitive information,” Summerhayes notes.

Summerhayes points out that restoring from a backup does nothing to address the risk of stolen data being leaked on the dark web or used to blackmail your clients.

“In contexts where data integrity and trust are key foundations, a backup is merely a recovery item, not a security shield,” Summerhayes says.

Protecting against ransomware 2.0

Cam Roberson, vice president of Beachhead Solutions, describes the ransomware 2.0 shift bluntly: “Threat actors skip encryption entirely and go straight to data theft, threatening to auction sensitive information on dark‑web marketplaces or even to spitefully embarrass the victim for the audacity of not paying.” Against this evolved threat, Roberson notes, backups are effectively worthless.

Roberson warns that MSPs must change the conversation they’re having with clients. Modern ransomware protection isn’t just about recovering systems — it’s about making stolen data useless to attackers in the first place.

“That requires layered encryption at both the network and device level,” Roberson explains. When data is encrypted across multiple layers, even a successful exfiltration leaves attackers with inaccessible, valueless information, rendering the attack profitless.

“Backups protect availability, but layered encryption protects confidentiality. And MSPs need to deliver both,” he says.

As ransomware shifts from encryption to data theft, MSPs have a unique opportunity to elevate their protection offerings. The changing goals of attackers—moving from locking systems to weaponizing stolen data—create a clear mandate for MSPs to go beyond traditional backup and recovery. By embracing tools and strategies that prevent exfiltration, protect confidentiality, and neutralize stolen data, MSPs can differentiate their services and deliver a more modern, resilient ransomware protection model that truly meets today’s threats head‑on.


Photo: New Africa / Shutterstock

This post originally appeared on Smarter MSP.