ConnectWise reports shifting cyber landscape in annual MSP Threat Report

Feb. 26, 2025
Millions of analyzed security events reveal critical insights and actionable strategies for MSPs.

ConnectWise today released its annual MSP Threat Report, providing critical insights into the evolving cyber threat landscape and offering actionable strategies for MSPs to protect themselves and their clients.

Compiled by the ConnectWise Cyber Research Unit (CRU), the report analyzes millions of endpoint detection and response (EDR) and security information and event management (SIEM) alerts, highlighting emerging trends, attack vectors, and practical defenses. The 2025 report reveals significant shifts in ransomware tactics, including a focus on data extortion and smaller MSP targets, the rise of sophisticated EDR evasion techniques, and the persistent threat of drive-by attacks. It also examines the increasing sophistication of attacker behavior, including the use of advanced persistent threat (APT) techniques and collaboration among cybercriminal groups. 

“Our data highlights a key evolution in the cyber threat landscape: attacks are becoming increasingly targeted and sophisticated,” said Patrick Beggs, Chief Information Security Officer at ConnectWise. “This report provides MSPs with the cyber threat insights required to refine their strategies. By understanding these evolving threats—from data extortion tactics to EDR bypass techniques—and embracing proactive measures like advanced threat intelligence and multi-layered security, MSPs can strengthen their defenses and better protect their clients in this new era of cybersecurity.”

Key findings from the 2025 MSP Threat Report include:

  • Shifting Ransomware Landscape: Ransomware groups are increasingly targeting smaller organizations, hoping to take advantage of their often less robust cybersecurity defenses. The rise of data extortion as a standalone tactic further complicates data protection strategies, as sensitive information becomes a direct target, even without encryption.
  • Sophisticated EDR Evasion: Attackers are developing advanced techniques to disable or circumvent EDR solutions, creating a significant obstacle to effective threat detection and response. This necessitates a move beyond relying solely on EDR and adopting a more layered and proactive approach to security.
  • Resurgence of Drive-by Attacks: Drive-by attacks, including the emergence of new variations like "ClickFix," are making a comeback. These attacks, which exploit vulnerabilities in commonly used software, pose a significant challenge to endpoint security and require robust defenses and user education.
  • Targeting of Edge Devices: Edge devices, such as firewalls and VPNs, are increasingly targeted by attackers seeking initial network access. Securing these often-overlooked entry points is crucial for protecting the network perimeter.

The report provides practical recommendations for MSPs, including implementing a layered security approach, prioritizing vulnerability and patch management, and investing in cybersecurity awareness training. It stresses the importance of continuous monitoring and the need for a comprehensive cybersecurity stack, including EDR or MDR, and potentially SIEM.

The 2025 MSP Threat Report is available for download.