Security

What Recent Ransomware Campaigns Teach MSPs About Supply Chain Security

Recent ransomware campaigns have shown that attackers increasingly target trusted software and service providers to reach multiple organizations. Learn the biggest supply chain security lessons for MSPs and how stronger vendor governance, patch management, and RMM practices can help reduce risk.

Level

Monday, July 6, 2026

What Recent Ransomware Campaigns Teach MSPs About Supply Chain Security

Ransomware groups are increasingly looking beyond individual organizations and targeting the trusted technologies and service providers that connect multiple businesses. For managed service providers (MSPs), this shift means supply chain security is no longer just a concern for software vendors. It is a core part of protecting customer environments.

MSPs often rely on remote monitoring and management (RMM) platforms like Level to manage endpoints, deploy updates, automate maintenance, and provide remote support. As recent ransomware campaigns have shown, the security of those tools, along with the vendors behind them, can have a significant impact on every customer an MSP supports.

The biggest lessons from recent ransomware campaigns are:

  • Secure and monitor remote management tools.
  • Prioritize vulnerabilities that attackers are actively exploiting.
  • Continuously evaluate software vendors and third-party providers.
  • Prepare for recovery before an incident occurs.

Supply Chain Security for MSPs

Supply chain security is the practice of managing cybersecurity risks introduced by software vendors, cloud providers, service providers, hardware manufacturers, and other trusted third parties.

For MSPs, the supply chain extends beyond software purchases. It includes every vendor and platform that has administrative access to customer environments or stores sensitive operational data.

The NIST SP 800-161 Rev. 1 Update 1: Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations explains that organizations should incorporate suppliers and service providers into their overall cybersecurity risk management strategy rather than treating them as separate concerns. The NIST SP 1305: Cybersecurity Framework 2.0 Quick-Start Guide for Cybersecurity Supply Chain Risk Management further recommends identifying critical suppliers, understanding dependencies, and continuously assessing supplier risk over time.

This broader view is becoming increasingly important as attackers seek opportunities to compromise trusted technologies that can provide access to multiple organizations.

What Recent Ransomware Campaigns Reveal

Recent ransomware campaigns show that attackers increasingly supplement traditional intrusions by targeting trusted software and service providers that can provide access to many organizations.

One example is the joint CISA, FBI, and MS-ISAC advisory on ransomware actors exploiting unpatched SimpleHelp RMM. According to the advisory, attackers exploited unpatched SimpleHelp servers to gain unauthorized access, steal data, and deploy ransomware. For MSPs and organizations using the software, vulnerable servers created a potential pathway into downstream customer environments.

Another example is the CISA advisory covering the CL0P ransomware group's exploitation of the MOVEit Transfer vulnerability. Rather than compromising organizations one at a time, attackers exploited a widely deployed file transfer application used across many industries. Organizations that depended on the vulnerable software became part of a large-scale supply chain incident.

These campaigns demonstrate that software trusted by many organizations can become an attractive target when vulnerabilities are not addressed quickly.

Three Lessons Every MSP Should Take Away

1. Trusted administrative tools require strong security

Remote management software enables MSPs to efficiently support customers, but it also provides privileged access that attackers seek.

CISA's guidance on protecting against the malicious use of remote monitoring and management software explains that threat actors increasingly abuse legitimate RMM tools after gaining access to an environment because those tools blend into normal administrative activity.

That does not mean RMM platforms are inherently risky. Instead, MSPs should secure them with multifactor authentication, least privilege, comprehensive logging, strong credential management, and continuous monitoring of administrative activity.

2. Known vulnerabilities deserve immediate attention

Many successful ransomware campaigns begin with vulnerabilities that are already publicly known.

The CISA Known Exploited Vulnerabilities Catalog helps organizations prioritize vulnerabilities that have confirmed real-world exploitation. Instead of treating every missing update equally, MSPs can focus remediation efforts on vulnerabilities that attackers are actively using.

The SimpleHelp campaign reinforces this lesson. Unpatched internet-facing systems presented an opportunity for ransomware operators to gain unauthorized access.

An effective patch management process should include:

  • Maintaining accurate asset inventories
  • Monitoring vendor security advisories
  • Prioritizing actively exploited vulnerabilities
  • Testing updates before broad deployment
  • Verifying successful patch installation

3. Preparation matters as much as prevention

No organization can eliminate every cybersecurity risk. The ability to recover quickly often determines the overall business impact of a ransomware incident.

The CISA StopRansomware Guide recommends maintaining offline backups, implementing multifactor authentication, segmenting networks, developing incident response plans, and regularly testing recovery procedures.

The Canadian Centre for Cyber Security's Ransomware Playbook expands on those recommendations by outlining preparation, response, recovery, and communication planning before an incident occurs.

Meanwhile, the Canadian Centre for Cyber Security's Ransomware Threat Outlook 2025 to 2027 notes that ransomware operators continue adapting their tactics to maximize operational disruption and financial impact, making long-term resilience an essential part of any security strategy.

Vendor Risk Management Should Be Continuous

Software vendors represent only one part of an MSP's supply chain.

The National Cyber Security Centre's Supply Chain Guidance recommends understanding supplier relationships, evaluating security expectations, and maintaining oversight throughout the partnership. Its guidance on Mapping Your Supply Chain encourages organizations to identify critical suppliers and understand how disruptions could affect operations.

For MSPs, vendor reviews should include providers such as:

  • RMM platforms
  • Remote access software
  • Backup and disaster recovery solutions
  • Identity providers
  • Cloud service providers
  • Documentation platforms
  • Automation tools
  • Security software vendors

The Australian Signals Directorate's guidance on Managing Cyber Supply Chains recommends continuously monitoring supplier risk rather than limiting reviews to procurement. Its guidance on Procurement and Outsourcing also emphasizes establishing cybersecurity expectations before vendors receive access to systems or sensitive information.

Similarly, ENISA's Good Practices for Supply Chain Cybersecurity recommends integrating governance, supplier oversight, monitoring, and incident management throughout the vendor lifecycle.

Where an RMM Platform Fits Into Supply Chain Security

Technology alone cannot prevent supply chain attacks, but it can improve visibility and help MSPs respond more efficiently.

When security agencies identify actively exploited vulnerabilities, MSPs need to know which customer devices may be affected and whether critical updates have been successfully deployed. An RMM platform provides centralized visibility into managed endpoints, helping technicians monitor patch status, automate routine maintenance, and verify that systems remain operational.

For example, when new vulnerabilities are added to CISA's Known Exploited Vulnerabilities Catalog, MSPs can use their management platform to prioritize affected devices and confirm remediation efforts across customer environments.

Level supports these operational workflows by helping MSPs monitor managed endpoints, automate patch deployment, streamline routine administration, and maintain visibility across distributed IT environments. While no RMM platform can eliminate supply chain risk by itself, centralized endpoint management can support broader security practices that reduce operational risk.

Building a More Resilient MSP

Recent ransomware campaigns reinforce an important reality: attackers increasingly look for opportunities to exploit trusted relationships instead of targeting every organization individually.

Reducing that risk requires more than choosing reputable vendors. MSPs should continuously evaluate suppliers, prioritize vulnerabilities that attackers are actively exploiting, secure administrative tools, and regularly test incident response and recovery plans.

Technology plays an important supporting role in that strategy. Platforms like Level help MSPs maintain visibility across customer environments, automate operational tasks, and simplify endpoint management, allowing technicians to respond more efficiently as new risks emerge. Combined with strong governance and proven cybersecurity practices, these capabilities can help MSPs build a more resilient supply chain.

Frequently Asked Questions

Why do ransomware groups target MSPs?

MSPs often manage multiple customer environments using centralized administrative platforms. Compromising an MSP or one of its trusted tools can provide attackers with opportunities to access numerous organizations.

Is an RMM platform a security tool?

An RMM platform is primarily a management and automation solution. While it improves visibility, patch management, and operational efficiency, it should complement, not replace, dedicated security technologies and cybersecurity best practices.

What is supply chain security?

Supply chain security focuses on managing cybersecurity risks introduced by software vendors, service providers, cloud platforms, hardware suppliers, and other trusted third parties that support an organization's operations.

How often should MSPs review vendors?

Vendor risk management should be an ongoing process. Government guidance recommends continuously monitoring supplier relationships, reviewing security practices, and reassessing risk as technologies, threats, and business relationships evolve.

Level: Simplify IT Management

At Level, we understand the modern challenges faced by IT professionals. That's why we've crafted a robust, browser-based Remote Monitoring and Management (RMM) platform that's as flexible as it is secure. Whether your team operates on Windows, Mac, or Linux, Level equips you with the tools to manage, monitor, and control your company's devices seamlessly from anywhere.

Ready to revolutionize how your IT team works? Experience the power of managing a thousand devices as effortlessly as one. Start with Level today—sign up for a free trial or book a demo to see Level in action.