Tech Insight : 45% Of MSPs Keep Cash To Pay Off Hackers

A new survey reveals 45 per cent of managed service providers (MSPs) are setting aside cash to pay ransomware demands, as fears over AI-fuelled cybercrime continue to mount.

MSPs Under Pressure as Ransomware Attacks Surge

The finding comes from the CyberSmart MSP Survey 2025, which examined the security posture of 900 MSPs across the UK, Europe, Australia, and New Zealand. According to the report, nearly half of those surveyed now maintain a dedicated pot of money in case they are hit by a ransomware attack, a tactic where cybercriminals encrypt a victim’s data and demand a payment for its return.

Counter To Guidance

This approach appears to run counter to guidance from insurers, governments, and law enforcement agencies, which consistently urge organisations not to pay. However, the growing scale and frequency of attacks, often powered by artificial intelligence, appear to be forcing MSPs to adopt a more pragmatic (if controversial) strategy.

“Organisations shouldn’t rely on ransomware payments; rather, they should partner with organisations that can help proactively secure them,” said Jamie Akhtar, CEO and co-founder of CyberSmart.

Be Prepared

The report’s findings highlight a deepening sense of vulnerability among MSPs, many of which provide outsourced IT and cybersecurity services to small and medium-sized enterprises (SMEs). With AI-generated phishing emails, malware, and deepfakes becoming increasingly sophisticated, the pressure to be prepared for the worst has never been higher.

More Breaches, More Budgets, More Confusion

CyberSmart’s research revealed that 69 per cent of MSPs had suffered two or more cyber breaches in the last 12 months, while 47 per cent reported being hit three times or more. These incidents are not just one-off events. For example, many are the result of supply chain vulnerabilities, such as the May 2025 breach where the Dragonforce ransomware group exploited a remote monitoring and management (RMM) tool to compromise multiple MSP clients.

Faced with mounting threats, MSPs are reacting in different ways. For example, 36 per cent now rely on cyber insurance as their primary defence, while 11 per cent (worryingly) have neither cyber insurance nor a ransomware fund in place, leaving them financially and operationally exposed if attacked.

Guidance Not Clear

It seems that part of the problem is that official guidance around ransomware payments remains fragmented and unclear. While governments generally discourage paying ransoms, enforcement is inconsistent outside the public sector. “What your business is advised to do will largely depend on where you’re based and who’s advising you,” CyberSmart noted in its commentary.

This has led to a patchwork of interpretations, with some MSPs feeling they have little choice but to maintain a reserve, despite the moral and strategic risks involved.

UK Government Moves to Ban Ransomware Payments for Critical Services

In July 2025, the UK government announced proposals to ban ransomware payments for public sector bodies and operators of critical national infrastructure (CNI). The measures, introduced by the Home Office following a public consultation, would apply to organisations such as hospitals, councils, schools, and water providers, sectors where operational downtime can endanger lives.

“Ransomware is a predatory crime that puts the public at risk, wrecks livelihoods and threatens the services we depend on,” said Security Minister Dan Jarvis. “We’re determined to smash the cyber criminal business model and protect the services we all rely on.”

Private Businesses Would Need To Notify Government Before Paying

Under the proposals, private businesses would not be banned outright from paying, but would be required to notify the government before doing so. This would enable authorities to offer advice, check for potential sanctions breaches (such as paying Russian-linked gangs), and gather intelligence to disrupt criminal networks.

Cybercrime’s Business Model Under Scrutiny

The rationale behind the payment ban is to undermine the business model of ransomware gangs, which rely on victims caving in quickly to avoid reputational damage, data leaks, or prolonged disruption. However, experts have warned that banning payments, especially only for certain sectors, may not have the desired effect.

“Ransomware is largely an opportunistic crime, and most cyber criminals are not discerning,” said Jamie MacColl, a senior research fellow at the Royal United Services Institute (RUSI). “They’re unlikely to develop a rigorous understanding of UK legislation or how we designate critical infrastructure.”

Others suggest the ban could increase the stakes for victims. “If the best solution is to just turn around and say to the hackers, ‘We’re not giving in to your demands anymore,’ don’t be surprised if they double down,” said Rob Jardin, chief digital officer at NymVPN.

The British Library, one of the most high-profile public victims of ransomware in recent years, chose not to pay after an attack in October 2023 devastated its systems. “We are committed to sharing our experiences to help protect other institutions and build collective resilience,” said Chief Executive Rebecca Lawrence.

AI Attacks Are Changing the Game

Perhaps the most striking shift in this year’s CyberSmart survey is the rise of artificial intelligence as the top concern for MSPs in 2025. AI overtook ransomware itself, with 44 per cent of respondents citing it as their biggest worry, compared to 40 per cent for traditional malware and ransomware threats.

This change reflects a growing trend in how attackers operate. For example, AI tools are now being used to write convincing phishing emails, build more evasive malware, and even create deepfake audio and video to impersonate executives or support social engineering attacks.

In 2024, 67 per cent of MSPs reported falling victim to AI-enabled attacks, a figure expected to rise in 2025 as generative and agent-based AI tools become more widely available to threat actors.

However, many MSPs feel ill-equipped to counter these evolving threats, with a lack of user-friendly, AI-specific defence tools still a key issue. “MSPs are being asked to do more, with fewer tools at their disposal,” the report concludes.

Customer Expectations Are Rising, But So Is Investment

The research also showed that 84 per cent of MSPs now manage their clients’ cybersecurity infrastructure, or both their cybersecurity and broader IT estate. This shift reflects growing client expectations for MSPs to provide end-to-end protection, and expectations of that kind often come with greater scrutiny.

According to the CyberSmart research, 77 per cent of MSPs said potential customers are now evaluating their cyber credentials more carefully, especially in the procurement stage.

To meet demand, it seems that MSPs are now investing heavily. For example, 81 per cent have increased spend on hiring security specialists, and 78 per cent have upped budgets for cyber defence tools, training, and client services. Compliance is also high on the agenda, with 60 per cent hiring regulatory specialists and 64 per cent enhancing capabilities to align with frameworks such as NIS2 in the EU and the UK’s upcoming Cyber Security and Resilience Bill.

According to NCSC Director of National Resilience Jonathon Ellison, such steps are critical: “Ransomware remains a serious and evolving threat, and organisations must not become complacent. All businesses should strengthen their defences using proven frameworks such as Cyber Essentials.”

MSPs Prepared Yet Vulnerable

Despite the high rate of breaches, MSPs remain surprisingly confident in their security posture. For example, CyberSmart found that 76 per cent rate their cyber confidence as above average or higher. That said, only 20 per cent described their confidence as complete, suggesting that many know there’s room for improvement.

For businesses relying on MSPs to manage their security, the message of this research appears to be that while many providers are stepping up their game, others are still reacting to threats in ways that may not align with long-term best practice.

Co-op CEO Shirine Khoury-Haq, who oversaw the retailer’s response to a Scattered Spider ransomware attack, captured the sentiment well, saying: “What matters most is learning, building resilience, and supporting each other to prevent future harm. This is a step in the right direction for building a safer digital future.”

What Does This Mean For Your Organisation?

For MSPs and their clients, the emergence of ransomware funds could be seen as a move from aspirational resilience to operational realism. Despite official advice against paying cybercriminals, many MSPs clearly believe they cannot afford to be unprepared. With 69 per cent already breached multiple times in a single year and AI accelerating the scale and complexity of attacks, the temptation to hold a contingency reserve is understandable. However, this pragmatic stance may also entrench the very business model that governments and law enforcement are working hard to dismantle.

The UK’s proposed ransomware payment ban for public bodies and CNI highlights just how far official thinking has moved towards systemic deterrence. However, the exclusion of private businesses from that ban, and the option for them to pay under notification, risks creating an uneven response that may ultimately frustrate enforcement and dilute its impact. As Jamie MacColl pointed out, most ransomware gangs operate opportunistically and will not necessarily distinguish between regulated and unregulated targets. This raises questions about whether partial bans can realistically alter attacker behaviour.

For UK businesses, especially SMEs dependent on MSPs for protection, the findings raise difficult questions. For example, while many providers are making serious investments in tools, people, and compliance, others are still relying on reactive strategies that may offer short-term cover but little long-term assurance. The increasing scrutiny on MSPs is likely to intensify, particularly as clients seek partners who are both cyber confident and operationally transparent. Businesses must now evaluate not only whether their MSP has a ransomware plan, but also whether that plan reflects best practice or a compromise born of confusion.

For regulators, the lack of clarity and consistency around ransomware responses remains a core problem. Guidance alone is proving insufficient. A broader and more unified framework, alongside mandatory reporting, may be needed to help ensure MSPs, their clients, and their insurers are working from the same playbook. For now, the reliance on private ransomware funds points to a cyber landscape still dominated by tactical survival rather than strategic coordination.