TAMPA, Fla., March 05, 2026 (GLOBE NEWSWIRE) -- ConnectWise today announced the release of its 2026 MSP Threat Report, delivering global threat intelligence and actionable guidance for Managed Service Providers (MSPs) navigating one of the most complex cybersecurity landscapes to date. The report details the most significant threats observed throughout 2025 and reflects ConnectWise’s continued evolution in helping customers secure and strengthen their businesses as identity, access and trust relationships become the primary battleground in modern cyberattacks.

Drawing from real-world incident response investigations, ConnectWise customer telemetry, ransomware leak site monitoring and malicious infrastructure tracking, the 2026 report reveals a decisive shift in attacker strategy: adversaries are no longer relying primarily on novel exploits. Instead, they are exploiting trusted identities, legitimate system tools, remote access infrastructure, and software supply chains to gain faster, more scalable access to MSP-managed environments worldwide.

“The defining theme of 2025 was the abuse of trust,” said Patrick Beggs, Chief Information Security Officer at ConnectWise. “Attackers are exploiting valid credentials, misconfigured VPNs, trusted updates, and even user behavior to gain access to systems and data. For MSPs, this means identity security, privileged access governance, and early behavioral detection must be foundational. At ConnectWise, we’re continuously evolving our platform to help customers ensure trust and transparency across the environments they manage.”

Global threat landscape demands platform-level defense

The 2026 MSP Threat Report highlights trends observed across North America, Europe, and Asia-Pacific (APAC), reinforcing that while regional nuances exist, the underlying risks are consistent worldwide.

Ransomware prioritized speed and access reliability – Rather than innovating encryption techniques, ransomware operators refined how they gained access. Groups such as Akira demonstrated rapid “scan, steal, encrypt” lifecycles, often targeting backup infrastructure early to prevent recovery. Attackers also bypassed OTP-based multi-factor authentication (MFA) by exploiting inherited VPN configuration artifacts or retained appliance secrets.





Key regional ransomware trends include:

In North America, ransomware operators prioritized speed and early backup disruption in midsized business environments.

European manufacturing and supply chain ecosystems saw increased targeting through credential and remote access abuse.

Growing SMB markets in APAC experienced expanding exposure of perimeter infrastructure and credential-stuffing campaigns.

VPN infrastructure became a consistent entry point – Publicly exposed SSL VPN interfaces were repeatedly targeted through credential stuffing, inherited secrets and critical vulnerabilities affecting major vendors. In multiple cases, organizations experienced full domain compromise within hours of successful VPN authentication.

Software supply chain compromise expanded downstream risk – Supply chain attacks intensified in both scale and automation. Campaigns such as “Shai-Hulud” compromised npm maintainer accounts and propagated trojanized updates across thousands of downstream environments. Other ecosystems, such as PyPI, NuGet, RubyGems, and Rust, faced phishing and malicious package injection campaigns that turned routine dependency updates into execution paths.

ClickFix and user-mediated execution matured – ClickFix-style social engineering attacks, in which users are manipulated into copying and pasting malicious commands into legitimate utilities, emerged as a repeatable and adaptable intrusion method. The tactic bypasses traditional defenses by shifting execution responsibility to the user.

AI increased attacker scale and realism – Although AI’s direct artifacts are often invisible in forensic telemetry, its impact was evident through increases in deepfake-enabled fraud, LLM-generated phishing campaigns, AI-assisted malware development, and automation that lowered barriers to entry for threat actors globally. Rather than creating new attack categories, AI made established tactics faster, more scalable and more convincing.





ConnectWise: Evolving with the threat landscape

The 2026 MSP Threat Report underscores a critical reality: reactive security models are no longer sufficient. Defenders must move earlier in the attack lifecycle, focusing on identity, privilege, execution context, and resilience.

ConnectWise is addressing this shift by continuing to strengthen and integrate cybersecurity and data protection capabilities across the ConnectWise Platform, including:

Privileged Access Management (PAM) to enforce least-privilege and reduce blast radius from credential compromise.

Managed Endpoint Detection and Response (Managed EDR) to provide continuous, behavior-based monitoring and rapid containment.

Security Information and Event Management (SIEM) to correlate identity, endpoint and network telemetry across multi-tenant environments.

Business Continuity and Disaster Recovery (BCDR) with immutable backup capabilities designed to resist tampering—even in ransomware scenarios.

The 2026 MSP Threat Report is made possible by the ConnectWise Cyber Research Unit™ (CRU), an elite team of threat hunters and cybersecurity professionals who gather intelligence 24/7 from real-world incidents, customer environments, ransomware leak sites and malicious infrastructure monitoring. The full report is available for download at this link.



