MSPs beware – these two ransomware groups are ramping up attacks and have claimed hundreds of victims
The Akira and Lynx ransomware groups are focusing on small businesses and MSPs using stolen or purchased admin credentials
Managed service providers (MSPs) have been warned to remain vigilant amidst an uptick in attacks by the Akira and Lynx ransomware groups.
Analysis from Acronis shows both groups have upped their game in recent months with improvements to their Ransomware as a Service (RaaS) strategies.
The two groups share a RaaS model and double extortion tactics. Lynx, for example, is believed to incorporate elements of the leaked LockBit source code, while Akira shares similarities with Conti, suggesting a shared codebase heritage.
Both groups compromise systems through the use of stolen credentials, VPN vulnerabilities, reconnaissance, privilege escalation, defense evasion, and data exfiltration and encryption, according to Acronis.
They tend to target small and medium-sized businesses, disabling security software, deleting shadow copies, and clearing event logs to avoid detection and hinder recovery.
Now, researchers at the Acronis Threat Research Unit (TRU) have warned the duo appear to be focusing much of their attention on MSPs.
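The three behaviours Acronis describes (disabling security software, deleting shadow copies, clearing event logs) are the usual precursors a defender can alert on. The detection logic below is an added example, not code from Acronis or ITPro; the process-creation event lines are constructed, and the field names and detection rules are assumptions for illustration.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed process-creation events (Sysmon Event ID 1 style, flattened to
# key=value pairs). Invented for this example; not real telemetry.
SAMPLE_EVENTS = [
    'EventID=1 User=CORP\\svc-backup Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin delete shadows /all /quiet"',
    'EventID=1 User=CORP\\jdoe Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe C:\\Users\\jdoe\\notes.txt"',
    'EventID=1 User=CORP\\svc-backup Image=C:\\Windows\\System32\\wevtutil.exe CommandLine="wevtutil cl Security"',
    'EventID=1 User=CORP\\svc-backup Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine="powershell -c Set-MpPreference -DisableRealtimeMonitoring $true"',
    'EventID=1 User=CORP\\jdoe Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine="wmic shadowcopy delete"',
]

# One rule per precursor behaviour named in the article, applied to CommandLine.
RULES: Dict[str, re.Pattern] = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "event_log_clearing": re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    "security_software_tampering": re.compile(
        r"Set-MpPreference\s+-Disable\w*Monitoring", re.I),
}

# key=value, where value is either a quoted string or a run of non-spaces.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Turn a flattened key=value event line into a dict, unquoting quoted values."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in FIELD_RE.finditer(line)}


def detect_precursors(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_index, technique, user) for every event matching a rule."""
    hits = []
    for idx, line in enumerate(lines):
        ev = parse_event(line)
        cmd = ev.get("CommandLine", "")
        for label, pattern in RULES.items():
            if pattern.search(cmd):
                hits.append((idx, label, ev.get("User", "?")))
    return hits


def users_to_escalate(hits: List[Tuple[int, str, str]], min_distinct: int = 2) -> List[str]:
    """Escalate accounts that trigger several distinct precursor techniques:
    one shadow-copy deletion may be a backup job, but combined with log clearing
    or tamper-protection changes it matches the pre-encryption pattern."""
    seen = defaultdict(set)
    for _, label, user in hits:
        seen[user].add(label)
    return sorted(u for u, labels in seen.items() if len(labels) >= min_distinct)
```

Running `users_to_escalate(detect_precursors(SAMPLE_EVENTS))` flags only the constructed `svc-backup` account, which triggers all three techniques, while the single WMIC hit from `jdoe` stays below the threshold.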
What you need to know about Akira and Lynx
Akira has attacked more than 220 victims, including MSPs Hitachi Vantara and Toppan Next Tech, as well as many other small businesses such as law firms, accounting firms, and construction companies.
Last year, the group mostly targeted users' VPNs by exploiting various vulnerabilities, including the SonicWall firewall flaw CVE-2024-40766, which allowed attackers to disable firewalls and establish connections to the victim's infrastructure.
This year, Akira operators have been observed using stolen or purchased admin credentials to attempt to gain access to machines and servers.
If this works, they disable security software; when it doesn't, they launch remote exfiltration and then encryption using legitimate tools that are often whitelisted and not scanned or monitored.
After obtaining access, the attackers perform additional information gathering and lateral movement before detonating the encryptor.
Lynx, meanwhile, has hit around 145 victims, again mostly small businesses. First spotted in mid-2024, Lynx shares many similarities with INC ransomware.
Working as a RaaS group, Lynx threat actors are constantly recruiting, Acronis said, posting on Russian underground forums in search of new affiliates.
"While not all victims are MSPs, these gangs don’t discriminate when it comes to targets. They’re ready to strike any organization that promises a decent payout," said Acronis.
"That said, MSPs stand out as prime targets for cyber criminals because they provide access to a network of other customers, amplifying the potential reward."
Lynx typically uses phishing emails to deliver its malware to victims, after which the attackers gather system and infrastructure information, attempt to obtain user credentials, and perform lateral movement to infect more computers in the network.
Recent attacks show that if security software is found, Lynx will try to uninstall it, then exfiltrate files to its own servers before detonating the encryptor.
Dray Agha, senior manager of security operations at Huntress, said enterprises of all sizes should be wary of both groups due to their high level of technical proficiency.
"Ransomware groups like Akira and Lynx are relentlessly refining their attacks, specifically targeting the resource-constrained SMB sector with increasingly efficient, recycled tactics like credential theft and various attacks against VPNs," Agha commented.
"The findings underscore the critical need for all businesses, especially SMBs and MSPs, to rigorously enforce fundamental defences," he added.
This includes bolstering multi-factor authentication (MFA), patching of VPNs and "other external-facing systems", as well as "robust, tested backups".
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.