MSPs beware – these two ransomware groups are ramping up attacks and have claimed hundreds of victims
The Akira and Lynx ransomware groups are focusing on small businesses and MSPs using stolen or purchased admin credentials


Managed service providers (MSPs) have been warned to remain vigilant amidst an uptick in attacks by the Akira and Lynx ransomware groups.
Analysis from Acronis shows both groups have upped their game in recent months with improvements to their Ransomware as a Service (RaaS) strategies.
The two groups share a RaaS model and double extortion tactics. Lynx, for example, is believed to incorporate elements of the leaked LockBit source code, while Akira shares similarities with Conti, suggesting a shared codebase heritage.
According to Acronis, both groups' attacks involve stolen credentials, VPN vulnerabilities, reconnaissance, privilege escalation, defense evasion, and data exfiltration and encryption.
They tend to target small and medium-sized businesses, disabling security software, deleting shadow copies, and clearing event logs to avoid detection and hinder recovery.
Now, researchers at the Acronis Threat Research Unit (TRU) have warned the duo appear to be focusing much of their attention on MSPs.
What you need to know about Akira and Lynx
Akira has attacked more than 220 victims, including MSPs Hitachi Vantara and Toppan Next Tech, as well as many other small businesses such as law firms, accounting firms, and construction companies.
Last year, the group was mostly targeting user VPNs by exploiting various vulnerabilities, including SonicWall Firewall CVE-2024-40766, which allowed attackers to disable firewalls and establish connections to infrastructure.
This year, Akira operators have been observed using stolen or purchased admin credentials to attempt to gain access to machines and servers.
If this works, they disable security software; when it doesn't, they launch remote exfiltration and then encryption using legitimate tools that are often whitelisted and not scanned or monitored.
After obtaining access, attackers performed additional information gathering, lateral movement and detonation of the encryptor.
Lynx, meanwhile, has hit around 145 victims, again mostly small businesses. First spotted in mid-2024, Lynx shares many similarities with INC ransomware.
Acronis said that Lynx, which operates as a RaaS group, constantly searches for new affiliates, posting on Russian underground forums.
"While not all victims are MSPs, these gangs don’t discriminate when it comes to targets. They’re ready to strike any organization that promises a decent payout," said Acronis.
"That said, MSPs stand out as prime targets for cyber criminals because they provide access to a network of other customers, amplifying the potential reward."
Lynx typically uses phishing emails to deliver its malware to victims, after which the attackers gather system and infrastructure information, attempt to obtain user credentials, and perform lateral movement to infect more computers in the network.
Recent attacks show that if security software is found, Lynx will try to uninstall it, exfiltrating files to its servers first and then detonating the encryptor.
Dray Agha, senior manager of security operations at Huntress, said enterprises of all sizes should be wary of both groups due to their high level of technical proficiency.
"Ransomware groups like Akira and Lynx are relentlessly refining their attacks, specifically targeting the resource-constrained SMB sector with increasingly efficient, recycled tactics like credential theft and various attacks against VPNs," Agha commented.
"The findings underscore the critical need for all businesses, especially SMBs and MSPs, to rigorously enforce fundamental defences," he added.
This includes bolstering multi-factor authentication (MFA), patching of VPNs and "other external-facing systems", as well as "robust, tested backups".
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.