MSPs beware – these two ransomware groups are ramping up attacks and have claimed hundreds of victims

The Akira and Lynx ransomware groups are focusing on small businesses and MSPs using stolen or purchased admin credentials

Ransomware concept image showing computer screen with binary code, with a skull imprinted over code.
(Image credit: Getty Images)

Managed service providers (MSPs) have been warned to remain vigilant amidst an uptick in attacks by the Akira and Lynx ransomware groups.

Analysis from Acronis shows both groups have upped their game in recent months with improvements to their ransomware-as-a-service (RaaS) strategies.

The two groups share a RaaS model and double extortion tactics. Lynx, for example, is believed to incorporate elements of the leaked LockBit source code, while Akira shares similarities with Conti, suggesting a shared codebase heritage.

Both groups gain initial access through stolen credentials and VPN vulnerabilities, then move through reconnaissance, privilege escalation, defense evasion, data exfiltration and, finally, encryption, according to Acronis.

They tend to target small and medium-sized businesses, disabling security software, deleting shadow copies, and clearing event logs to avoid detection and hinder recovery.
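The defence-evasion and anti-recovery steps described above (shadow copy deletion, event log clearing, security software tampering) are all visible in ordinary Windows process-creation and audit telemetry. The following Python is an added example, not code from the article or from Acronis: it runs a handful of pattern rules over constructed sample events loosely modelled on Security event 4688 (process creation, with command line) and Security event 1102 (audit log cleared), then rates each host by how many distinct categories of behaviour it exhibits. The host names, user names and rule patterns are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample events (not real telemetry). Field names approximate the
# Security 4688 / Sysmon 1 process-creation records and the Security 1102
# "audit log was cleared" record.
SAMPLE_EVENTS = [
    {"event_id": 4688, "host": "fs01", "user": "CORP\\svc_backup",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"event_id": 4688, "host": "fs01", "user": "CORP\\svc_backup",
     "command_line": "wmic.exe shadowcopy delete"},
    {"event_id": 4688, "host": "fs01", "user": "CORP\\svc_backup",
     "command_line": "bcdedit.exe /set {default} recoveryenabled no"},
    {"event_id": 4688, "host": "ws22", "user": "CORP\\alice",
     "command_line": "wevtutil.exe cl Security"},
    {"event_id": 1102, "host": "ws22", "user": "CORP\\alice", "command_line": ""},
    {"event_id": 4688, "host": "ws22", "user": "CORP\\alice",
     "command_line": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"event_id": 4688, "host": "ws23", "user": "CORP\\carol",
     "command_line": "wevtutil.exe cl System"},
    {"event_id": 4688, "host": "ws22", "user": "CORP\\alice",
     "command_line": "notepad.exe C:\\Users\\alice\\notes.txt"},
    {"event_id": 4688, "host": "dc01", "user": "CORP\\bob",
     "command_line": "vssadmin.exe list shadows"},   # benign: listing, not deleting
]

# (rule name, behaviour category, regex applied to the command line)
# Categories map to the three steps the article names: deleting shadow copies,
# clearing event logs and disabling security software.
RULES = [
    ("shadow_copy_deletion", "inhibit_recovery",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("boot_recovery_disabled", "inhibit_recovery",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
    ("event_log_cleared_cmd", "log_clearing",
     re.compile(r"wevtutil(\.exe)?\s+cl\s+\S+", re.I)),
    ("defender_realtime_disabled", "security_tool_tampering",
     re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true", re.I)),
]


def scan_events(events):
    """Return one finding per event that matches a rule (or is an 1102 record)."""
    findings = []
    for ev in events:
        if ev["event_id"] == 1102:
            # The audit log itself reports that it was cleared; no command line needed.
            findings.append({"host": ev["host"], "user": ev["user"],
                             "rule": "security_log_cleared_1102",
                             "category": "log_clearing"})
            continue
        cmd = ev.get("command_line", "")
        for name, category, pattern in RULES:
            if pattern.search(cmd):
                findings.append({"host": ev["host"], "user": ev["user"],
                                 "rule": name, "category": category,
                                 "command_line": cmd})
                break  # one finding per event is enough
    return findings


def score_hosts(findings):
    """Rate each host: 'high' if recovery is being inhibited or two or more
    behaviour categories appear, otherwise 'medium'."""
    categories = defaultdict(set)
    for f in findings:
        categories[f["host"]].add(f["category"])
    return {
        host: "high" if ("inhibit_recovery" in cats or len(cats) >= 2) else "medium"
        for host, cats in categories.items()
    }


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['host']:5} {f['user']:16} {f['rule']}")
    print(score_hosts(found))
```

Run on the constructed sample, the file server that deleted its shadow copies and the workstation that both cleared logs and disabled real-time protection come out as high, the workstation that only cleared one log as medium, and the host that merely listed shadow copies produces nothing. In a real deployment the same rules would be fed from a SIEM or EDR query rather than an in-memory list, and the "user" field is worth keeping in the output because, as the article notes, these intrusions typically run under stolen or purchased admin credentials.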

Now, researchers at the Acronis Threat Research Unit (TRU) have warned the duo appear to be focusing much of their attention on MSPs.

What you need to know about Akira and Lynx

Akira has attacked more than 220 victims, including MSPs Hitachi Vantara and Toppan Next Tech, as well as many other small businesses such as law firms, accounting firms, and construction companies.

Last year, the group was mostly targeting user VPNs by exploiting various vulnerabilities, including SonicWall Firewall CVE-2024-40766, which allowed attackers to disable firewalls and connect to the target's infrastructure.

This year, Akira operators have been observed using stolen or purchased admin credentials to attempt to gain access to machines and servers.

Once inside, they attempt to disable security software; when that fails, they carry out remote exfiltration and then encryption using legitimate tools, which are often allowlisted and therefore neither scanned nor monitored.

After obtaining access, the attackers carry out further information gathering and lateral movement before detonating the encryptor.

Lynx, meanwhile, has hit around 145 victims, again mostly small businesses. First spotted in mid-2024, Lynx shares many similarities with INC ransomware.

Acronis said that Lynx, operating as a RaaS group, is constantly recruiting, posting on Russian underground forums in search of new affiliates.

"While not all victims are MSPs, these gangs don’t discriminate when it comes to targets. They’re ready to strike any organization that promises a decent payout," said Acronis.

"That said, MSPs stand out as prime targets for cyber criminals because they provide access to a network of other customers, amplifying the potential reward."

Lynx typically uses phishing emails to deliver its malware to victims, after which the attackers gather system and infrastructure information, attempt to obtain user credentials, and perform lateral movement to infect more computers in the network.

Recent attacks show that if security software is found, Lynx will try to uninstall it, then exfiltrate files to its servers before detonating the encryptor.

Dray Agha, senior manager of security operations at Huntress, said enterprises of all sizes should be wary of both groups due to their high level of technical proficiency.

"Ransomware groups like Akira and Lynx are relentlessly refining their attacks, specifically targeting the resource-constrained SMB sector with increasingly efficient, recycled tactics like credential theft and various attacks against VPNs," Agha commented.

"The findings underscore the critical need for all businesses, especially SMBs and MSPs, to rigorously enforce fundamental defences," he added.

This includes bolstering multi-factor authentication (MFA), patching VPNs and "other external-facing systems", and maintaining "robust, tested backups".

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.