Akira and Lynx Ransomware Attacking Managed Service Providers With Stolen Login Credentials and Vulnerabilities
Two ransomware operations, Akira and Lynx, have emerged as significant threats to managed service providers (MSPs) and small businesses, combining stolen credentials with vulnerability exploitation to gain initial access.
These ransomware-as-a-service (RaaS) operations have together compromised more than 365 organizations, and their focus on infrastructure providers that serve many clients at once shows how effective that targeting is.
The Akira ransomware group has shown remarkable staying power since it first appeared in March 2023, growing within months from an unknown newcomer into one of the ten most active ransomware operations that year.
With over 220 confirmed victims, Akira has systematically targeted law firms, accounting firms, construction companies, and critically, managed service providers including Hitachi Vantara and Toppan Next Tech.
The group’s focus on MSPs represents a strategic shift toward maximizing impact, as compromising these providers grants access to extensive client networks and amplifies potential ransom payouts.
Meanwhile, the Lynx ransomware operation has struck approximately 145 victims through a high-volume attack strategy primarily focused on private businesses.
Acronis researchers identified that Lynx likely incorporates elements from the leaked LockBit source code and shares similarities with the INC ransomware family, suggesting a complex web of code sharing and evolution within the ransomware ecosystem.
Notable victims include a CBS affiliate television station in Chattanooga, Tennessee, highlighting the group’s willingness to target critical infrastructure and media organizations.
Both ransomware families employ sophisticated double extortion tactics, combining file encryption with data theft to pressure victims into paying ransoms.
The groups share technical similarities with the notorious Conti ransomware, which was linked to the Russian Wizard Spider threat group before its dissolution following a significant data leak in 2022.
This connection suggests possible code reuse or recruitment of former Conti operators into these new operations.
Advanced Infection and Evasion Mechanisms
The 2025 attack campaigns reveal significant evolution in both groups’ technical capabilities and operational procedures.
Akira operators have shifted their primary initial-access vector away from phishing and vulnerability exploitation toward stolen or purchased administrative credentials.
Once credential-based access succeeds, the attackers immediately disable security software and establish persistence.
When credential-based access fails, the group falls back to remote data exfiltration followed by encryption, carried out with legitimate, allow-listed tools that ordinarily pass unnoticed by security monitoring.
Technical analysis shows that Akira deploys PE64 executables written in C/C++ and compiled with the Visual Studio Build Tools.
The malware encrypts files with ChaCha20 and protects the ChaCha20 key with RSA, storing it in a 512-byte RSA-encrypted buffer; a 512-byte RSA ciphertext corresponds to a 4096-bit modulus, so the file keys cannot be recovered without the operators' private key.
The ransomware sizes its thread pool to the number of logical processors, with the number of encryption threads tied directly to the available cores.
On a system with six logical processors, for example, it spawns two folder-parser threads and dedicates four threads to file encryption.
Lynx shows a comparably mature implementation in its PE32 C/C++ executable, which accepts an extensive set of command-line arguments for operational flexibility.
These include `--encrypt-network` to target network shares, `--kill` to terminate processes and services, and, notably, `--no-print` to suppress printing of the ransom note on connected printers.
File encryption uses AES, with the keys protected by an elliptic-curve (ECC) public key. The sample carries the Base64-encoded public key `8SPEMzUSI5vf/cJjobbBepBaX7XT6QT1J8MnZ+IEG3g=`, which decodes to 32 bytes, a length consistent with a Curve25519 public key.
Both families implement comprehensive defense evasion, including shadow copy deletion through undocumented Windows APIs, which leaves none of the familiar vssadmin or WMI command lines for a detection rule to catch, and targeted termination of backup software, databases and security applications.
The malware specifically terminates processes related to SQL, Veeam, backup systems and Exchange servers so that locked files and running backup jobs cannot interfere with encryption.
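As an added example, not code from the article or from Acronis, the following Python detector runs over a few constructed Sysmon-style process-creation records and flags the three pre-encryption behaviours described above: shadow copy deletion, termination of backup, database and mail processes, and the Lynx operator switches. The record layout, host names, sample command lines and keyword lists are assumptions made for illustration. It catches only the command-line variants of shadow copy deletion; the API-based deletion mentioned above produces no such command line and needs EDR or ETW telemetry.

```python
"""Flag ransomware pre-encryption activity in process-creation telemetry.

Added example (not the article's or Acronis's code). The records below are
constructed Sysmon-style process-creation events; field names, hosts and
command lines are assumptions for illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


# 1. Shadow copy deletion via living-off-the-land binaries (command-line
#    variants only; API-based deletion is invisible here).
SHADOW_COPY_PATTERNS = [
    re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*remove-wmiobject", re.I),  # PowerShell/WMI
]

# 2. Process/service families the article says are killed before encryption.
#    Each pattern captures the stop/kill target (quoted or bare) in group 1.
KILL_TARGETS = ("sql", "veeam", "backup", "exchange")
KILL_PATTERNS = [
    re.compile(r"\btaskkill(?:\.exe)?\s.*?/im\s+(\"[^\"]+\"|\S+)", re.I),
    re.compile(r"\bnet(?:\.exe)?\s+stop\s+(\"[^\"]+\"|\S+)", re.I),
    re.compile(r"\bsc(?:\.exe)?\s+stop\s+(\"[^\"]+\"|\S+)", re.I),
    re.compile(r"\bstop-service\s+(?:-name\s+)?(\"[^\"]+\"|\S+)", re.I),
]

# 3. Lynx command-line switches named in the article.
LYNX_SWITCHES = ("--encrypt-network", "--kill", "--no-print")

# Distinct backup/db/mail targets stopped on one host before we raise an alert.
KILL_THRESHOLD = 2


def analyze(records):
    """Return a list of Finding objects for the given process-creation records."""
    findings = []
    killed_per_host = {}  # host -> set of lower-cased stop/kill targets

    for rec in records:
        host, cmd = rec["host"], rec["cmdline"]

        if any(p.search(cmd) for p in SHADOW_COPY_PATTERNS):
            findings.append(Finding("shadow_copy_deletion", host, cmd))

        for p in KILL_PATTERNS:
            m = p.search(cmd)
            if m:
                target = m.group(1).strip('"').lower()
                if any(k in target for k in KILL_TARGETS):
                    killed_per_host.setdefault(host, set()).add(target)

        # Token match so that e.g. "taskkill" never matches "--kill".
        if any(sw in cmd.split() for sw in LYNX_SWITCHES):
            findings.append(Finding("lynx_switch", host, cmd))

    # Aggregate: one alert per host that stopped several protected services.
    for host, targets in killed_per_host.items():
        if len(targets) >= KILL_THRESHOLD:
            findings.append(Finding("backup_db_termination", host, ", ".join(sorted(targets))))
    return findings


# Constructed sample telemetry (assumption; not from any real incident).
SAMPLE_RECORDS = [
    {"host": "FS01", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "FS01", "cmdline": 'net stop "Veeam Backup Service"'},
    {"host": "FS01", "cmdline": "taskkill /F /IM sqlservr.exe"},
    {"host": "FS01", "cmdline": "net stop MSExchangeIS"},
    {"host": "WS07", "cmdline": "C:\\Users\\jdoe\\update.exe --encrypt-network --kill --no-print"},
    {"host": "WS07", "cmdline": "notepad.exe C:\\Users\\jdoe\\notes.txt"},
    {"host": "DB02", "cmdline": "net stop Spooler"},  # benign: not a protected service
]


if __name__ == "__main__":
    for f in analyze(SAMPLE_RECORDS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

On the sample records the detector raises three findings: shadow copy deletion on FS01, the Lynx switches on WS07, and an aggregated termination alert on FS01 listing the three stopped services, while the lone `net stop Spooler` on DB02 stays quiet. Tune `KILL_TARGETS` and `KILL_THRESHOLD` to your environment; legitimate maintenance windows also stop SQL and Veeam services, so the aggregate rule is most useful when scoped to a short time window and correlated with the shadow copy rule.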