Akira and Lynx Ransomware Target MSPs Using Stolen Credentials and Exploited Vulnerabilities
The Acronis Threat Research Unit (TRU) dissected recent samples from the Akira and Lynx ransomware families, revealing incremental enhancements in their ransomware-as-a-service (RaaS) models and double-extortion strategies.
Both groups leverage stolen credentials, VPN vulnerabilities, reconnaissance, privilege escalation, defense evasion, and data exfiltration to infiltrate systems, primarily targeting small and medium-sized businesses (SMBs) with recycled yet sophisticated techniques.
Akira, which emerged in 2022 and surged into the top 10 ransomware operators by 2023 with 174 attacks, continued its momentum into 2024 with 315 known victims and persists in 2025.
Its codebase exhibits striking similarities to the leaked Conti source code, potentially indicating a rebranding or adaptation by former Wizard Spider affiliates.
Lynx, appearing in mid-2024, mirrors elements of the INC ransomware analyzed by TRU in 2023 and incorporates suspected LockBit code influences, suggesting a shared heritage through underground forum acquisitions.
These actors disable security software, purge shadow copies via WMI and PowerShell commands, and clear event logs to evade detection and complicate recovery.
A notable quirk in Lynx samples is their ability to print ransom notes directly on connected printers, adding a physical dimension to their extortion tactics.
Evolving Threat with Conti Roots
Akira’s delivery methods have evolved: initially relying on phishing and exploits like Cisco CVE-2023-20269, it shifted in 2024 to targeting VPNs via flaws such as SonicWall Firewall CVE-2024-40766, enabling firewall bypasses.
By 2025, operators favor stolen or purchased admin credentials for initial access, followed by disabling defenses and using whitelisted tools for remote exfiltration and encryption.
The analyzed 64-bit PE file, compiled in C/C++ with Visual Studio tools and first seen in late 2024, initiates from WinMain, logs timestamps, and processes command-line arguments like --encryption-path, --share-file, and --encryption-percent to customize attacks.

It enumerates local processes via WTSEnumerateProcesses, decrypts PowerShell scripts to delete shadow copies using CoSetProxyBlanket for authentication, and employs COM/WMI interfaces from fastprox.dll and wbemprox.dll for privilege control.
Encryption threads scale with CPU cores, skipping network drives if -localonly is set and excluding folders like $Recycle.Bin or extensions such as .dll and .exe.
Files are encrypted with ChaCha20, partial if specified, appending RSA-encrypted keys; blocked files trigger Restart Manager to terminate interfering processes, excluding the malware’s PID.
High-Volume Attacks on Private Sectors
Lynx, with around 145 victims, adopts a high-volume strategy focused on private businesses, including a reported hit on a Chattanooga CBS affiliate.
It operates as RaaS, recruiting affiliates via Russian forums with promises of Windows/Linux builders, data storage, and leak site access.
Delivery often starts with phishing, escalating to credential theft, lateral movement, and vulnerability exploitation. In 2025, it uninstalls detected security software before exfiltrating data and deploying the encryptor.
According to the report, the 32-bit PE sample supports arguments such as --dir, --kill, and --verbose, mounting hidden drives with SetVolumeMountPointW and terminating processes/services (e.g., sql, veeam) via snapshots or Restart Manager.
It resizes shadow copies to force deletion using DeviceIoControl with IOCTL_VOLSNAP_SET_MAX_DIFF_AREA_SIZE, then spawns threads (quadruple the CPU count) for file iteration, skipping zero-sized files or excluded names/extensions.
Encryption employs AES-CTR-128 with Curve25519-Donna for key generation, hashing via SHA512, and XOR-based streams; it appends .LYNX extensions, writes Base64-decoded ransom notes with hardcoded victim IDs, and even sends them to printers via Winspool APIs while setting desktop wallpapers.
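The defense-impairment steps attributed to both families above (shadow copy deletion through WMI or PowerShell, event log clearing, stopping backup and database services, and shrinking shadow storage to force snapshot deletion) all leave traces in process-creation telemetry when they are done from the command line. The following is an added example, not code from the Acronis report or from either malware family: a small rule set run over constructed Sysmon-style process-creation records, with one caveat built in for the Lynx case, where the resize is issued through DeviceIoControl and therefore produces no command line for this kind of rule to see.

```python
"""Added example (not from the Acronis TRU report): flag process-creation
events that match the defense-impairment behaviour described in the article.
All event records below are constructed, not captured from an incident."""
import re
from collections import Counter

# Each rule: (technique label, pattern applied to the command line).
# Case-insensitive because operators vary casing freely.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("shadow_copy_deletion",
     re.compile(r"Win32_ShadowCopy.*(\.Delete\(\)|Remove-WmiObject|Remove-CimInstance)", re.I)),
    # Shrinking shadow storage makes Windows discard existing snapshots.
    # Lynx reaches the same effect via DeviceIoControl, which leaves no
    # command line, so this rule only catches the vssadmin form of the trick.
    ("shadow_storage_resize",
     re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("event_log_clearing",
     re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b|Clear-EventLog", re.I)),
    # Backup/database services are stopped so their files can be encrypted.
    ("backup_service_stop",
     re.compile(r"\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop|Stop-Service)\s+.*?(veeam|sql|backup)", re.I)),
]

# Constructed Sysmon-style process-creation records: (image path, command line).
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    (r"C:\Windows\System32\wbem\WMIC.exe", "wmic shadowcopy delete"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"),
    (r"C:\Windows\System32\vssadmin.exe", "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"),
    (r"C:\Windows\System32\wevtutil.exe", "wevtutil cl Security"),
    (r"C:\Windows\System32\net.exe", "net stop VeeamBackupSvc /y"),
    (r"C:\Windows\System32\sc.exe", "sc stop MSSQLSERVER"),
    # Benign administration that must not fire: listing shadow copies.
    (r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),
    (r"C:\Windows\explorer.exe", "explorer.exe"),
]


def scan_events(events):
    """Return one (technique, image, command_line) tuple per matched event
    and technique; several rules for one technique count once per event."""
    findings = []
    for image, cmdline in events:
        hit = {label for label, pattern in RULES if pattern.search(cmdline)}
        for label in sorted(hit):
            findings.append((label, image, cmdline))
    return findings


def summarize(findings):
    """Count findings per technique. Several distinct techniques within one
    session is the sequence the article describes: defenses impaired first,
    encryption afterwards, so the combination is a stronger signal than any
    single hit."""
    return Counter(label for label, _, _ in findings)


if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for label, image, cmdline in hits:
        print(f"[{label}] {image}: {cmdline}")
    print(dict(summarize(hits)))
```

The rules are intentionally narrow (exact tool names rather than any mention of "shadow") so that the benign `vssadmin list shadows` record does not fire; in production the same patterns would be fed by Sysmon Event ID 1 or Windows Security Event 4688 with command-line auditing enabled, and the summary step is where correlation across a host or session belongs.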
Both families underscore MSPs as lucrative targets, evidenced by Akira’s attacks on Hitachi Vantara and Toppan Next Tech due to their access to client networks, amplifying extortion potential.
Akira’s ransom deadlines vary, with data leaks observed within five days, while Lynx emphasizes nondisclosure alongside decryption. Detection by advanced security like Acronis highlights the need for robust credential management and vulnerability patching.
Indicators of Compromise (IoCs)
| Category | Indicator Type | Value |
|---|---|---|
| Akira Files | SHA256 | 88da2b1cee373d5f11949c1ade22af0badf16591a871978a9e02f70480e547b2 |
| Akira Network | URL | https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion |
| Akira Network | URL | https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion |
| Lynx Files | SHA256 | 571f5de9dd0d509ed7e5242b9b7473c2b2cbb36ba64d38b32122a0a337d6cf8b |
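A file-hash IoC list is only useful once it is swept against the hosts it concerns. The following is an added example, not code from the Acronis report: it walks a directory tree, streams every regular file through SHA-256 and reports matches against an indicator dictionary. The two SHA256 values are the ones published in the table above; the third indicator is a constructed test hash, added so the demo has something to match without needing the real samples.

```python
"""Added example (not from the Acronis report): sweep a directory tree for
files whose SHA-256 appears in an IoC list such as the table above."""
import hashlib
import os
import tempfile
from pathlib import Path

# Published indicators from the table above, with the attribution given there.
IOC_SHA256 = {
    "88da2b1cee373d5f11949c1ade22af0badf16591a871978a9e02f70480e547b2": "Akira",
    "571f5de9dd0d509ed7e5242b9b7473c2b2cbb36ba64d38b32122a0a337d6cf8b": "Lynx",
}

# Constructed sample: a harmless byte string standing in for a flagged binary,
# so the sweep has a match to demonstrate without any real malware on disk.
SAMPLE_CONTENT = b"constructed stand-in for a flagged binary\n"
SAMPLE_CONTENT_SHA256 = hashlib.sha256(SAMPLE_CONTENT).hexdigest()


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large binaries never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, iocs):
    """Return [(path, sha256, label)] for every regular file under root whose
    digest is in iocs. Keys are normalised to lowercase because IoC feeds
    publish hashes in mixed case."""
    wanted = {k.lower(): v for k, v in iocs.items()}
    matches = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            # Skip symlinks: they can loop or point outside the tree.
            if path.is_symlink() or not path.is_file():
                continue
            try:
                digest = sha256_file(path)
            except OSError:
                # Locked or unreadable files are skipped here; a real sweep
                # should log them, since an encryptor holding a file open
                # is itself worth knowing about.
                continue
            label = wanted.get(digest)
            if label is not None:
                matches.append((str(path), digest, label))
    return matches


def demo():
    """Build a constructed tree with one flagged file and two clean ones,
    then sweep it with the published indicators plus the constructed one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "clean.txt").write_bytes(b"nothing to see\n")
        (root / "sub").mkdir()
        (root / "sub" / "flagged.bin").write_bytes(SAMPLE_CONTENT)
        (root / "sub" / "other.txt").write_bytes(b"also clean\n")
        iocs = {**IOC_SHA256, SAMPLE_CONTENT_SHA256: "constructed-test"}
        return sweep(root, iocs)


if __name__ == "__main__":
    for path, digest, label in demo():
        print(f"{label}: {path} {digest}")
```

Exact-hash matching catches only the specific builds in the table; affiliates recompile and repack, so a sweep like this complements rather than replaces the behavioural indicators the article describes (shadow copy deletion, log clearing, the .LYNX extension and printed ransom notes).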