Exploiting MSPs – Akira and Lynx Ransomware Leverage Stolen Credentials and Vulnerabilities in Latest Attacks

The Acronis Threat Research Unit (TRU) has identified escalating threats from Akira and Lynx ransomware groups, which have collectively compromised over 365 organizations while specifically targeting managed service providers (MSPs) to amplify their attack reach.

Both groups employ sophisticated double extortion tactics and ransomware-as-a-service (RaaS) models, with recent analysis revealing their evolution from the leaked source code of notorious predecessors.

[Figure: Delivery]

Credential Theft and VPN Exploitation Drive Initial Access

Akira ransomware, which attacked over 220 victims, including law firms and construction companies, has significantly evolved its attack methodology since emerging in 2022.

Initially relying on phishing campaigns and vulnerabilities like Cisco CVE-2023-20269, the group shifted focus in 2024 to exploit VPN vulnerabilities, particularly SonicWall Firewall CVE-2024-40766, allowing attackers to disable security perimeters and establish persistent access.

In 2025, TRU researchers observed Akira operators increasingly leveraging stolen or purchased administrative credentials as their primary attack vector.

When credential-based access succeeds, attackers immediately disable security software before proceeding with data exfiltration and encryption using legitimate, whitelisted tools that evade detection.

Lynx ransomware, responsible for approximately 145 attacks, employs similar tactics but takes a higher-volume approach that targets small businesses.

[Figure: PowerShell command]

The group’s recruitment efforts on Russian underground forums indicate active expansion of affiliate networks, with operators claiming exclusive focus on private sector organizations.

Technical Evolution Rooted in Leaked Source Code

Analysis reveals that both ransomware families incorporate elements from previously leaked source code repositories.

Akira demonstrates significant similarities to Conti ransomware, which was linked to the dissolved Wizard Spider threat group following a 2022 data breach that exposed source code and internal communications.

Whether Akira represents a Wizard Spider rebrand or new operators utilizing leaked code remains unclear.

Lynx exhibits strong code similarities to INC ransomware, likely stemming from underground forum sales of INC builders advertised for 300,000 rubles each in April 2024.

The posting described functionality matching analyzed Lynx samples, suggesting direct source code acquisition and modification.

Sophisticated Defense Evasion and Unique Capabilities

Both groups employ advanced techniques to evade detection and hinder recovery efforts. Their malware systematically disables security software, deletes shadow copies using PowerShell commands, and clears event logs to eliminate forensic evidence.
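The anti-recovery steps just described (shadow-copy deletion and event-log clearing) leave process-creation and audit events that a defender can hunt for. The following is an added detection sketch, not code from the Acronis report or from either ransomware family: it parses constructed process-creation records in a simplified "EventID|Image|CommandLine" form, tags the anti-recovery commands, and flags the combination the article attributes to these groups. The regex patterns are assumptions modelled on widely published detection content, not signatures taken from the report, and the Event ID 1102 handling relies on the documented Windows "audit log was cleared" event.

```python
import re
from dataclasses import dataclass, field

# Detection patterns: assumptions modelled on widely published detection
# content (Sigma-style rules), not signatures taken from the Acronis report.
SHADOW_COPY_DELETION = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    re.compile(r"Win32_ShadowCopy.*\bDelete\b", re.I),
]
LOG_CLEARING = [
    re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    re.compile(r"\bClear-EventLog\b", re.I),
]
SECURITY_LOG_CLEARED_EVENT_ID = 1102  # Windows Security: "the audit log was cleared"


@dataclass
class Event:
    line_no: int
    event_id: int
    image: str
    command_line: str


@dataclass
class Finding:
    line_no: int
    tags: list[str] = field(default_factory=list)


def parse_log(text: str) -> list[Event]:
    """Parse the constructed 'EventID|Image|CommandLine' format.
    maxsplit=2 keeps any '|' that appears inside the command line intact."""
    events = []
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        event_id, image, command_line = line.split("|", 2)
        events.append(Event(n, int(event_id), image.strip(), command_line.strip()))
    return events


def classify(event: Event) -> list[str]:
    """Return the anti-recovery behaviours this single event exhibits."""
    tags = []
    if event.event_id == SECURITY_LOG_CLEARED_EVENT_ID:
        tags.append("security_log_cleared")
    if any(p.search(event.command_line) for p in SHADOW_COPY_DELETION):
        tags.append("shadow_copy_deletion")
    if any(p.search(event.command_line) for p in LOG_CLEARING):
        tags.append("event_log_clearing")
    return tags


def scan(text: str) -> list[Finding]:
    """Run classify() over every event and keep only the ones that fired."""
    findings = []
    for event in parse_log(text):
        tags = classify(event)
        if tags:
            findings.append(Finding(event.line_no, tags))
    return findings


def looks_like_pre_encryption(findings: list[Finding]) -> bool:
    """Shadow-copy deletion together with log clearing on one host is the
    combination the article attributes to Akira and Lynx before encryption;
    either alone is a weaker signal (admins do clear logs)."""
    seen = {tag for f in findings for tag in f.tags}
    return "shadow_copy_deletion" in seen and (
        "event_log_clearing" in seen or "security_log_cleared" in seen
    )


# Constructed sample telemetry (hypothetical host, not real log data).
# Line 3 carries a benign pipeline to show the parser tolerates '|' in command lines.
SAMPLE_LOG = r"""
4688|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs
4688|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
4688|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c Get-Process | Sort-Object CPU
4688|C:\Windows\System32\wevtutil.exe|wevtutil cl Security
1102|-|-
4688|C:\Program Files\Backup\agent.exe|agent.exe --schedule nightly
""".lstrip("\n")

if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for finding in results:
        print(f"line {finding.line_no}: {', '.join(finding.tags)}")
    print("pre-encryption pattern:", looks_like_pre_encryption(results))
```

In production the same logic would sit on Sysmon Event ID 1 or Security Event ID 4688 command-line fields; the value of the combined check is that a single cleared log is routine administration, whereas shadow-copy deletion followed by log clearing is the sequence worth paging on.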

The ransomware utilizes strong encryption methods. Akira employs ChaCha20 with RSA-protected keys, while Lynx uses AES encryption with ECC key generation.

Lynx demonstrates particularly novel capabilities, including the ability to print ransom notes directly to a connected printer, a psychological pressure tactic that sets it apart from traditional ransomware families.

[Figure: Detected by Acronis]

Both groups maintain sophisticated infrastructure with multiple Tor-based communication channels for victim negotiations and data leak operations, reinforcing their commitment to sustained criminal enterprises targeting critical business infrastructure.
