Two ransomware operations have surfaced as major threats to managed service providers (MSPs) and small enterprises, with the Akira and Lynx groups combining stolen credentials with vulnerability exploitation to gain initial access.
These ransomware-as-a-service (RaaS) operations have collectively breached more than 365 organizations, and both deliberately target infrastructure providers whose compromise gives reach into many downstream clients at once.
The Akira ransomware group has shown notable persistence since it emerged in 2022, rising from a relatively obscure threat to one of the ten most active ransomware operations by 2023.
With more than 220 verified victims, Akira has systematically targeted legal firms, accounting practices, construction businesses, and notably, managed service providers including Hitachi Vantara and Toppan Next Tech.
The group's focus on MSPs reflects a deliberate strategy to amplify impact: compromising a single provider yields access to a large number of client networks and raises the potential ransom take.
By comparison, the Lynx ransomware group has hit roughly 145 victims through a high-volume approach aimed largely at private enterprises.
Acronis researchers assess that Lynx likely incorporates elements of the leaked LockBit source code and shares similarities with the INC ransomware family, pointing to ongoing code sharing and reuse across the ransomware ecosystem.
Notable victims include a CBS-affiliated television station in Chattanooga, Tennessee, underscoring the group's willingness to hit critical infrastructure and media organizations.
Both ransomware families run double-extortion schemes, pairing file encryption with data theft so that victims face both operational disruption and a public leak if they refuse to pay.
The groups also show technical similarities to the notorious Conti ransomware, which was linked to the Russian Wizard Spider group before Conti disbanded following a major internal data leak in 2022.
That overlap suggests either reuse of Conti code or the recruitment of former Conti operators into these newer operations.
Advanced Infection and Evasion Mechanisms
The 2025 campaigns show a marked evolution in both groups' tooling and operational methods.
Akira operators have shifted their primary initial-access vector from phishing and vulnerability exploitation to the use of stolen or purchased administrative credentials.
Once in with valid credentials, the attackers immediately disable security software so that their foothold survives.
If credential-based access fails, the group falls back to remote data exfiltration followed by encryption, carried out with legitimate, allow-listed tools that routinely escape security monitoring.
Technical analysis shows that the Akira payload is a 64-bit PE executable written in C/C++ and compiled with the Visual Studio Build Tools.
The malware encrypts files with ChaCha20 and protects the ChaCha20 key material with RSA: the key is written into a 512-byte buffer that is then RSA-encrypted with the operators' public key, so it cannot be recovered without the corresponding private key.
The ransomware sizes its thread pool to the number of logical processors, with encryption threads scaling directly with the available CPUs.
On a system with six logical processors, for example, it starts two folder-parser threads and dedicates four threads to file encryption.
Lynx is comparably capable: its 32-bit PE executable, also written in C/C++, accepts an extensive set of command-line arguments that give operators fine-grained control over a run.
Documented options include --encrypt-network to target network shares, --kill to terminate processes and services, and, notably, --no-print to suppress printing of the ransom note on connected printers.
File encryption uses AES, with the AES key protected by an elliptic-curve (ECC) public key that is embedded in the binary as a Base64 string: 8SPEMzUSI5vf/cJjobbBepBaX7XT6QT1J8MnZ+IEG3g= (which decodes to 32 bytes).
Both ransomware families implement thorough defense evasion, including shadow copy deletion through undocumented Windows APIs, which sidesteps detections that key on vssadmin or WMIC command lines, and targeted termination of backup software, databases, and security applications.
The malware specifically kills processes associated with SQL, Veeam, backup systems, and Exchange servers so that files are not locked by active applications and backup jobs cannot interfere with encryption.
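Because the process termination described above happens in-process rather than through taskkill or net stop, command-line detections miss it; what remains visible is a burst of backup, database, Exchange and security processes exiting within seconds of each other. The following is an added example, not code from the article or from Acronis, of a simple heuristic over Sysmon-style process-termination records (Event ID 5). The log lines, the log format, and the watch list of process-name fragments are constructed for illustration and are assumptions, not indicators taken from the page; tune the list and thresholds to your own environment.

```python
"""Heuristic: burst of watch-listed process terminations (constructed example).

Input is a list of simplified, constructed Sysmon-style lines of the form
    "YYYY-MM-DD HH:MM:SS EventID=<id> Image=<full path>"
Only EventID 5 (process terminated) records are considered.
"""
import re
from datetime import datetime, timedelta

# Hypothetical watch list grouped by the categories the article names.
# Entries are lower-case substrings matched against the image file name.
WATCH_LIST = {
    "database": ("sqlservr.exe", "sqlwriter.exe", "mysqld.exe"),
    "backup": ("veeam", "backup", "vssvc"),
    "exchange": ("msexchange", "store.exe"),
    "security": ("msmpeng.exe", "mssense.exe"),
}

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) EventID=(?P<eid>\d+) Image=(?P<image>.+)$"
)

# Constructed sample log: a ransomware-style kill burst at 02:14, then a
# lone, benign-looking Veeam restart much later that must not alert.
SAMPLE_LOG = r"""
2025-06-03 02:14:05 EventID=1 Image=C:\Windows\System32\svchost.exe
2025-06-03 02:14:07 EventID=5 Image=C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
2025-06-03 02:14:08 EventID=5 Image=C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe
2025-06-03 02:14:09 EventID=5 Image=C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeIS.exe
2025-06-03 02:14:11 EventID=5 Image=C:\Windows\notepad.exe
2025-06-03 02:14:12 EventID=5 Image=C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe
2025-06-03 03:40:00 EventID=5 Image=C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe
""".strip().splitlines()


def classify(image):
    """Return the watch-list category for an image path, or None."""
    name = image.rsplit("\\", 1)[-1].lower()
    for category, needles in WATCH_LIST.items():
        if any(n in name for n in needles):
            return category
    return None


def parse(lines):
    """Parse log lines into (timestamp, image) tuples for EventID 5 only."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m.group("eid") != "5":
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group("image")))
    return events


def detect_kill_burst(events, window_seconds=60, min_hits=3, min_categories=2):
    """Alert when >= min_hits watch-listed processes spanning >= min_categories
    categories terminate inside a sliding window of window_seconds."""
    hits = [(ts, img, classify(img)) for ts, img in sorted(events)]
    hits = [h for h in hits if h[2] is not None]  # drop non-watch-listed images
    window = timedelta(seconds=window_seconds)
    alerts = []
    i = 0
    while i < len(hits):
        start = hits[i][0]
        j = i
        while j < len(hits) and hits[j][0] - start <= window:
            j += 1
        in_win = hits[i:j]
        cats = {h[2] for h in in_win}
        if len(in_win) >= min_hits and len(cats) >= min_categories:
            alerts.append({
                "start": start,
                "end": in_win[-1][0],
                "processes": [h[1] for h in in_win],
                "categories": sorted(cats),
            })
            i = j  # skip past this window so one burst yields one alert
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    for alert in detect_kill_burst(parse(SAMPLE_LOG)):
        print(f"{alert['start']} - {alert['end']}: {len(alert['processes'])} "
              f"watch-listed terminations across {alert['categories']}")
```

Requiring hits from at least two categories is what keeps a routine database or backup service restart from alerting on its own; a genuine ransomware pre-encryption sweep touches several categories at once, as the sample burst does, while the isolated Veeam termination later in the log stays silent.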