
Akira and Lynx ransomware are targeting Managed Service Providers (MSPs) by exploiting stolen login credentials and existing vulnerabilities.

Two sophisticated ransomware operations, Akira and Lynx, have emerged as significant threats to Managed Service Providers (MSPs) and small businesses. These ransomware-as-a-service (RaaS) groups have collectively compromised over 365 organisations, showcasing their effectiveness in targeting high-value infrastructure providers that serve multiple clients.

After emerging in 2022, the Akira ransomware group had grown into one of the top 10 ransomware operations by 2023, with over 220 confirmed victims. Akira has systematically targeted law firms, accounting firms, construction companies, and notably, MSPs such as Hitachi Vantara and Toppan Next Tech. This strategic focus on MSPs allows Akira to maximise impact by gaining access to extensive client networks, thereby amplifying potential ransom payouts. In contrast, the Lynx ransomware operation has struck approximately 145 victims, primarily focusing on private businesses through a high-volume attack strategy.

Both ransomware families employ sophisticated double extortion tactics, combining file encryption with data theft to pressure victims into paying ransoms. Acronis researchers have identified that Lynx likely incorporates elements from the leaked LockBit source code and shares similarities with the INC ransomware family, indicating a complex web of code sharing within the ransomware ecosystem. Notable victims of Lynx include a CBS affiliate television station in Chattanooga, Tennessee, underscoring the group’s willingness to target critical infrastructure and media organisations.

Both Akira and Lynx share technical similarities with the notorious Conti ransomware, previously linked to the Russian Wizard Spider threat group. The 2025 attack campaigns reveal significant evolution in both groups’ technical capabilities, with Akira shifting its primary attack vector to leveraging stolen or purchased administrative credentials. When successful, attackers disable security software to establish persistence, while employing sophisticated fallback strategies when credential-based access fails.
