Ransomware attacks on MSPs intensify: two notorious groups escalate their operations and claim numerous victims
The Akira and Lynx ransomware groups have recently stepped up their activity, targeting businesses and Managed Service Providers (MSPs) with sophisticated tactics.
Both groups have been exploiting vulnerabilities in widely used VPN and firewall products, such as SonicWall SMA100 appliances and Cisco devices, to gain initial access to target networks. They also use stolen or purchased administrative credentials to get in, and disable security defenses once inside.
The groups employ a double-extortion approach: they archive and exfiltrate victim files before encrypting data, so the threat of a leak adds pressure on top of the outage. They rely on publicly available tools for reconnaissance, credential harvesting, and lateral movement within the network. To hinder detection and recovery, they delete volume shadow copies and clear Windows event logs.
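The shadow-copy deletion and event-log clearing described above are among the most reliable pre-encryption signals a defender can hunt for, because they happen on the victim's own hosts minutes before files are locked. The Python below is an added example, not code from the article, from Huntress, or from either ransomware group. It runs a small set of command-line rules over constructed process-creation records (loosely modelled on Sysmon Event ID 1 / Windows Security 4688 fields), tags each hit with the MITRE ATT&CK technique it maps to (T1490 Inhibit System Recovery, T1070.001 Clear Windows Event Logs), and then flags hosts where both techniques fire within a short window. The record layout, hostnames, user names, timestamps and command lines are all constructed for the example.

```python
"""Hunt for ransomware pre-encryption tampering in process-creation telemetry.

Added example for this article; not the ransomware groups' tooling and not a
vendor's detection content. The log records below are constructed, not captured.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# (ATT&CK technique, description, regex applied to the normalized command line)
RULES = [
    ("T1490", "shadow copies deleted via vssadmin",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("T1490", "shadow storage shrunk via vssadmin (evicts existing copies)",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b")),
    ("T1490", "shadow copies deleted via WMIC",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("T1490", "shadow copies deleted via PowerShell WMI/CIM",
     re.compile(r"win32_shadowcopy.*(?:remove-wmiobject|remove-ciminstance|\.delete\(\))")),
    ("T1490", "Windows recovery environment disabled via bcdedit",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\b\s+no\b")),
    ("T1070.001", "event log cleared via wevtutil",
     re.compile(r"\bwevtutil(?:\.exe)?\b.*\b(?:cl|clear-log)\b")),
    ("T1070.001", "event log cleared via PowerShell",
     re.compile(r"\bclear-eventlog\b")),
]

# Constructed records in a simple key=value shape. CommandLine is always the
# last field so it may contain spaces and quotes. FS01 shows a typical
# pre-encryption burst; WS17 shows benign look-alikes that must not fire.
LOG_LINES = [
    r'Time=2025-05-02T03:14:07Z Host=FS01 User=CORP\svc_backup Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe  Delete Shadows /All /Quiet"',
    r'Time=2025-05-02T03:14:09Z Host=FS01 User=CORP\svc_backup Image=C:\Windows\System32\wbem\WMIC.exe CommandLine="WMIC shadowcopy delete"',
    r'Time=2025-05-02T03:14:11Z Host=FS01 User=CORP\svc_backup Image=C:\Windows\System32\bcdedit.exe CommandLine="bcdedit /set {default} recoveryenabled No"',
    r"Time=2025-05-02T03:14:12Z Host=FS01 User=CORP\svc_backup Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c for /F tokens=* %1 in ('wevtutil.exe el') DO wevtutil.exe cl %1",
    r'Time=2025-05-02T03:14:15Z Host=FS01 User=CORP\svc_backup Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell -nop -c Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"',
    r'Time=2025-05-02T03:20:00Z Host=WS17 User=CORP\jsmith Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin list shadows"',
    r'Time=2025-05-02T03:21:00Z Host=WS17 User=CORP\jsmith Image=C:\Windows\System32\wevtutil.exe CommandLine="wevtutil qe Security /c:5 /rd:true"',
]


@dataclass(frozen=True)
class Finding:
    time: str
    host: str
    user: str
    technique: str
    description: str
    command_line: str


def normalize(cmdline: str) -> str:
    """Lower-case, strip cmd.exe caret escapes and quote characters, and collapse
    whitespace, so 'VSSADMIN.EXE  "Delete" Sha^dows' still matches the rules."""
    s = cmdline.lower().replace("^", "")
    s = re.sub(r"[\"']", "", s)
    return re.sub(r"\s+", " ", s).strip()


def parse_line(line: str) -> dict:
    """Split one constructed record into fields; everything after 'CommandLine='
    is the command line (outer quotes removed)."""
    head, _, cmd = line.partition(" CommandLine=")
    fields = dict(re.findall(r"(\w+)=(\S+)", head))
    fields["CommandLine"] = cmd.strip().strip('"')
    return fields


def detect(lines: list[str]) -> list[Finding]:
    """Apply every rule to every record; one Finding per (record, rule) hit."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        cmd = normalize(rec.get("CommandLine", ""))
        for technique, description, rx in RULES:
            if rx.search(cmd):
                findings.append(Finding(rec.get("Time", "?"), rec.get("Host", "?"),
                                        rec.get("User", "?"), technique,
                                        description, rec["CommandLine"]))
    return findings


def hosts_with_preencryption_burst(findings: list[Finding], window_minutes: int = 10) -> list[str]:
    """Hosts where recovery tampering (T1490) and log clearing (T1070.001) both
    fire and all such hits land within `window_minutes`: a far stronger signal
    than any single command, which a backup agent might run legitimately."""
    by_host: dict[str, list[Finding]] = {}
    for f in findings:
        by_host.setdefault(f.host, []).append(f)
    flagged = []
    for host, hits in by_host.items():
        if {"T1490", "T1070.001"} <= {f.technique for f in hits}:
            times = [datetime.fromisoformat(f.time.replace("Z", "+00:00")) for f in hits]
            if max(times) - min(times) <= timedelta(minutes=window_minutes):
                flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    hits = detect(LOG_LINES)
    for f in hits:
        print(f"{f.time} {f.host} {f.user} [{f.technique}] {f.description}: {f.command_line}")
    print("escalate:", hosts_with_preencryption_burst(hits))
```

On the constructed input the rules fire five times, all on FS01, and the burst correlation escalates that host alone; the `vssadmin list` and `wevtutil qe` commands on WS17 are ignored. In production the single-command rules will still hit legitimate backup and maintenance jobs, so tune by excluding known backup service accounts and treat the combined burst as the page-the-on-call signal.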
MSPs are particularly attractive targets for these groups. Because an MSP holds privileged access to many client networks, compromising one provides a high-value gateway for scaling attacks across numerous organizations at once. Attackers can abuse the IT, cloud, and network management services that MSPs provide to gain widespread access and disrupt many dependent businesses.
Lynx has attacked around 145 victims, primarily small businesses. It operates as a Ransomware-as-a-Service (RaaS) group and shares similarities with INC ransomware. Lynx typically uses phishing emails to deliver its malware.
Akira has attacked over 220 victims, including Hitachi Vantara, Toppan Next Tech, and many small businesses such as law firms, accounting firms, and construction companies. Last year, Akira primarily targeted user VPNs by exploiting vulnerabilities such as CVE-2024-40766 in SonicWall firewalls.
Dray Agha, senior manager of security operations at Huntress, recommends that enterprises of all sizes be wary of both Akira and Lynx due to their high level of technical proficiency. Agha suggests rigorously enforcing fundamental defenses, such as bolstering multi-factor authentication (MFA), patching VPNs and "other external-facing systems", and maintaining robust, tested backups.
Both groups operate under a RaaS model, and their intrusions follow a familiar chain: initial access through stolen credentials or VPN vulnerabilities, followed by reconnaissance, privilege escalation, defense evasion, data exfiltration, and finally encryption. Both practice double extortion. Akira's code incorporates elements of the leaked LockBit source and shares similarities with Conti.
Where Akira obtains the privileges to do so, it disables security software; where it cannot, it falls back to exfiltrating and then encrypting data remotely over the network using legitimate tools. Lynx, after gaining access, attempts to harvest user credentials and move laterally to infect more machines in the network.
In summary, Akira and Lynx have refined their tactics: exploiting vulnerabilities in widely used VPN and firewall products, leveraging stolen credentials, and applying evasion and double-extortion methods. MSPs are attractive targets because compromising one grants access to many organizations at once, amplifying the groups' reach and financial gain.