
Warning for MSPs: Intensifying activity from two ransomware groups has resulted in numerous attacks and hundreds of victims

MSPs advised to stay alert as attacks from ransomware groups Akira and Lynx escalate.

MSPs should brace for intensified ransomware assaults from two prominent groups, which have already notched up hundreds of victims.


In a concerning development, the Akira and Lynx ransomware groups have been stepping up their attacks, with a significant focus on managed service providers (MSPs). These groups are leveraging Ransomware-as-a-Service (RaaS) models combined with double extortion tactics to maximize their impact.

Tactics and Strategies

Both Akira and Lynx employ a range of sophisticated techniques, including the use of stolen administrative credentials, exploitation of VPN vulnerabilities, reconnaissance, privilege escalation, defense evasion, and data exfiltration prior to encryption.

Acronis analysis suggests that Akira's ransomware shares similarities with Conti, a notable ransomware lineage, while Lynx incorporates leaked LockBit source code, indicating a common ransomware codebase heritage.

Akira has targeted over 220 victims, including small businesses and MSPs like Hitachi Vantara and Toppan Next Tech. On the other hand, Lynx has attacked approximately 145 victims, primarily small businesses.

Once inside a network, both groups take measures to disable security software, delete shadow copies, clear event logs, and in Lynx's case, even print the ransom note on network printers to increase victim pressure.
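As an added illustration that is not part of the article and not code from Acronis or Huntress, the following triage check scans constructed process-creation log records for the two pre-encryption behaviours described above (shadow-copy deletion and event-log clearing); the record layout and field names are assumptions, not a real product's schema.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation records (field names are an assumption,
# loosely modelled on endpoint telemetry; not real captured data).
SAMPLE_EVENTS = [
    {"host": "srv-01", "user": "CORP\\admin",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "srv-01", "user": "CORP\\admin",
     "cmdline": "wevtutil.exe cl Security"},
    {"host": "ws-07", "user": "CORP\\jdoe",
     "cmdline": "vssadmin.exe list shadows"},   # benign: listing, not deleting
    {"host": "ws-07", "user": "CORP\\jdoe",
     "cmdline": "notepad.exe report.txt"},
]

# Each rule maps one behaviour named in the article to a command-line pattern.
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("event_log_clearing",   re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\s+\S+", re.I)),
]

@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    rule: str
    cmdline: str

def scan_events(events):
    """Return one Finding per record whose command line matches a rule."""
    findings = []
    for ev in events:
        for rule, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                findings.append(Finding(ev["host"], ev["user"], rule, ev["cmdline"]))
                break  # one finding per record is enough for triage
    return findings

def hosts_with_both(findings):
    """Hosts showing both behaviours: a stronger signal of pre-encryption
    staging than either behaviour on its own."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    wanted = {"shadow_copy_deletion", "event_log_clearing"}
    return sorted(h for h, rules in by_host.items() if wanted <= rules)

if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host} {f.user} {f.rule}: {f.cmdline}")
    print("hosts with both behaviours:", hosts_with_both(found))
```

In a real deployment these patterns would be fed by endpoint telemetry and tuned against legitimate administrative use (backup jobs that call vssadmin, for example) before being treated as high-severity alerts.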

Double Extortion Method

The double extortion method involves encrypting the victim's files and exfiltrating data. If the ransom is not paid, the attackers threaten to release the stolen data, thereby adding a leverage point beyond encryption alone.

The Impact on MSPs

MSPs manage multiple clients, making them prime targets. A compromise of an MSP's infrastructure offers attackers an expedited path to wider network access and more extensive data for exfiltration, maximizing attack impact.

The RaaS Model

The RaaS model used by both groups allows less technically skilled criminals to deploy highly sophisticated ransomware kits maintained by the core developers, enhancing their scale, speed, and stealth.

Defenses and Recommendations

Researchers warn that Akira and Lynx are focusing much of their attention on MSPs. Dray Agha, senior manager of security operations at Huntress, advises enterprises of all sizes to be wary of both groups due to their high level of technical proficiency.

Agha suggests that businesses, especially SMBs and MSPs, should enforce fundamental defenses such as bolstering multi-factor authentication (MFA), patching VPNs and "other external-facing systems", and maintaining robust, tested backups.

In summary, the Akira and Lynx ransomware campaigns represent an evolution toward industrialized and highly efficient ransomware operations that prioritize stealth and rapid propagation via MSP networks, and that leverage double extortion to increase ransom pressure. Their shared code heritage with major ransomware families and their exploitation of MSP trust models make them particularly dangerous in the current threat landscape.
