Ransomware assaults escalating: Two destructive groups targeting MSPs, causing havoc for over 300 victims
A pair of notorious ransomware groups, Akira and Lynx, have been observed using a dangerous combination of tactics to infiltrate Managed Service Providers (MSPs) and compromise multiple downstream clients.
MSPs as Prime Targets
MSPs are prime targets for these groups due to the vast network access they offer. Both Akira and Lynx have targeted hundreds of victims, including small and medium-sized businesses such as law firms, accounting firms, construction companies, and even high-profile entities like Hitachi Vantara (Akira) and a CBS affiliate (Lynx).
Ransomware-as-a-Service (RaaS) Model
Both gangs operate under a Ransomware-as-a-Service (RaaS) model, lowering the technical barriers for attackers by providing ready-to-use ransomware toolkits and infrastructure. This allows rapid scaling and high-volume attacks, often carried out by affiliates working under the gang’s umbrella.
Double Extortion Methods
In addition to encrypting data, these groups exfiltrate large volumes of sensitive information (such as contracts, financial information, personal details, and correspondence) before encryption, then threaten to publish the stolen data if the ransom is not paid. For example, Lynx has publicly leaked data from victims including a construction company in Australia and a music school in Hollywood, imposing payment deadlines to pressure victims.
Advanced Evasion and Stealth
Attackers prioritize stealth and persistence, employing reconnaissance, privilege escalation, and defense evasion techniques to remain undetected as long as possible within MSP environments before deploying ransomware. Lynx has been noted to print ransom notes via network printers, an unusual tactic to increase pressure on victims.
Similarities with Previous Ransomware Families
Akira shares similarities with the Conti ransomware family, suggesting a shared codebase heritage. Lynx appears to incorporate elements of leaked LockBit source code, which points to ransomware families evolving from shared code and reusing proven tactics.
Protecting Against Ransomware Attacks
To protect against ransomware attacks, businesses, especially SMBs and MSPs, should rigorously enforce fundamental defenses such as multi-factor authentication (MFA), patching of VPNs and other external-facing systems, and robust, tested backups.
In summary, the Akira and Lynx ransomware groups combine the scalable RaaS model with double extortion, sophisticated but recycled attack vectors, and targeted MSP infiltration, using the trust between MSPs and their clients to spread compromise and extortion widely. Defense measures for MSPs include enforcing multi-factor authentication, patching exposed systems, rigorous access hygiene, and proactive threat detection to reduce the risk of these attacks.