The Acronis Threat Research Unit (TRU) has identified Managed Service Providers (MSPs) as key targets in 2025 ransomware campaigns by Akira and Lynx, two increasingly aggressive ransomware-as-a-service (RaaS) groups employing double extortion tactics.
Both families exploit VPN vulnerabilities, stolen credentials, and use recycled code—with Akira showing ties to Conti and Lynx leveraging leaked LockBit code. Their attacks involve disabling security tools, deleting shadow copies, and clearing logs to evade detection.
Akira, active since 2022, escalated its activity to over 300 known attacks in 2024, primarily targeting small firms and MSPs, including Hitachi Vantara and Toppan Next Tech. In 2025, it shifted to exploiting admin credentials and legitimate tools to exfiltrate and encrypt data.
Lynx has hit at least 145 organizations, including a CBS affiliate, and has a quirky trait: its malware can print ransom notes directly on victims’ printers.
The use of advanced persistence, lateral movement, and data theft techniques, combined with access to MSP environments, makes these actors particularly dangerous—one compromised MSP could mean dozens of breached clients.
See What’s Next in Tech With the Fast Forward Newsletter
Tweets From @varindiamag
Nothing to see here - yet
When they Tweet, their Tweets will show up here.
