MSPs a top target for Akira and Lynx ransomware

MITRE Techniques

• [T1078] Valid Accounts – Used stolen/purchased admin credentials to gain access to machines and servers (“using stolen / purchased admin credentials to attempt to gain access to machines / servers”).
• [T1136] Create Account – Not explicitly mentioned but implied in user credential exploitation and lateral movement.
• [T1041] Exfiltration Over C2 Channel – Attackers exfiltrate victims’ files before encryption as part of double extortion (“Before encrypting files, Akira operators archived and exfiltrated victims files to their servers”).
• [T1105] Ingress Tool Transfer – Use of legitimate tools for remote exfiltration and encryption (“launch remote exfiltration and then encryption using legitimate tools that are often whitelisted”).
• [T1490] Inhibit System Recovery – Deletion of shadow copies and clearing event logs to avoid recovery (“delete shadow copies using WMI object,” “clear event logs”).
• [T1562] Impair Defenses – Disabling security software to avoid detection (“When successful, they would disable security software”).
• [T1055] Process Injection – Use of Restart Manager API to terminate processes locking files (“uses Restart Manager API to terminate processes during the encryption process”).
• [T1090] Proxy – Use of VPN vulnerabilities for initial access (“exploiting various vulnerabilities, including SonicWall Firewall CVE-2024-40766”).
• [T1110] Brute Force – Credential theft and reuse for accessing victims’ infrastructure (“stealing credentials, reconnaissance, privilege escalation”).
• [T1539] Data from Network Shared Drive – Encryption of network shares in victim environments (“accepts only drives with flags ‘DRIVE_REMOVABLE’, ‘DRIVE_FIXED’ and ‘DRIVE_REMOTE’ for encryption”).
• [T1543] Create or Modify System Process – Lynx terminates services and processes related to backups and databases to avoid file-sharing violations (“terminated services: sql, veeam, backup, exchange”).
• [T1588] Develop Capabilities – Use of ransomware builders and adapting leaked code (“Lynx has its own builder, supports Windows and Linux versions”).