Two sophisticated ransomware groups, Akira and Lynx, are increasingly targeting managed service providers and small businesses with advanced techniques that exploit stolen credentials and vulnerabilities. Together, these operations have compromised over 365 organizations, showcasing their effectiveness in accessing high-value infrastructure providers. The Akira group, which has targeted 220 victims including major firms like Hitachi Vantara, has shifted its tactics from traditional phishing to leveraging stolen administrative credentials. Meanwhile, Lynx has struck about 145 victims, focusing on private businesses and critical infrastructure, including a CBS affiliate in Chattanooga, Tennessee. Both groups employ double extortion tactics, combining file encryption with data theft to pressure their victims into paying ransoms.
In related news, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has announced the public release of Thorium, an open-source platform designed for malware and forensic analysis. Thorium can automate tasks and handle over 1,700 jobs per second while processing more than 10 million files per hour. This platform improves cybersecurity operations by integrating various tools and supports software analysis, digital forensics, and incident response, allowing analysts to efficiently address complex malware threats. It aims to empower a wider audience, including IT professionals without in-house malware analysis capabilities, to perform effective preliminary analyses and better manage risks. For installation instructions and access, users can visit CISA’s official GitHub repository.
Additionally, SonicWall is urging its customers to disable its SSL Virtual Private Network (VPN) service after reports of ransomware attacks targeting its systems surfaced. This warning comes after Google’s announcement that its AI-powered bug hunter, Big Sleep, has identified 20 security vulnerabilities in popular open-source software, including FFmpeg and ImageMagick. Heather Adkins, Google’s vice president of security, mentioned that although these vulnerabilities have not yet been fixed, their discovery demonstrates AI’s potential in automating vulnerability detection. However, concerns remain about the reliability of AI-generated bug reports, with some developers experiencing false positives.
And… A recently discovered prompt-injection vulnerability in Google’s Gemini AI chatbot presents serious security risks, enabling attackers to craft convincing phishing campaigns. Researchers have shown that by embedding malicious instructions within emails, attackers can manipulate the chatbot to generate fake security alerts, potentially deceiving users into revealing sensitive information. This flaw does not rely on links or attachments; instead, it exploits crafted HTML and CSS within the email body. Although Google has previously tried to address similar vulnerabilities, researchers from the security firm 0din warn that this technique remains effective. The impact could go beyond Gemini, possibly affecting other Google Workspace products, as malicious actors might exploit this vulnerability to compromise multiple accounts through automated systems. Security experts advise strengthening defenses, including sanitizing HTML inputs and monitoring chatbot outputs for sensitive data.
Why do we care?
MSPs, you’re now prime targets—again. Akira and Lynx, two ransomware gangs, have hit over 365 organizations, including MSPs and SMBs, using stolen admin credentials and skipping the phishing. This isn’t theoretical—it’s infrastructure-level compromise.
Add to that: CISA dropped Thorium, an open-source malware analysis engine that chews through 10 million files an hour. That’s a gift—if you use it. Most of you don’t have a malware lab, and now you don’t need one. No excuses.
But here’s the other side: SonicWall VPNs are under attack, and customers are being told to shut them off. You better be on top of that—or ready to answer hard questions.
And let’s not ignore Google. Their AI bot Gemini has a prompt-injection bug—attackers don’t need links or attachments, just clever HTML. That means your Google Workspace installs are now phishing vectors from the inside out.
The stacks we rely on—SonicWall, Google, even AI detection—are full of holes. The bad guys are evolving. Are you?

