US authorities businesses are warning that the Akira ransomware operation has been noticed encrypting Nutanix AHV digital machines in assaults.
An up to date joint advisory from CISA, the FBI, the Division of Protection Cyber Crime Heart (DC3), the Division of Well being and Human Providers (HHS), and a number of other worldwide companions alerts that Akira ransomware has expanded its encryption capabilities Nutanix AHV VM disk information.
The advisory contains new indicators of compromise and ways noticed via FBI investigations and third-party reporting as current as November 2025.
Encrypting Nutanix VMs in assaults
The advisory warns that in June 2025 Akira actors began to encrypt disk information for Nutanix AHV digital machines.
“In a June 2025 incident, Akira risk actors encrypted Nutanix AHV VM disk information for the primary time, increasing their capabilities past VMware ESXi and Hyper-V by abusing Frequent Vulnerabilities and Exposures (CVE)-2024-40766 [Common Weakness Enumeration (CWE)-284: Improper Access Control], a SonicWall vulnerability,” reads the up to date advisory.
Nutanix’s AHV platform is a Linux-based virtualization answer that runs and manages digital machines on Nutanix’s infrastructure.
As it’s extensively deployed, it’s no shock that ransomware gangs would start to focus on digital machines on this platform, as they do with VMware ESXi and Hyper-V.
Whereas CISA has not shared how Akira is concentrating on Nutanix AHV environments, Akira Linux encryptors analyzed by BleepingComputer try to encrypt information with the .qcow2 extension, which is the digital disk format utilized by Nutanix AHV.
Nevertheless, the .qcow2 file extension has been focused by Akira Linux encryptors since at the very least the tip of 2024.
Moreover, Akira’s give attention to Nutanix VMs can be not as developed as its concentrating on of VMware ESXi
The Linux encryptor makes use of esxcli and vim-cmd to gracefully shut down ESXi digital machines earlier than encrypting their disks, however for Nutanix AHV, it merely encrypts the .qcow2 information immediately and doesn’t use the platform’s acli or ncli instructions to energy down AHV VMs.
Different updates
The up to date advisory additionally contains new info on Akira’s intrusion strategies and post-compromise ways.
To breach company networks, Akira associates generally use stolen or brute-forced VPN and SSH credentials on uncovered routers and exploit SonicWall vulnerabilities (CVE-2024-40766) on uncovered firewalls.
As soon as they acquire entry, they exploit the CVE-2023-27532 or CVE-2024-40711 vulnerabilities on unpatched Veeam Backup & Replication servers to realize entry to and delete backups.
Inside a community, Akira members have been noticed utilizing utilities similar to nltest, AnyDesk, LogMeIn, Impacket’s wmiexec.py, and VB scripts to carry out reconnaissance, unfold laterally to different programs, and set up persistence. The risk actors additionally generally take away endpoint detection instruments and create new administrative accounts for persistence.
In a single incident, the attackers powered down a site controller VM, copied its VMDK information, hooked up them to a brand new VM, and extracted the NTDS.dit file and SYSTEM hive to acquire a site administrator account.
The advisory notes that the “Megazord” software beforehand linked to Akira operations seems to have been deserted since 2024.
Akira has exfiltrated knowledge in as little as two hours throughout some assaults, and for command-and-control has relied on tunneling instruments similar to Ngrok to ascertain encrypted channels that bypass perimeter monitoring.
The advisory urges organizations to evaluate the up to date steering and implement the really helpful mitigations.
CISA and the FBI additionally proceed to suggest common offline backups, enforced multifactor authentication, and fast patching of recognized exploited vulnerabilities.
Whether or not you are cleansing up previous keys or setting guardrails for AI-generated code, this information helps your group construct securely from the beginning.
Get the cheat sheet and take the guesswork out of secrets and techniques administration.
