US authorities companies are warning that the Akira ransomware operation has been noticed encrypting Nutanix AHV digital machines in assaults.
An up to date joint advisory from CISA, the FBI, the Division of Protection Cyber Crime Middle (DC3), the Division of Well being and Human Companies (HHS), and several other worldwide companions alerts that Akira ransomware has expanded its encryption capabilities Nutanix AHV VM disk recordsdata.
The advisory consists of new indicators of compromise and techniques noticed by way of FBI investigations and third-party reporting as latest as November 2025.
Encrypting Nutanix VMs in assaults
The advisory warns that in June 2025 Akira actors began to encrypt disk recordsdata for Nutanix AHV digital machines.
“In a June 2025 incident, Akira risk actors encrypted Nutanix AHV VM disk recordsdata for the primary time, increasing their capabilities past VMware ESXi and Hyper-V by abusing Frequent Vulnerabilities and Exposures (CVE)-2024-40766 [Common Weakness Enumeration (CWE)-284: Improper Access Control], a SonicWall vulnerability,” reads the up to date advisory.
Nutanix’s AHV platform is a Linux-based virtualization resolution that runs and manages digital machines on Nutanix’s infrastructure.
As it’s broadly deployed, it’s no shock that ransomware gangs would start to focus on digital machines on this platform, as they do with VMware ESXi and Hyper-V.
Whereas CISA has not shared how Akira is focusing on Nutanix AHV environments, Akira Linux encryptors analyzed by BleepingComputer try and encrypt recordsdata with the .qcow2 extension, which is the digital disk format utilized by Nutanix AHV.
Nevertheless, the .qcow2 file extension has been focused by Akira Linux encryptors since not less than the top of 2024.
Moreover, Akira’s give attention to Nutanix VMs can be not as developed as its focusing on of VMware ESXi
The Linux encryptor makes use of esxcli and vim-cmd to gracefully shut down ESXi digital machines earlier than encrypting their disks, however for Nutanix AHV, it merely encrypts the .qcow2 recordsdata instantly and doesn’t use the platform’s acli or ncli instructions to energy down AHV VMs.
Different updates
The up to date advisory additionally consists of new info on Akira’s intrusion strategies and post-compromise techniques.
To breach company networks, Akira associates generally use stolen or brute-forced VPN and SSH credentials on uncovered routers and exploit SonicWall vulnerabilities (CVE-2024-40766) on uncovered firewalls.
As soon as they acquire entry, they exploit the CVE-2023-27532 or CVE-2024-40711 vulnerabilities on unpatched Veeam Backup & Replication servers to achieve entry to and delete backups.
Inside a community, Akira members have been noticed utilizing utilities akin to nltest, AnyDesk, LogMeIn, Impacket’s wmiexec.py, and VB scripts to carry out reconnaissance, unfold laterally to different programs, and set up persistence. The risk actors additionally generally take away endpoint detection instruments and create new administrative accounts for persistence.
In a single incident, the attackers powered down a site controller VM, copied its VMDK recordsdata, hooked up them to a brand new VM, and extracted the NTDS.dit file and SYSTEM hive to acquire a site administrator account.
The advisory notes that the “Megazord” software beforehand linked to Akira operations seems to have been deserted since 2024.
Akira has exfiltrated information in as little as two hours throughout some assaults, and for command-and-control has relied on tunneling instruments akin to Ngrok to ascertain encrypted channels that bypass perimeter monitoring.
The advisory urges organizations to evaluate the up to date steerage and implement the really helpful mitigations.
CISA and the FBI additionally proceed to suggest common offline backups, enforced multifactor authentication, and fast patching of recognized exploited vulnerabilities.
Whether or not you are cleansing up outdated keys or setting guardrails for AI-generated code, this information helps your crew construct securely from the beginning.
Get the cheat sheet and take the guesswork out of secrets and techniques administration.
