CISA warns of Akira ransomware Linux encryptor targeting Nutanix VMs

US government agencies are warning that the Akira ransomware operation has been observed encrypting Nutanix AHV virtual machines in attacks.

An updated joint advisory from CISA, the FBI, the Department of Defense Cyber Crime Center (DC3), the Department of Health and Human Services (HHS), and several international partners warns that Akira ransomware has expanded its encryption capabilities to Nutanix AHV VM disk files.

The advisory includes new indicators of compromise and tactics observed through FBI investigations and third-party reporting as recent as November 2025.

Encrypting Nutanix VMs in attacks

The advisory warns that in June 2025 Akira actors began to encrypt disk files for Nutanix AHV virtual machines.

“In a June 2025 incident, Akira threat actors encrypted Nutanix AHV VM disk files for the first time, expanding their capabilities beyond VMware ESXi and Hyper-V by abusing Common Vulnerabilities and Exposures (CVE)-2024-40766 [Common Weakness Enumeration (CWE)-284: Improper Access Control], a SonicWall vulnerability,” reads the updated advisory.

Nutanix's AHV platform is a Linux-based virtualization solution that runs and manages virtual machines on Nutanix's infrastructure.

As it is widely deployed, it is no surprise that ransomware gangs would begin to target virtual machines on this platform, as they do with VMware ESXi and Hyper-V.

While CISA has not shared how Akira is targeting Nutanix AHV environments, Akira Linux encryptors analyzed by BleepingComputer attempt to encrypt files with the .qcow2 extension, which is the virtual disk format used by Nutanix AHV.

However, the .qcow2 file extension has been targeted by Akira Linux encryptors since at least the end of 2024.

Furthermore, Akira's handling of Nutanix VMs is also not as developed as its targeting of VMware ESXi.

The Linux encryptor uses esxcli and vim-cmd to gracefully shut down ESXi virtual machines before encrypting their disks, but for Nutanix AHV, it simply encrypts the .qcow2 files directly and does not use the platform's acli or ncli commands to power down AHV VMs.
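Because the encryptor is reported to overwrite .qcow2 files in place, a cheap defender-side triage is to verify that every .qcow2 under the VM storage path still begins with the qcow2 magic bytes and a known version number. The script below is an added example (not code from the advisory, BleepingComputer, or Nutanix); the file names and sample bytes are constructed, and the storage root is whatever path you point it at.

```python
"""Flag .qcow2 disk images whose header no longer looks like qcow2.

Every qcow2 image starts with the 4-byte magic 'QFI\\xfb' followed by a
big-endian uint32 version (2 or 3). An encryptor that rewrites the file
from offset 0 destroys that header, so a header sweep is a fast first
signal that VM disks have been tampered with.
"""
import struct
import tempfile
from pathlib import Path

QCOW2_MAGIC = b"QFI\xfb"          # bytes 0-3 of every qcow2 image
QCOW2_VERSIONS = {2, 3}           # big-endian uint32 at bytes 4-7


def header_looks_valid(path: Path) -> bool:
    """Return True if the file begins with a plausible qcow2 header."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if len(head) < 8 or head[:4] != QCOW2_MAGIC:
        return False
    (version,) = struct.unpack(">I", head[4:8])
    return version in QCOW2_VERSIONS


def scan_vm_store(root: Path) -> dict:
    """Walk root for *.qcow2 files and split them into ok / suspicious lists."""
    result = {"ok": [], "suspicious": []}
    for path in sorted(root.rglob("*.qcow2")):
        bucket = "ok" if header_looks_valid(path) else "suspicious"
        result[bucket].append(str(path.relative_to(root)))
    return result


def build_demo_store() -> Path:
    """Constructed sample data: one intact image, one header overwritten in place."""
    root = Path(tempfile.mkdtemp(prefix="ahv-demo-"))
    intact = QCOW2_MAGIC + struct.pack(">I", 3) + b"\x00" * 64
    (root / "vm-web01.qcow2").write_bytes(intact)
    # Placeholder non-qcow2 bytes standing in for an overwritten header
    # (constructed for the demo, not real ransomware output).
    (root / "vm-dc01.qcow2").write_bytes(bytes(range(72)))
    return root


if __name__ == "__main__":
    report = scan_vm_store(build_demo_store())
    for name in report["suspicious"]:
        print(f"ALERT header no longer qcow2: {name}")
    print(f"{len(report['ok'])} ok, {len(report['suspicious'])} suspicious")
```

An encryptor that leaves the first eight bytes intact would pass this check, so treat a clean result as a triage signal rather than proof of integrity, and pair it with the offline-backup and patching guidance the advisory repeats.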

Other updates

The updated advisory also includes new information on Akira's intrusion methods and post-compromise tactics.

To breach corporate networks, Akira affiliates commonly use stolen or brute-forced VPN and SSH credentials on exposed routers and exploit SonicWall vulnerabilities (CVE-2024-40766) on exposed firewalls.

Once they gain access, they exploit the CVE-2023-27532 or CVE-2024-40711 vulnerabilities on unpatched Veeam Backup & Replication servers to gain access to and delete backups.

Inside a network, Akira members have been observed using utilities such as nltest, AnyDesk, LogMeIn, Impacket's wmiexec.py, and VB scripts to perform reconnaissance, spread laterally to other systems, and establish persistence. The threat actors also commonly remove endpoint detection tools and create new administrative accounts for persistence.

In one incident, the attackers powered down a domain controller VM, copied its VMDK files, attached them to a new VM, and extracted the NTDS.dit file and SYSTEM hive to obtain a domain administrator account.

The advisory notes that the “Megazord” tool previously linked to Akira operations appears to have been abandoned since 2024.

Akira has exfiltrated data in as little as two hours during some attacks, and for command-and-control has relied on tunneling tools such as Ngrok to establish encrypted channels that bypass perimeter monitoring.

The advisory urges organizations to review the updated guidance and implement the recommended mitigations.

CISA and the FBI also continue to recommend regular offline backups, enforced multifactor authentication, and rapid patching of known exploited vulnerabilities.
