CISA Alerts: Akira Ransomware Now Targets Linux, Nutanix VMs

▼ Summary
– US government agencies warn that Akira ransomware now encrypts Nutanix AHV virtual machines, expanding its targets beyond VMware ESXi and Hyper-V.
– In a June 2025 intrusion, Akira actors gained access by exploiting an improper access control vulnerability in SonicWall firewalls (CVE-2024-40766) and went on to encrypt Nutanix AHV virtual machine disk files.
– The group's Linux encryptor targets .qcow2 files, the disk image format Nutanix AHV uses, but unlike its VMware ESXi routine it does not power the VMs down first.
– Akira affiliates breach networks using stolen VPN/SSH credentials, exploit SonicWall and Veeam vulnerabilities, and use tools like AnyDesk and Impacket for lateral movement and persistence.
– CISA and FBI recommend mitigations including regular offline backups, multifactor authentication, and prompt patching of known vulnerabilities to defend against Akira attacks.
U.S. government agencies have issued an updated alert on the Akira ransomware group, which has expanded its operations to Linux-based systems and Nutanix AHV virtual machines. Organizations running these platforms, previously outside Akira's usual hypervisor targets, now need to account for them in their defenses.
An updated joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and multiple international partners reveals that Akira ransomware actors have begun encrypting disk files on Nutanix AHV virtual machines. The advisory, which incorporates recent findings from FBI investigations and third-party reports up to November 2025, includes new indicators of compromise and detailed tactics used by the threat group.
In a June 2025 incident, Akira operators encrypted Nutanix AHV VM disk files for the first time, extending their reach beyond the more commonly targeted VMware ESXi and Hyper-V platforms. The attackers gained entry by exploiting CVE-2024-40766, an improper access control vulnerability in SonicWall firewalls. Nutanix AHV is a widely deployed, Linux-based (KVM-derived) hypervisor, which makes it an attractive target for ransomware gangs seeking to encrypt many workloads at once.
While CISA has not disclosed exactly how Akira operates inside Nutanix AHV environments, analysis of Akira's Linux encryptors shows they attempt to encrypt files with the .qcow2 extension, the QEMU disk image format that AHV uses for virtual disks. Akira's encryptors have targeted .qcow2 files since late 2024, but their handling of Nutanix environments is less refined than their handling of VMware ESXi. On ESXi, the Linux encryptor runs esxcli and vim-cmd to shut down virtual machines cleanly before encryption; on AHV it issues no equivalent acli or ncli commands to power down VMs and simply encrypts the .qcow2 files in place while the VMs are running.
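Because the encryptor overwrites .qcow2 files in place, a responder triaging an AHV storage export can tell intact images from mangled ones by reading the fixed 72-byte qcow2 header: every valid image starts with the magic bytes QFI\xfb followed by a version of 2 or 3, a cluster size between 512 bytes and 2 MiB, and cluster-aligned table offsets. The script below is an added example written for this page, not code from the advisory, from CISA or from BleepingComputer; the file names and payloads in demo() are constructed sample data, and the ".enc" suffix on one of them is a placeholder rather than a known Akira extension.

```python
"""Header triage for Nutanix AHV / QEMU qcow2 disk images.

Added example (not from the advisory). Classifies each image by its
qcow2 header so a responder can separate intact disks from ones whose
header was overwritten by an encryptor that rewrote the file in place.
"""
import os
import shutil
import struct
import tempfile

QCOW2_MAGIC = b"QFI\xfb"   # 0x514649fb, the first four bytes of every qcow2 image
HEADER_LEN = 72            # header fields common to qcow2 v2 and v3

# Big-endian header layout (QEMU docs/interop/qcow2.txt): magic, version,
# backing_file_offset, backing_file_size, cluster_bits, size, crypt_method,
# l1_size, l1_table_offset, refcount_table_offset, refcount_table_clusters,
# nb_snapshots, snapshots_offset.
_HDR = struct.Struct(">4sIQIIQIIQQIIQ")


def inspect_qcow2(data: bytes) -> dict:
    """Classify the first bytes of a disk image. 'status' is one of
    ok / truncated / bad_magic / bad_version / bad_cluster_bits / misaligned_tables."""
    if len(data) < HEADER_LEN:
        return {"status": "truncated", "length": len(data)}
    (magic, version, _bf_off, _bf_sz, cluster_bits, size, crypt_method,
     _l1_size, l1_off, rc_off, _rc_clusters, nb_snapshots,
     _snap_off) = _HDR.unpack_from(data)
    if magic != QCOW2_MAGIC:
        return {"status": "bad_magic", "magic": magic.hex()}
    if version not in (2, 3):
        return {"status": "bad_version", "version": version}
    if not 9 <= cluster_bits <= 21:          # QEMU allows 512 B .. 2 MiB clusters
        return {"status": "bad_cluster_bits", "cluster_bits": cluster_bits}
    cluster_size = 1 << cluster_bits
    # Both table offsets must be cluster aligned; ciphertext that happened to
    # keep the magic intact will almost never keep these aligned as well.
    if l1_off % cluster_size or rc_off % cluster_size:
        return {"status": "misaligned_tables"}
    return {
        "status": "ok",
        "version": version,
        "virtual_size": size,
        "cluster_size": cluster_size,
        # qcow2's own legacy AES/LUKS encryption flag, unrelated to ransomware
        "qemu_encrypted": crypt_method != 0,
        "snapshots": nb_snapshots,
    }


def scan_images(root: str) -> dict:
    """Walk root and inspect every file whose name contains '.qcow2', so that
    images an encryptor renamed (disk.qcow2.<ext>) are still examined."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if ".qcow2" not in name.lower():
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    results[path] = inspect_qcow2(fh.read(HEADER_LEN))
            except OSError as exc:
                results[path] = {"status": "unreadable", "error": str(exc)}
    return results


def build_header(version: int = 3, cluster_bits: int = 16,
                 virtual_size: int = 20 * 2**30) -> bytes:
    """Construct a minimal, spec-consistent qcow2 header (sample data only)."""
    cluster = 1 << cluster_bits
    return _HDR.pack(QCOW2_MAGIC, version, 0, 0, cluster_bits, virtual_size,
                     0, 1, cluster, 2 * cluster, 1, 0, 0)


def demo() -> dict:
    """Write a constructed sample tree, scan it, return {basename: status}."""
    tmp = tempfile.mkdtemp(prefix="qcow2-triage-")
    samples = {                                                   # constructed data
        "vm01-disk0.qcow2": build_header() + b"\0" * 4096,        # intact image
        "vm02-disk0.qcow2.enc": bytes(range(256)) * 16,          # overwritten, then renamed
        "vm03-disk0.qcow2": QCOW2_MAGIC + b"\xff" * 68,           # magic kept, fields garbage
        "vm04-disk0.qcow2": build_header()[:40],                  # truncated header
        "notes.txt": b"not a disk image",                         # ignored by the scan
    }
    for name, payload in samples.items():
        with open(os.path.join(tmp, name), "wb") as fh:
            fh.write(payload)
    results = {os.path.basename(p): r["status"] for p, r in scan_images(tmp).items()}
    shutil.rmtree(tmp, ignore_errors=True)
    return results


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:18} {name}")
```

The header check is a fast first pass, not proof of integrity: an encryptor that rewrites only part of a file body, or that writes ciphertext to a new file and deletes the original, leaves no header damage to find. Images that pass should still be verified with `qemu-img check` and compared against offline backups before being trusted.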
The advisory also sheds light on Akira’s broader intrusion and post-compromise strategies. To gain initial access to corporate networks, Akira affiliates often use stolen or brute-forced credentials for VPN and SSH services on exposed routers. They also take advantage of SonicWall vulnerabilities, such as CVE-2024-40766, on internet-facing firewalls. Once inside, they exploit known vulnerabilities in Veeam Backup & Replication servers, specifically CVE-2023-27532 and CVE-2024-40711, to access and delete backup data, thereby complicating recovery efforts.
Inside the network, Akira actors have been observed using a range of tools for reconnaissance, lateral movement, and persistence, including nltest, remote access software such as AnyDesk and LogMeIn, Impacket's wmiexec.py, and custom VB scripts. They frequently disable endpoint detection tools and create new administrative accounts to retain access. In one documented case, the attackers powered down a domain controller VM, copied its virtual disk files, attached them to a new VM, and extracted the NTDS.dit Active Directory database together with the SYSTEM registry hive (which holds the boot key needed to decrypt the password hashes in NTDS.dit) to obtain domain administrator privileges, all without touching the running domain controller's security controls.
Data exfiltration has occurred in as little as two hours during some Akira attacks. For command and control, the group often relies on tunneling tools such as Ngrok to establish encrypted communication channels that evade perimeter security monitoring. Notably, the “Megazord” tool, previously associated with Akira operations, appears to have been discontinued since 2024.
CISA and the FBI strongly urge all organizations to review the updated advisory and apply the recommended mitigations. Key defensive actions include maintaining regular offline backups, enforcing multifactor authentication across all critical systems, and promptly applying patches for known exploited vulnerabilities to reduce the risk of compromise.
(Source: Bleeping Computer)