US authorities businesses are warning that the Akira ransomware operation has been noticed encrypting Nutanix AHV digital machines in assaults.
An up to date joint advisory from CISA, the FBI, the Division of Protection Cyber Crime Heart (DC3), the Division of Well being and Human Providers (HHS), and several other worldwide companions alerts that Akira ransomware has expanded its encryption capabilities Nutanix AHV VM disk information.
The advisory consists of new indicators of compromise and ways noticed by means of FBI investigations and third-party reporting as latest as November 2025.
Encrypting Nutanix VMs in assaults
The advisory warns that in June 2025 Akira actors began to encrypt disk information for Nutanix AHV digital machines.
“In a June 2025 incident, Akira menace actors encrypted Nutanix AHV VM disk information for the primary time, increasing their capabilities past VMware ESXi and Hyper-V by abusing Frequent Vulnerabilities and Exposures (CVE)-2024-40766 [Common Weakness Enumeration (CWE)-284: Improper Access Control], a SonicWall vulnerability,” reads the up to date advisory.
Nutanix’s AHV platform is a Linux-based virtualization resolution that runs and manages digital machines on Nutanix’s infrastructure.
As it’s extensively deployed, it’s no shock that ransomware gangs would start to focus on digital machines on this platform, as they do with VMware ESXi and Hyper-V.
Whereas CISA has not shared how Akira is concentrating on Nutanix AHV environments, Akira Linux encryptors analyzed by BleepingComputer try to encrypt information with the .qcow2 extension, which is the digital disk format utilized by Nutanix AHV.
Nonetheless, the .qcow2 file extension has been focused by Akira Linux encryptors since at the very least the top of 2024.
Moreover, Akira’s give attention to Nutanix VMs can also be not as developed as its concentrating on of VMware ESXi
The Linux encryptor makes use of esxcli and vim-cmd to gracefully shut down ESXi digital machines earlier than encrypting their disks, however for Nutanix AHV, it merely encrypts the .qcow2 information straight and doesn’t use the platform’s acli or ncli instructions to energy down AHV VMs.
Different updates
The up to date advisory additionally consists of new data on Akira’s intrusion strategies and post-compromise ways.
To breach company networks, Akira associates generally use stolen or brute-forced VPN and SSH credentials on uncovered routers and exploit SonicWall vulnerabilities (CVE-2024-40766) on uncovered firewalls.
As soon as they acquire entry, they exploit the CVE-2023-27532 or CVE-2024-40711 vulnerabilities on unpatched Veeam Backup & Replication servers to realize entry to and delete backups.
Inside a community, Akira members have been noticed utilizing utilities equivalent to nltest, AnyDesk, LogMeIn, Impacket’s wmiexec.py, and VB scripts to carry out reconnaissance, unfold laterally to different methods, and set up persistence. The menace actors additionally generally take away endpoint detection instruments and create new administrative accounts for persistence.
In a single incident, the attackers powered down a website controller VM, copied its VMDK information, connected them to a brand new VM, and extracted the NTDS.dit file and SYSTEM hive to acquire a website administrator account.
The advisory notes that the “Megazord” software beforehand linked to Akira operations seems to have been deserted since 2024.
Akira has exfiltrated information in as little as two hours throughout some assaults, and for command-and-control has relied on tunneling instruments equivalent to Ngrok to ascertain encrypted channels that bypass perimeter monitoring.
The advisory urges organizations to evaluation the up to date steerage and implement the really helpful mitigations.
CISA and the FBI additionally proceed to advocate common offline backups, enforced multifactor authentication, and fast patching of recognized exploited vulnerabilities.
As MCP (Mannequin Context Protocol) turns into the usual for connecting LLMs to instruments and information, safety groups are shifting quick to maintain these new providers protected.
This free cheat sheet outlines 7 finest practices you can begin utilizing as we speak.
