Summary Points
- US agencies warn that the Akira ransomware has expanded to encrypt Nutanix AHV VM disk files, marking its first known targeting of this platform since June 2025.
- Akira primarily exploits vulnerabilities like CVE-2024-40766 to breach networks, using stolen credentials, exploiting exposed firewalls, and compromising backup servers to gain access and delete backups.
- The ransomware encrypts Nutanix AHV virtual disks directly (.qcow2 files) without powering down VMs, contrasting with its approach on VMware ESXi which involves graceful shutdowns.
- Attackers rapidly exfiltrate data, establish encrypted command channels via tunneling tools like Ngrok, and remove endpoint defenses, emphasizing the need for regular offline backups, multi-factor authentication, and prompt patching.
The Issue
In mid-2025, the Akira ransomware operation expanded its malicious activities by targeting Nutanix AHV virtual machine (VM) environments, marking a notable shift as they previously focused on other virtualization platforms like VMware ESXi and Hyper-V. The joint cybersecurity advisory from U.S. agencies including CISA, the FBI, and international partners reveals that Akira threat actors began encrypting Nutanix AHV VM disk files—specifically those with the .qcow2 extension—starting in June 2025, exploiting vulnerabilities such as CVE-2024-40766, a SonicWall vulnerability, to escalate their access. The attack methods involve breaching networks through stolen credentials and exploiting unpatched vulnerabilities in backup and security infrastructure, then deploying tools like nltest and Impacket to move laterally, often removing security tools and creating new admin accounts for persistence. Once inside, they exfiltrate data swiftly, sometimes within hours, and establish command channels using tunneling tools like Ngrok, making detection difficult. The reports highlight that this escalation affects organizations with Nantuix AHV deployments and serve as a warning to tighten security measures—like regular backups, multi-factor authentication, and prompt patching—to thwart future incursions.
The story is being reported by multiple U.S. government agencies, notably CISA and the FBI, based on investigations and incident reports collected through their ongoing cybersecurity monitoring and third-party submissions. Their warnings reflect a broader effort to alert organizations to evolving ransomware tactics, emphasizing the increasing sophistication and adaptability of Akira operators as they diversify their targets and adapt their attack techniques, making the protection of virtualization platforms more urgent than ever.
Potential Risks
The warning from CISA about the Akira ransomware targeting Linux-based systems, specifically aiming at Nutanix Virtual Machines (VMs), underscores a stark reality: similar cyberattacks could strike any business that relies on virtualized Linux environments for operations, data storage, or cloud infrastructure, potentially crippling their systems through encryption, halting workflows, encrypting critical data, and demanding hefty ransoms. Such an attack doesn’t just cause immediate operational downtime but can also lead to severe financial losses, data breaches, and damage to your company’s reputation, as malicious actors exploit vulnerabilities in your virtualization layers and security defenses. No matter your industry or size, if your business depends on VMs, the threat of ransomware like Akira poses a tangible risk—underscoring the urgent need for proactive cybersecurity measures, rigorous monitoring, and reliable backup strategies to safeguard your digital assets from devastating encryption and extortion.
Fix & Mitigation
Addressing cybersecurity threats promptly is critical to minimize damage and ensure the resilience of cloud and virtualized environments. When malicious actors deploy ransomware such as Akira targeting Linux-based Nutanix VMs, swift action can prevent extensive data loss, operational downtime, and financial repercussions.
Containment Measures
Immediately isolate affected VMs from the network to prevent the spread of ransomware. Implement network segmentation to limit lateral movement within the environment.
Detection and Analysis
Use intrusion detection systems (IDS) and security information and event management (SIEM) tools to identify malicious activity. Conduct forensic analysis to understand the scope and entry points of the attack.
Patch and Update
Apply patches and updates to vulnerable systems and software components specified by Nutanix and Linux vendors. Regularly update all firmware and security patches to reduce the attack surface.
Access Controls
Enforce strict access controls and multi-factor authentication (MFA) for all administrative accounts. Limit permissions to only what is necessary for each user.
Backup and Recovery
Ensure recent, immutable backups are available and test recovery procedures regularly. Use these backups to restore affected systems with minimal downtime.
Threat Removal and Removal
Remove malicious files and tools used by the ransomware. Conduct thorough malware scans on all potentially impacted systems.
Communication and Coordination
Notify relevant stakeholders and coordinate with cybersecurity agencies like CISA for threat intelligence and guidance. Maintain transparent communication to manage incident response effectively.
Future Prevention
Implement continuous monitoring and anomaly detection systems. Conduct regular security awareness training for staff to recognize and respond to threats promptly.
Prompt remediation following these steps is essential to reduce the impact of ransomware attacks and strengthen the security posture of virtualized workloads in accordance with NIST CSF guidelines.
Continue Your Cyber Journey
Discover cutting-edge developments in Emerging Tech and industry Insights.
Learn more about global cybersecurity standards through the NIST Cybersecurity Framework.
Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.
Cyberattacks-V1cyberattack-v1-multisource
