Top Highlights
- Imminent Threat: U.S. and European agencies warn that Akira ransomware poses a severe and immediate risk to critical infrastructure, particularly targeting sectors like healthcare and manufacturing.
- Rapid Operations: The Akira group is distinguished by its ability to quickly exfiltrate victim data, employing new malware tools and targeting previously underexplored attack surfaces, such as hypervisor technologies.
- Shift to New Targets: Akira has expanded its focus to include Nutanix’s Acropolis Hypervisor, aiming at a significant player in the market with 27,000 customers, including critical organizations.
- Evolving Tactics: The group exploits known vulnerabilities and utilizes commercial RMM tools to bypass security measures, having amassed nearly $245 million in ransom payments from over a thousand victims.
Multiple American and European government agencies warned that recent Akira ransomware activity poses an “imminent threat” to critical infrastructure.
As with most cybercrime groups, the Akira ransomware-as-a-service (RaaS) operation likes to punch down by extorting small and medium-sized businesses (SMBs). It has also gone at bigger fish, in often critical sectors like healthcare, manufacturing, and agriculture.
Highlighting its ongoing threat to critical sectors, the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), the FBI, and law enforcement bodies from France, Germany, the Netherlands, and Europol released a joint advisory on Thursday covering Akira’s latest indicators of compromise (IoCs) and tactics, techniques, and procedures (TTPs). Most notably, they pointed out how quickly the group has been exfiltrating victim data, the variety of new malware tools it has adopted and software vulnerabilities it has exploited, and its shift to a hypervisor attack surface that threat actors had hardly touched before.
In times past, “many observers were slower to recognize Akira as a major threat because an ineffective decryptor released early in its life cycle created a false sense of security, even as the group continued to expand its capabilities and accelerate its operational tempo,” says Cynthia Kaiser, former deputy director of the FBI’s Cybersecurity Division and now senior vice president of Halcyon’s Ransomware Research Center. For at least a couple of years now, though, it has been a top-tier operation, and “one of the faster moving ransomware groups we track,” she says.
Attackers Discover Nutanix AHV
In its time studying Akira, the team at Arctic Wolf Labs recalls that “what really sets Akira apart is how quickly they can stage a compromised environment for encryption.”
A key enabler, they say, “is their early focus on virtual infrastructure. By gaining control of virtual machine (VM) storage and hypervisor platforms, they can disrupt multiple critical systems at once.” And in this respect, over recent months, Akira has only doubled down.
Historically, Akira has attacked the market-leading hypervisors ESXi (VMware) and Hyper-V (Microsoft). In a June 2025 attack, though, the group encrypted virtual machine disk files associated with a smaller competitor, Nutanix’s Acropolis Hypervisor (AHV).
On its website, Nutanix claims to serve more than 27,000 customers, including organizations in some critical sectors, like the US Navy, Nasdaq, London’s Gatwick airport, and more. Its customers are spread globally, and financial analysts have noted that the company has grown consistently in recent years. They’ve also noted that AHV adoption among those customers sits just shy of 90%. In other words, AHV is a lesser-known but substantial market player, serving more than a few critical organizations.
Not only is AHV a potentially lucrative target for ransomware actors, but it’s also not a place where cybersecurity defenders might be inclined to look. Where ESXi is frequently targeted by hackers — and, to a lesser extent, Hyper-V — Akira appears to be the first major threat actor to aim its sights at AHV.
What Else Is New with Akira
Authorities also recorded a number of other new developments in Akira’s tactics. For instance, it has been exploiting a handful of known vulnerabilities, all with patches available, in edge devices and backup software, including the critical CVE-2024-40711 (Veeam Backup & Replication, deserialization of untrusted data) and CVE-2024-40766 (SonicWall SonicOS, improper access control).
It has also been using commercial remote monitoring and management (RMM) tools like AnyDesk and LogMeIn to perform administrator-level actions in victim networks, primarily to undermine security controls such as firewalls, antivirus engines, and endpoint detection and response (EDR) platforms.
A few additional malware tools have been cropping up in its arsenal, too. Akira actors have been seen using “SystemBC” both as a proxy bot and as a remote access Trojan (RAT), and the paired “StoneStop” and “PoorTry” (a Windows utility and a malicious driver, respectively) for terminating security processes.
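The RMM abuse described above (a commercial remote-access tool run with administrator rights, then used to switch off firewalls, antivirus and EDR) lends itself to a simple correlation rule. The Python below is an added example, not code from the advisory or from any vendor named in this article. It scans constructed process-creation events, flags AnyDesk or LogMeIn launches on hosts or from install paths the organisation has not sanctioned, and raises the severity of a defence-tampering command when it lands on the same host shortly after an RMM start. The allowlist, the executable-name patterns, the security service names and the 30-minute window are all assumptions to be adjusted to the local environment.

```python
"""
Added example: correlate unsanctioned RMM tool execution with commands that
disable security tooling. The event format, host names, allowlist and
timestamps are constructed for illustration, not taken from the advisory.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ProcEvent:
    ts: datetime      # process start time
    host: str         # endpoint name
    user: str         # account that launched the process
    image: str        # full path of the executable
    cmdline: str      # command line as logged


# RMM executables named in the advisory. Name patterns are an assumption:
# AnyDesk ships as AnyDesk.exe; LogMeIn components start with "LogMeIn" or "LMI".
RMM_IMAGES = {
    "AnyDesk": re.compile(r"\\anydesk[^\\]*\.exe$", re.IGNORECASE),
    "LogMeIn": re.compile(r"\\(logmein|lmi)[^\\]*\.exe$", re.IGNORECASE),
}

# Where the organisation's own RMM is allowed to run (assumed policy): only
# AnyDesk, only on the helpdesk host, only from its normal install directory.
SANCTIONED = {
    "AnyDesk": {"hosts": {"HELPDESK-01"},
                "root": "c:\\program files (x86)\\anydesk\\"},
}

# Commands that switch off firewall / antivirus / EDR. Service names are an
# assumed list (WinDefend = Defender AV, Sense = Defender for Endpoint).
DEFENSE_TAMPER = [
    re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.IGNORECASE),
    re.compile(r"\bsc(\.exe)?\s+(stop|delete|config)\s+(windefend|sense)\b", re.IGNORECASE),
    re.compile(r"set-mppreference\b.*-disablerealtimemonitoring\s+\$?true", re.IGNORECASE),
]


def classify_rmm(ev: ProcEvent):
    """Return the RMM tool name if the image is a known RMM executable, else None."""
    for name, pattern in RMM_IMAGES.items():
        if pattern.search(ev.image):
            return name
    return None


def is_sanctioned(tool: str, ev: ProcEvent) -> bool:
    """True only if the tool, the host and the install path are all on the allowlist."""
    policy = SANCTIONED.get(tool)
    if policy is None:
        return False
    return ev.host in policy["hosts"] and ev.image.lower().startswith(policy["root"])


def is_defense_tamper(ev: ProcEvent) -> bool:
    return any(p.search(ev.cmdline) for p in DEFENSE_TAMPER)


def detect(events, window=timedelta(minutes=30)):
    """Return (severity, host, description) findings in chronological order.

    Every RMM start (sanctioned or not) is remembered per host so that a
    tampering command shortly afterwards on that host is escalated to "high".
    """
    findings = []
    rmm_starts = {}  # host -> (timestamp, tool) of the most recent RMM start
    for ev in sorted(events, key=lambda e: e.ts):
        tool = classify_rmm(ev)
        if tool:
            rmm_starts[ev.host] = (ev.ts, tool)
            if not is_sanctioned(tool, ev):
                findings.append(("medium", ev.host,
                                 f"{tool} started outside policy by {ev.user}: {ev.image}"))
            continue
        if is_defense_tamper(ev):
            prior = rmm_starts.get(ev.host)
            if prior and ev.ts - prior[0] <= window:
                minutes = int((ev.ts - prior[0]).total_seconds() // 60)
                findings.append(("high", ev.host,
                                 f"security tooling disabled {minutes} min after {prior[1]} start: {ev.cmdline}"))
            else:
                findings.append(("medium", ev.host,
                                 f"security tooling disabled: {ev.cmdline}"))
    return findings


def sample_events():
    """Constructed events: one sanctioned RMM start, one rogue intrusion chain, one stray command."""
    t = datetime(2025, 1, 1, 10, 0)
    return [
        ProcEvent(t, "HELPDESK-01", "svc_rmm",
                  r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "AnyDesk.exe --service"),
        ProcEvent(t + timedelta(minutes=5), "FILESRV-02", "jdoe",
                  r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe", "AnyDesk.exe --install"),
        ProcEvent(t + timedelta(minutes=12), "FILESRV-02", "jdoe",
                  r"C:\Windows\System32\netsh.exe", "netsh advfirewall set allprofiles state off"),
        ProcEvent(t + timedelta(minutes=20), "FILESRV-02", "jdoe",
                  r"C:\Program Files\LogMeIn\LogMeIn.exe", "LogMeIn.exe"),
        ProcEvent(t + timedelta(minutes=90), "WS-117", "asmith",
                  r"C:\Windows\System32\sc.exe", "sc stop WinDefend"),
    ]


if __name__ == "__main__":
    for severity, host, desc in detect(sample_events()):
        print(f"[{severity}] {host}: {desc}")
```

The point of the rule is not the RMM binary by itself, which is legitimate software on many networks, but the combination of an unexpected host or install path with a defence-evasion command a few minutes later; the helpdesk host in the sample produces no finding, the rogue AnyDesk copy in a user's Temp directory does, and the firewall being disabled seven minutes later on the same host is what gets escalated.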
As evidence of Akira’s tactical success, authorities noted that the group has sometimes exfiltrated victims’ data in just over two hours’ time. And by late September 2025 — without counting its latest activity — Akira had already collected just shy of $245 million in ransom payments.
The Arctic Wolf Labs team adds that “publicly, more than a thousand total Akira victims are known throughout their tenure. The real number is almost certainly higher.”
