Akira ransomware is now targeting Nutanix VMs - and scoring big rewards


  • Akira now encrypts Nutanix AHV VM disk files using SonicWall and Veeam vulnerabilities
  • CVE-2024-40766 enabled access to firewalls; Akira used remote tools for lateral movement
  • Akira has extorted over $240 million; users urged to patch and enforce MFA

The Akira ransomware operation is now also targeting Nutanix AHV VM disk files, and seeing considerable success, an updated security advisory published by the US Cybersecurity and Infrastructure Security Agency (CISA), the Department of Defense Cyber Crime Center (DC3), and other agencies has said.

The update states Akira was observed encrypting Nutanix AHV VM disk files for the first time, in June 2025.

In the attack, the threat actors abused an improper access control vulnerability in SonicWall SonicOS.

No surprises

This bug, tracked as CVE-2024-40766 and given a severity score of 9.6/10 (critical), grants unauthorized attackers access to different resources, leading to firewall crashes.

It affects SonicWall Firewall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions, and was fixed in August 2024.
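The affected-version statement above can be turned into a quick inventory triage. The following Python is an added example, not code from the advisory or from this article; it assumes Gen 7 versions are written as `major.minor.patch-build`, and the hostnames and sample versions are constructed.

```python
import re

# Boundary stated in the article: Gen 7 on SonicOS 7.0.1-5035 and older is affected.
GEN7_LAST_AFFECTED = (7, 0, 1, 5035)
# Assumed version format: major.minor.patch-build, e.g. "7.0.1-5035".
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)-(\d+)")

def parse_sonicos(version):
    """Return (major, minor, patch, build), or None if the string does not match."""
    m = VERSION_RE.match(version or "")
    return tuple(int(p) for p in m.groups()) if m else None

def triage(generation, version):
    """Classify one firewall against the article's affected-version statement."""
    if generation in (5, 6):
        # The article lists Gen 5/6 as affected but gives no fixed build for them.
        return "affected-generation: confirm fixed build in vendor advisory"
    if generation == 7:
        parsed = parse_sonicos(version)
        if parsed is None:
            # Never treat an unreadable version as safe.
            return "unknown: version not parseable, check manually"
        if parsed <= GEN7_LAST_AFFECTED:
            return "affected: upgrade"
        return "newer than affected range"
    return "unknown: generation not covered by the article"

def triage_inventory(rows):
    """rows: iterable of (hostname, generation, version) -> {hostname: verdict}."""
    return {name: triage(gen, ver) for name, gen, ver in rows}

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("fw-edge-01", 7, "7.0.1-5035"),
    ("fw-edge-02", 7, "7.0.1-5161"),
    ("fw-branch-03", 6, "6.5.1.1-10n"),
    ("fw-lab-04", 7, "n/a"),
    ("fw-dr-05", 7, "7.0.0-5000"),
]

if __name__ == "__main__":
    for host, verdict in triage_inventory(SAMPLE).items():
        print(f"{host}: {verdict}")
```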

After gaining access, Akira would abuse the CVE-2023-27532 or CVE-2024-40711 vulnerabilities on unpatched Veeam Backup & Replication servers, and deploy legitimate tools such as AnyDesk or LogMeIn for lateral movement and to delete company backups.

Akira has made headlines with CVE-2024-40766 before, since the bug was used to successfully breach at least 30 organizations. In late October 2024, reports from security researchers Arctic Wolf and Rapid7 warned users to patch immediately since both Akira and Fog were leveraging the bug to deploy encryptors.

The Nutanix AHV platform is a Linux-based virtualization solution, designed to manage VMs on the Nutanix infrastructure. In its writeup, BleepingComputer says Akira’s pivot is “no surprise”, since its previous targets, VMware ESXi and Hyper-V, are both virtualization solutions.

In the updated report, CISA also stated that as of late September 2025, Akira managed to extort more than $240 million in ransomware attacks. Users are advised to keep their software updated, their endpoint protection strong, and their multi-factor authentication enforced.

Via BleepingComputer



Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
