CISA flags imminent threat as Akira ransomware starts hitting Nutanix AHV

Summary

The US Cybersecurity and Infrastructure Security Agency (CISA), working with the FBI and European partners, has updated an advisory warning that the Akira ransomware operation now targets Nutanix AHV virtual machines in addition to previously targeted VMware ESXi and Hyper-V platforms. Attacks against Nutanix hypervisors were observed as early as June and the advisory contains updated indicators of compromise (IOCs) and mitigations. Akira affiliates gain initial access through vulnerable VPN appliances (notably SonicWall CVE-2024-40766), compromised credentials, password spraying and by exploiting unpatched backup and replication software such as Veeam. The group has a broad sector focus and continues to evolve its tactics to bypass common protections.

Key Points

  • CISA, with FBI and European partners, issued an updated advisory on Akira, labelling it an imminent threat to critical sectors.
  • Akira has expanded to target Nutanix AHV VMs, adding to prior attacks on VMware ESXi and Hyper-V hypervisors.
  • Initial access vectors include VPN bugs (CVE-2024-40766 affecting SonicWall), compromised credentials, password spraying and SSH/router pivoting.
  • Affiliates exploit unpatched backup software (Veeam CVE-2023-27532 and CVE-2024-40711) during lateral movement before encrypting AHV VMs.
  • Targeted sectors: manufacturing, education, IT, healthcare and public health, financial services, food and agriculture, plus CNI organisations.
  • CISA published updated IOCs and recommended mitigations; core advice remains patching, MFA, strong passwords, backups and segmentation.
  • Security experts warn Akira can bypass some protections (including MFA in certain breaches) and that organisations must prioritise remediating known exploited vulnerabilities.
  • Akira’s criminal revenue is currently estimated at about $244.17 million; attacks date from its 2023 emergence as a Conti offshoot.

Content summary

The advisory, refreshed in November 2025, describes a clear escalation in Akira’s campaign: operators have broadened their hypervisor targets to include Nutanix AHV. CISA and partners observed compromises targeting Nutanix hypervisors since June but did not name affected organisations. The advisory reiterates how affiliates commonly gain initial access, notably via SonicWall SSL-VPN flaws (CVE-2024-40766), stolen or brute-forced VPN credentials, and password-spraying tools such as SharpDomainSpray.

Once inside, attackers move laterally, exploit public vulnerabilities in backup systems like Veeam, and then deploy encryption payloads against AHV-hosted VMs, risking loss of business-critical and sensitive data. The guidance includes updated IOCs and sector-specific mitigations (including K-12), though the recommended defensive measures mirror standard ransomware best practice.
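Password spraying against VPN logins is one of the initial-access vectors the advisory lists. As an added example (this is not code from the advisory, CISA or The Register), the routine below flags sources that fail authentication against many distinct accounts inside a short window, and marks whether a successful login followed the spray. The log layout, IP addresses, usernames and thresholds are all constructed assumptions for the demonstration, not any vendor's real format.

```python
"""Password-spray detection over VPN authentication logs (added example).

The key=value line layout below is a hypothetical, generic syslog-style
format constructed for this example, not a specific appliance's output.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log: 203.0.113.7 tries many accounts (a spray) and then
# lands a login; 198.51.100.9 is one user mistyping a password (benign).
SAMPLE_LOG = """\
2025-11-10T08:00:01Z vpn-auth src=203.0.113.7 user=alice result=FAIL
2025-11-10T08:00:03Z vpn-auth src=203.0.113.7 user=bob result=FAIL
2025-11-10T08:00:05Z vpn-auth src=203.0.113.7 user=carol result=FAIL
2025-11-10T08:00:07Z vpn-auth src=203.0.113.7 user=dave result=FAIL
2025-11-10T08:00:09Z vpn-auth src=203.0.113.7 user=erin result=FAIL
2025-11-10T08:00:11Z vpn-auth src=203.0.113.7 user=frank result=SUCCESS
2025-11-10T08:01:00Z vpn-auth src=198.51.100.9 user=grace result=FAIL
2025-11-10T08:01:20Z vpn-auth src=198.51.100.9 user=grace result=FAIL
2025-11-10T08:01:40Z vpn-auth src=198.51.100.9 user=grace result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_events(text):
    """Return a list of (timestamp, src, user, success) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["src"], m["user"], m["result"] == "SUCCESS"))
    return events


def detect_password_spray(text, window_seconds=300, min_users=5):
    """Flag sources that fail logins for >= min_users distinct accounts within any
    window_seconds span. The thresholds are assumptions; tune them to your volume."""
    by_src = defaultdict(list)
    for ts, src, user, ok in parse_events(text):
        by_src[src].append((ts, user, ok))

    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [(ts, user) for ts, user, ok in evs if not ok]
        best, best_users, left = 0, set(), 0
        # Sliding window over failures: count distinct usernames per window.
        for right in range(len(fails)):
            while (fails[right][0] - fails[left][0]).total_seconds() > window_seconds:
                left += 1
            users = {u for _, u in fails[left:right + 1]}
            if len(users) > best:
                best, best_users = len(users), users
        if best >= min_users:
            first_fail = fails[0][0]
            # A success from the same source after the spray started is the
            # case to escalate first: the spray may have found a valid password.
            success_after = any(ok and ts >= first_fail for ts, _, ok in evs)
            findings[src] = {
                "distinct_users": best,
                "users": sorted(best_users),
                "success_after_spray": success_after,
            }
    return findings


if __name__ == "__main__":
    for src, info in detect_password_spray(SAMPLE_LOG).items():
        print(f"{src}: {info['distinct_users']} accounts targeted, "
              f"success after spray: {info['success_after_spray']}")
```

The window-based count is what separates a spray from a single user fumbling a password; a source that only ever fails for one account never trips the threshold, while one that cycles through many accounts does. Feeding the same logic from a SIEM export gives a cheap first-pass alert to pair with the advisory's standing advice on MFA and patched VPN appliances.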

Context and relevance

This advisory matters because Nutanix is widely used across healthcare, finance, government and other critical sectors, so successful AHV compromises have high impact. The shift from targeting only ESXi and Hyper-V to also hitting AHV highlights a trend: ransomware groups adapting to find the weakest link across virtualisation stacks and infrastructure software such as VPNs and backup products. For security teams, this advisory ties into ongoing concerns about exposed VPN appliances, unpatched backups, and credential theft or reuse. It underlines the need for rapid patching, robust access controls and segmentation to limit lateral movement.

Why should I read this?

Look: if you run Nutanix AHV, manage VPNs or care for backups, this is a proper heads-up. The advisory includes IOCs and concrete mitigations that could save you downtime and headaches. It’s short, actionable and directly relevant if you want to avoid being the next ransom headline.

Source

Source: https://www.theregister.com/2025/11/14/cisa_akira_ransomware/