Akira Ransomware Expands Targets to Nutanix AHV in Critical Sectors
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), alongside the FBI and European law enforcement, has issued an updated advisory on the Akira ransomware operation, warning of its evolving tactics and heightened threat to critical infrastructure. The group has now added Nutanix AHV virtual machines to its list of targets, alongside previously exploited platforms like VMware ESXi and Hyper-V.
First detected in June 2025, Akira’s attacks on Nutanix hypervisors, which are widely used in the healthcare, finance, and government sectors, were confirmed as recently as November 2025. The group, linked to Russian cybercriminals, has amassed $244.17 million in ransom payments and increasingly targets the manufacturing, education, IT, healthcare, financial services, and food/agriculture sectors, despite its historical focus on small and medium businesses.
Akira affiliates gain initial access through multiple vectors, including:
- Exploiting CVE-2024-40766, a critical SonicWall SSL-VPN vulnerability affecting over 438,000 exposed devices (per BitSight research).
- Compromised VPN credentials, brute-force attacks, or password spraying (e.g., using SharpDomainSpray).
- Exploiting SSH on routers or unpatched Veeam Backup servers (CVE-2023-27532, CVE-2024-40711).
Once inside, attackers move laterally to Nutanix AHV platforms, deploying encryption payloads that risk exposing business-critical and sensitive data. Notably, Akira has bypassed multi-factor authentication (MFA) in some attacks by compromising one-time password seeds or generating fraudulent tokens.
The advisory includes updated indicators of compromise (IOCs) and mitigation strategies, though core defenses remain consistent: patching vulnerabilities, enforcing MFA, strong password policies, network segmentation, and maintaining secure backups.
Akira, an offshoot of the defunct Conti ransomware group, emerged in 2023 and has since claimed high-profile victims, including Lush, Stanford University, Tietoevry, and the Toronto Zoo. Its expansion to Nutanix AHV signals a sophisticated, adaptive threat requiring heightened vigilance across critical sectors.
Source: https://www.theregister.com/security/2025/11/14/akira-ransomware-starts-hitting-nutanix-ahv/2569385
Lush Fresh Handmade Cosmetics North America cybersecurity rating report: https://www.rankiteo.com/company/lushcosmetics
{
  "id": "LUS1780770254",
  "linkid": "lushcosmetics",
  "type": "Ransomware",
  "date": "11/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [
    {"industry": "Retail", "name": "Lush", "type": "Company"},
    {"industry": "Education", "location": "USA", "name": "Stanford University", "type": "Educational Institution"},
    {"industry": "IT Services", "name": "Tietoevry", "type": "Company"},
    {"industry": "Entertainment/Recreation", "location": "Canada", "name": "Toronto Zoo", "type": "Organization"},
    {
      "industry": ["Healthcare", "Finance", "Government", "Manufacturing", "Education", "IT", "Financial Services", "Food/Agriculture"],
      "size": ["Small", "Medium", "Large"],
      "type": "Organization"
    }
  ],
  "attack_vector": [
    "Exploiting CVE-2024-40766 (SonicWall SSL-VPN)",
    "Compromised VPN credentials",
    "Brute-force attacks",
    "Password spraying",
    "Exploiting SSH on routers",
    "Exploiting unpatched Veeam Backup servers (CVE-2023-27532, CVE-2024-40711)"
  ],
  "data_breach": {
    "data_encryption": "Yes",
    "data_exfiltration": "Yes",
    "sensitivity_of_data": "High",
    "type_of_data_compromised": "Business-critical and sensitive data"
  },
  "date_detected": "2025-06-01",
  "date_publicly_disclosed": "2025-11-01",
  "description": "The U.S. Cybersecurity and Infrastructure Security Agency (CISA), alongside the FBI and European law enforcement, has issued an updated advisory on the Akira ransomware operation, warning of its evolving tactics and heightened threat to critical infrastructure. The group has now added Nutanix AHV virtual machines to its list of targets, alongside previously exploited platforms like VMware ESXi and Hyper-V. Akira affiliates gain initial access through multiple vectors, including exploiting vulnerabilities, compromised VPN credentials, and brute-force attacks. Once inside, attackers move laterally to Nutanix AHV platforms, deploying encryption payloads that risk exposing business-critical and sensitive data.",
  "impact": {
    "data_compromised": "Business-critical and sensitive data",
    "financial_loss": "$244.17 million (total ransom payments)",
    "operational_impact": "Risk of data exposure and encryption of virtual machines",
    "systems_affected": ["Nutanix AHV", "VMware ESXi", "Hyper-V"]
  },
  "investigation_status": "Ongoing",
  "motivation": "Financial gain",
  "ransomware": {
    "data_encryption": "Yes",
    "data_exfiltration": "Yes",
    "ransom_paid": "$244.17 million (total)",
    "ransomware_strain": "Akira"
  },
  "recommendations": [
    "Patching vulnerabilities",
    "Enforcing MFA",
    "Strong password policies",
    "Network segmentation",
    "Maintaining secure backups"
  ],
  "references": [{"source": "CISA Advisory"}, {"source": "BitSight Research"}],
  "regulatory_compliance": {"regulatory_notifications": "Yes (CISA advisory)"},
  "response": {
    "enhanced_monitoring": "Recommended",
    "law_enforcement_notified": "Yes (FBI, CISA, European law enforcement)",
    "network_segmentation": "Recommended"
  },
  "stakeholder_advisories": "Updated advisory issued by CISA, FBI, and European law enforcement",
  "threat_actor": "Akira Ransomware Group (linked to Russian cybercriminals)",
  "title": "Akira Ransomware Expands Targets to Nutanix AHV in Critical Sectors",
  "type": "Ransomware",
  "vulnerability_exploited": ["CVE-2024-40766", "CVE-2023-27532", "CVE-2024-40711"]
}