The Akira ransomware group successfully compromised Nutanix AHV (Acropolis Hypervisor) virtual machines in June 2025 by exploiting CVE-2024-40766, a critical SonicWall vulnerability. This marked a dangerous expansion of their attack surface beyond VMware ESXi and Hyper-V environments. The breach involved rapid data exfiltration (as fast as two hours post-intrusion) and deployment of the Akira_v2 ransomware variant, which encrypted VM disk files and rendered critical infrastructure inoperable. The attack disrupted business operations, potentially halting production, service delivery, or data access for affected organizations. Given Nutanix’s role in enterprise cloud, hybrid, and hyperconverged infrastructure, the compromise threatened operational continuity, customer trust, and financial stability. The double-extortion model, combining encryption with threats to leak sensitive data, amplified the pressure on victims, with ransom demands escalating alongside the $244.17 million already extorted by Akira globally. The incident underscored the risks of unpatched systems, weak authentication (lack of MFA), and lateral movement via tools like Mimikatz and RDP abuse.
Source: https://gbhackers.com/akira-ransomware-2/
TPRM report: https://www.rankiteo.com/company/nutanix
"id": "nut0962209111425",
"linkid": "nutanix",
"type": "Ransomware",
"date": "6/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'industry': ['manufacturing',
'education',
'information technology',
'healthcare/public health',
'financial services',
'food/agriculture'],
'location': ['North America', 'Europe', 'Australia'],
'size': ['SMBs', 'enterprises'],
'type': ['small/medium businesses',
'large organizations']}],
'attack_vector': ['exploitation of VPNs without MFA',
'known vulnerabilities (CVE-2020-3259, CVE-2023-20269, '
'CVE-2020-3580, CVE-2023-28252, CVE-2024-37085, '
'CVE-2023-27532, CVE-2024-40711, CVE-2024-40766)',
'spearphishing',
'stolen credentials (initial access brokers)',
'password spraying (SharpDomainSpray)',
'brute-force attacks (VPN/SSH)',
'unpatched Veeam backup servers'],
'customer_advisories': ['organizations urged to apply mitigations and report '
'incidents'],
'data_breach': {'data_encryption': ['hybrid scheme: ChaCha20 stream cipher + '
'RSA public-key cryptosystem'],
'data_exfiltration': True,
'personally_identifiable_information': True,
'sensitivity_of_data': 'high',
'type_of_data_compromised': ['sensitive corporate data',
'potentially PII',
'financial records']},
'date_detected': '2023-03-01',
'date_publicly_disclosed': '2025-11-13',
'description': 'A newly updated cybersecurity advisory from federal agencies '
'reveals that the Akira ransomware operation has significantly '
'escalated its campaign, compromising organizations worldwide '
'and accumulating massive ransom proceeds through '
'sophisticated attack methods. The threat actors, associated '
'with groups like Storm-1567, Howling Scorpius, Punk Spider, '
'and Gold Sahara (with possible ties to the defunct Conti '
'ransomware group), have targeted small- and medium-sized '
'businesses as well as larger organizations across multiple '
'sectors. The campaign involves evolving attack methods, '
'including Windows/Linux variants, a Rust-based Megazord '
'encryptor, and exploitation of vulnerabilities like '
'CVE-2024-40766 (SonicWall) and multiple Cisco flaws. The '
'group employs double-extortion tactics, rapid data '
'exfiltration (as fast as 2 hours post-access), and advanced '
'persistence techniques such as credential scraping (Mimikatz, '
'LaZagne), lateral movement via RDP/SSH, and disabling '
'security software. As of September 2025, the operation has '
'amassed approximately $244.17 million in ransom proceeds.',
'impact': {'brand_reputation_impact': ['potential reputational damage due to '
'double-extortion threats'],
'data_compromised': True,
'financial_loss': '$244.17 million (ransom proceeds as of 2025-09)',
'identity_theft_risk': ['high (PII likely compromised in '
'exfiltrated data)'],
'operational_impact': ['encryption of critical systems',
'data exfiltration',
'disruption of backup systems (Volume '
'Shadow Copy deletion)'],
'payment_information_risk': ['high (financial data likely '
'targeted)'],
'systems_affected': ['Windows systems (C++ variant, .akira '
'extension)',
'Linux (VMware ESXi, April 2023)',
'Nutanix AHV VM disk files (June 2025)',
'Rust-based Megazord encryptor (.powerranges '
'extension)']},
'initial_access_broker': {'backdoors_established': ['new domain/local '
'accounts (e.g., '
"'itadm')"],
'entry_point': ['VPNs without MFA',
'exploited vulnerabilities',
'stolen credentials',
'phishing'],
'high_value_targets': ['critical infrastructure',
'financial services',
'healthcare']},
'investigation_status': 'ongoing (as of 2025-11-13)',
'lessons_learned': ['Rapid exfiltration (as fast as 2 hours post-access) '
'underscores need for real-time monitoring.',
'Lack of MFA on VPNs remains a critical initial access '
'vector.',
'Double-extortion tactics increase pressure on victims '
'beyond encryption.',
'Exploitation of unpatched systems (e.g., Veeam, '
'SonicWall) highlights patch management gaps.'],
'motivation': ['financial gain', 'data theft for extortion'],
'post_incident_analysis': {'corrective_actions': ['patch management overhaul',
'MFA enforcement',
'privileged access review',
'backup strategy revision '
'(offline/immutable)',
'EDR/XDR deployment for '
'threat detection'],
'root_causes': ['unpatched vulnerabilities (Cisco, '
'SonicWall, Veeam)',
'lack of MFA on VPNs/remote access',
'weak credential hygiene (password '
'spraying, reused credentials)',
'inadequate network segmentation',
'insufficient backup '
'immutability']},
'ransomware': {'data_encryption': True,
'data_exfiltration': True,
'ransomware_strain': ['Akira (C++ variant, .akira extension)',
'Akira Linux variant (VMware ESXi, April '
'2023)',
'Megazord (Rust-based, .powerranges '
'extension)',
'Akira_v2 (enhanced encryption/evasion, '
'2025)']},
'recommendations': ['Remediate all known exploited vulnerabilities '
'immediately.',
'Enforce phishing-resistant MFA for all services '
'(especially VPNs).',
'Maintain offline, immutable backups with regular '
'restoration tests.',
'Implement network segmentation to limit ransomware '
'lateral movement.',
'Deploy tools to detect abnormal activity (e.g., '
'credential scraping, data staging).',
'Disable unused ports/protocols and enforce '
'least-privilege access.',
'Audit administrative accounts and enforce time-based '
'access.',
'Do not pay ransom; report incidents to FBI IC3 or CISA.'],
'references': [{'date_accessed': '2025-11-13',
'source': 'FBI/CISA Joint Advisory (Akira Ransomware)'}],
'regulatory_compliance': {'regulatory_notifications': ['joint advisory by '
'FBI/CISA/HHS/DC3 '
'(2025-11-13)']},
'response': {'communication_strategy': ['advisory released by FBI/CISA '
'(2025-11-13)',
'reporting urged via IC3 or CISA'],
'enhanced_monitoring': ['deploy network monitoring tools for '
'abnormal activity'],
'law_enforcement_notified': ['FBI',
'CISA',
'DC3',
'HHS',
'international partners (Europe)'],
'network_segmentation': ['recommended to prevent ransomware '
'spread'],
'recovery_measures': ['restore from offline backups (tested '
'regularly)'],
'remediation_measures': ['remediate known exploited '
'vulnerabilities',
'enable phishing-resistant MFA',
'maintain offline/immutable backups',
'network segmentation',
'disable unused ports',
'long passwords (≥15 chars)',
'account lockouts after failed logins',
'audit admin privileges (least '
'privilege)']},
'stakeholder_advisories': ['FBI, CISA, DC3, HHS, international partners'],
'threat_actor': ['Akira ransomware group',
'Storm-1567',
'Howling Scorpius',
'Punk Spider',
'Gold Sahara'],
'title': 'Akira Ransomware Campaign Escalation (2023–2025)',
'type': ['ransomware', 'data breach', 'double extortion'],
'vulnerability_exploited': ['CVE-2020-3259 (Cisco)',
'CVE-2023-20269 (Cisco)',
'CVE-2020-3580 (Cisco)',
'CVE-2023-28252 (Cisco)',
'CVE-2024-37085 (Cisco)',
'CVE-2023-27532',
'CVE-2024-40711',
'CVE-2024-40766 (SonicWall)',
'unpatched Veeam backup servers']}