Nutanix

The Akira ransomware group exploited CVE-2024-40766 (a critical improper-access-control flaw in SonicWall SonicOS firewalls, rated CVSS 9.6/10) to gain unauthorized access to networks hosting Nutanix AHV virtualization environments. Once inside, the attackers exploited additional vulnerabilities (CVE-2023-27532 or CVE-2024-40711) in unpatched Veeam Backup & Replication servers and moved laterally using legitimate remote-access tools such as AnyDesk and LogMeIn. The intrusions resulted in the encryption of Nutanix AHV VM disk files, deletion of backups, and widespread operational disruption. As of September 2025, Akira had extorted over $240 million from victims, with at least 30 organizations breached via this method. Affected companies were forced to halt VM operations, risking prolonged downtime, data loss, and financial extortion. CISA and DC3 warned of the campaign’s severity, urging immediate patching, MFA enforcement, and endpoint hardening to limit further damage. The incident underscores the growing threat of ransomware targeting virtualization platforms, where successful encryption of the hypervisor’s VM storage can cripple an entire IT infrastructure at once.

Source: https://www.techradar.com/pro/security/akira-ransomware-is-now-targeting-nutanix-vms-and-scoring-big-rewards

TPRM report: https://www.rankiteo.com/company/nutanix

{
  "id": "nut2992529111425",
  "linkid": "nutanix",
  "type": "Ransomware",
  "date": "6/2023",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'customers_affected': '30+ organizations (as of '
                                              '2024-10)',
                        'type': ['enterprise organizations',
                                 'government entities (implied by DoD '
                                 'involvement)']}],
 'attack_vector': ['exploitation of public-facing application (CVE-2024-40766 '
                   'in SonicWall SonicOS)',
                   'exploitation of backup vulnerabilities (CVE-2023-27532, '
                   'CVE-2024-40711 in Veeam)',
                   'legitimate remote tools (AnyDesk, LogMeIn) for lateral '
                   'movement'],
 'customer_advisories': ['Patch SonicWall and Veeam vulnerabilities '
                         'immediately',
                         'Enforce MFA',
                         'Monitor for Akira ransomware indicators of '
                         'compromise (IoCs)'],
 'data_breach': {'data_encryption': True,
                 'file_types_exposed': ['.vmdk', '.vhd', 'backup files'],
                 'sensitivity_of_data': 'high (enterprise VMs and backups)',
                 'type_of_data_compromised': ['VM disk files', 'backup data']},
 'date_detected': '2025-06',
 'date_publicly_disclosed': '2025-09',
 'description': 'The Akira ransomware operation is now targeting Nutanix AHV '
                'VM disk files by exploiting CVE-2024-40766 (SonicWall '
                'SonicOS) and CVE-2023-27532/CVE-2024-40711 (Veeam Backup & '
                'Replication). The group has extorted over $240 million as of '
                'September 2025. Attackers used remote tools like AnyDesk and '
                'LogMeIn for lateral movement and backup deletion. CISA, DC3, '
                'and other agencies issued advisories urging patching and MFA '
                'enforcement.',
 'impact': {'brand_reputation_impact': 'high (due to widespread media coverage '
                                       'and CISA advisories)',
            'data_compromised': ['VM disk files (Nutanix AHV)',
                                 'backup data (Veeam)'],
            'financial_loss': '$240 million (extorted as of 2025-09)',
            'operational_impact': ['encryption of VM disk files',
                                   'deletion of backups',
                                   'lateral movement across networks'],
            'systems_affected': ['Nutanix AHV virtualization platforms',
                                 'SonicWall Firewall (Gen 5, 6, 7)',
                                 'Veeam Backup & Replication servers']},
 'initial_access_broker': {'backdoors_established': ['AnyDesk', 'LogMeIn'],
                           'entry_point': 'SonicWall SonicOS vulnerability '
                                          '(CVE-2024-40766)',
                           'high_value_targets': ['Nutanix AHV VM disk files',
                                                  'Veeam backups']},
 'investigation_status': 'ongoing (as of 2025-09)',
 'lessons_learned': ['Critical importance of patching firewall and backup '
                     'vulnerabilities (SonicWall, Veeam)',
                     'Need for MFA enforcement to prevent lateral movement',
                     'Risks of unmonitored remote access tools (AnyDesk, '
                     'LogMeIn)',
                     'Targeting of virtualization platforms (Nutanix AHV, '
                     'VMware ESXi, Hyper-V) by ransomware groups'],
 'motivation': 'financial gain (ransomware extortion)',
 'post_incident_analysis': {'corrective_actions': ['Mandatory patching '
                                                   'timelines for critical '
                                                   'infrastructure',
                                                   'MFA enforcement policies',
                                                   'Restriction of remote '
                                                   'access tools to authorized '
                                                   'personnel',
                                                   'Network segmentation '
                                                   'reviews',
                                                   'Backup integrity '
                                                   'monitoring'],
                            'root_causes': ['Unpatched critical '
                                            'vulnerabilities in SonicWall and '
                                            'Veeam',
                                            'Lack of MFA enforcement',
                                            'Over-reliance on vulnerable '
                                            'remote access tools',
                                            'Insufficient segmentation between '
                                            'virtualization and backup '
                                            'systems']},
 'ransomware': {'data_encryption': True, 'ransomware_strain': 'Akira'},
 'recommendations': ['Immediately patch SonicWall SonicOS (CVE-2024-40766) and '
                     'Veeam Backup & Replication (CVE-2023-27532, '
                     'CVE-2024-40711)',
                     'Enforce multi-factor authentication (MFA) across all '
                     'systems',
                     'Monitor for unauthorized use of remote access tools '
                     '(AnyDesk, LogMeIn)',
                     'Segment networks to limit lateral movement',
                     'Implement immutable backups to prevent deletion during '
                     'attacks',
                     'Update endpoint protection solutions to detect Akira '
                     'ransomware activity'],
 'references': [{'date_accessed': '2025-09',
                 'source': 'CISA Advisory (via BleepingComputer)'},
                {'date_accessed': '2025-09', 'source': 'TechRadar'},
                {'date_accessed': '2024-10', 'source': 'Arctic Wolf Research'},
                {'date_accessed': '2024-10', 'source': 'Rapid7 Analysis'}],
 'regulatory_compliance': {'regulatory_notifications': ['CISA advisory',
                                                        'DoD Cyber Crime '
                                                        'Center involvement']},
 'response': {'communication_strategy': ['CISA advisory',
                                         'media reports (BleepingComputer, '
                                         'TechRadar)'],
              'containment_measures': ['patching SonicWall and Veeam '
                                       'vulnerabilities',
                                       'enforcing MFA'],
              'incident_response_plan_activated': True,
              'law_enforcement_notified': True,
              'third_party_assistance': ['CISA',
                                         'Department of Defense Cyber Crime '
                                         'Center (DC3)',
                                         'Arctic Wolf',
                                         'Rapid7']},
 'stakeholder_advisories': ['CISA',
                            'DoD Cyber Crime Center',
                            'Nutanix',
                            'SonicWall',
                            'Veeam'],
 'threat_actor': 'Akira ransomware group',
 'title': 'Akira Ransomware Targets Nutanix AHV VM Disk Files via SonicWall '
          'and Veeam Vulnerabilities',
 'type': ['ransomware', 'data encryption', 'lateral movement'],
 'vulnerability_exploited': [{'affected_products': ['SonicWall Firewall Gen 5',
                                                    'SonicWall Firewall Gen 6',
                                                    'SonicWall Gen 7 (SonicOS '
                                                    '7.0.1-5035 and older)'],
                              'cve_id': 'CVE-2024-40766',
                              'description': 'Improper access control in '
                                             'SonicWall SonicOS (CVSS 9.6/10)',
                              'patch_available': True,
                              'patch_date': '2024-08'},
                             {'affected_products': ['Veeam Backup & '
                                                    'Replication (unpatched '
                                                    'versions)'],
                              'cve_id': 'CVE-2023-27532',
                              'description': 'Vulnerability in Veeam Backup & '
                                             'Replication'},
                             {'affected_products': ['Veeam Backup & '
                                                    'Replication (unpatched '
                                                    'versions)'],
                              'cve_id': 'CVE-2024-40711',
                              'description': 'Vulnerability in Veeam Backup & '
                                             'Replication'}]}