
November 17, 2025 |

Akira ransomware targeting Nutanix AHV


At a glance: Akira ransomware actors are adopting several new TTPs, including expanded targeting of virtual infrastructure such as Nutanix AHV and the ability to encrypt AHV disk files in addition to ESXi and Hyper-V. Field Effect's security operations center continues to actively track and investigate Akira activity.

Threat summary

On November 13, the Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with a number of intelligence agencies, released an update to advisory AA24-109A detailing new tactics, techniques, and procedures (TTPs) used by Akira ransomware actors.

The update highlights expanded targeting of virtual environments, credential harvesting from backup systems, and rapid data exfiltration—developments that reflect Akira’s continued evolution and impact across multiple sectors.

Akira has been active since March 2023 and is associated with threat clusters such as Storm-1567, Howling Scorpius, Punk Spider, and Gold Sahara. The group is believed to have ties to the now-defunct Conti ransomware gang.

According to CISA, as of September 2025, Akira has extorted over USD 244 million from more than 250 victims. Targeted sectors include manufacturing, education, information technology, healthcare, finance, and agriculture.

The latest Akira_v2 variant is written in Rust, which improves performance and stability while making detection and reverse engineering more difficult. Rust’s cross-platform support also enables efficient targeting of both Linux and Windows environments.

Akira now appends encrypted files with extensions such as .akira, .powerranges, .akiranew, or .aki. It includes thread control for faster encryption and build ID validation to prevent execution in unauthorized environments. Data exfiltration has been observed within two hours of initial access using tools including FileZilla, WinSCP, RClone, and Ngrok. Akira also continues to employ double extortion tactics, threatening to leak stolen data via its Tor-based leak site.
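The two behaviours in the paragraph above (exfiltration tooling launched within two hours of initial access, and files being rewritten with Akira extensions) are the ones a SOC would want to catch before the hypervisor layer is touched. The script below is an added illustration of that correlation logic, not Field Effect code and not from the CISA advisory. The log format, host names, the executable names for the exfil tools, and the one-minute rename-burst window are all constructed assumptions for the example; the extensions, tool list and two-hour window come from the advisory as summarised on this page.

```python
"""Added example: correlate Akira-style TTPs over a constructed event log.

Assumed log format (one event per line): timestamp|host|event|detail
  login    -> detail is free text (first login is treated as initial access)
  process  -> detail is the full path of the launched executable
  rename   -> detail is "<old path> -> <new path>"
"""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Extensions the advisory reports for Akira-encrypted files.
AKIRA_EXTENSIONS = {".akira", ".powerranges", ".akiranew", ".aki"}

# Tools named in the advisory; the executable names are assumptions.
EXFIL_TOOLS = {"filezilla.exe", "winscp.exe", "rclone.exe", "ngrok.exe"}

EXFIL_WINDOW = timedelta(hours=2)       # advisory: exfil within two hours of access
BURST_WINDOW = timedelta(seconds=60)    # assumed: renames counted inside a 60 s window
BURST_THRESHOLD = 5                     # assumed: renames needed to call it a burst

# Constructed sample events (not real telemetry).
SAMPLE_LOG = r"""
2025-11-10T08:00:05|vpn-gw01|login|user=jdoe src=203.0.113.10
2025-11-10T08:41:12|fs01|process|C:\Users\jdoe\Downloads\rclone.exe
2025-11-10T09:15:40|fs01|rename|D:\share\q3_report.xlsx -> D:\share\q3_report.xlsx.akira
2025-11-10T09:15:41|fs01|rename|D:\share\budget.docx -> D:\share\budget.docx.akira
2025-11-10T09:15:41|fs01|rename|D:\share\payroll.csv -> D:\share\payroll.csv.akira
2025-11-10T09:15:42|fs01|rename|D:\share\plan.pptx -> D:\share\plan.pptx.akira
2025-11-10T09:15:43|fs01|rename|D:\share\notes.txt -> D:\share\notes.txt.akira
2025-11-10T09:15:44|fs01|rename|D:\share\contracts.pdf -> D:\share\contracts.pdf.akira
2025-11-10T10:02:10|ws07|rename|C:\temp\draft.old -> C:\temp\draft.txt
2025-11-10T14:30:00|ws07|process|C:\Program Files\WinSCP\WinSCP.exe
"""


def parse_log(text):
    """Parse the pipe-delimited log into (timestamp, host, kind, detail) tuples, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, host, kind, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), host, kind, detail))
    return sorted(events)


def initial_access_time(events):
    """Treat the earliest login in the data set as the initial-access timestamp."""
    logins = [ts for ts, _, kind, _ in events if kind == "login"]
    return min(logins) if logins else None


def find_exfil_tool_launches(events):
    """Flag known exfil tools and whether they ran inside the two-hour window."""
    t0 = initial_access_time(events)
    hits = []
    for ts, host, kind, detail in events:
        if kind != "process":
            continue
        exe = PureWindowsPath(detail).name.lower()
        if exe in EXFIL_TOOLS:
            delta = None if t0 is None else ts - t0
            hits.append({
                "host": host,
                "tool": exe,
                "minutes_after_access": None if delta is None else round(delta.total_seconds() / 60, 1),
                "in_window": delta is not None and delta <= EXFIL_WINDOW,
            })
    return hits


def find_encryption_bursts(events):
    """Per host, find the densest run of renames to an Akira extension within BURST_WINDOW."""
    by_host = defaultdict(list)
    for ts, host, kind, detail in events:
        if kind != "rename" or " -> " not in detail:
            continue
        target = detail.split(" -> ", 1)[1]
        if PureWindowsPath(target).suffix.lower() in AKIRA_EXTENSIONS:
            by_host[host].append(ts)

    bursts = []
    for host, stamps in by_host.items():
        stamps.sort()
        start, best, best_first = 0, 0, None
        for end in range(len(stamps)):           # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 > best:
                best, best_first = end - start + 1, stamps[start]
        if best >= BURST_THRESHOLD:
            bursts.append({"host": host, "renames": best, "first_seen": best_first.isoformat()})
    return bursts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for h in find_exfil_tool_launches(evs):
        print("exfil tool:", h)
    for b in find_encryption_bursts(evs):
        print("encryption burst:", b)
```

On the constructed sample, rclone.exe is flagged as in-window (41 minutes after the VPN login) while the later WinSCP launch is reported but outside the window, and fs01 shows a six-file rename burst. In production the same logic would sit on EDR file and process telemetry, and the extension check alone is a late signal: the process launch, which arrives roughly half an hour earlier in this sample, is the one worth paging on.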

A notable development in this update is Akira’s ability to encrypt Nutanix Acropolis Hypervisor (AHV) virtual machine disk files, in addition to previously known targets such as VMware ESXi and Microsoft Hyper-V.

Attackers were observed obtaining initial access through SonicWall or Veeam Backup & Replication vulnerabilities, then moving laterally to reach Nutanix environments, where they used valid credentials or remote access tools to locate and encrypt AHV-managed virtual machine disk files.

Analyst insight

Nutanix AHV is a virtualization platform integrated into Nutanix’s hyperconverged infrastructure (HCI) stack and is widely adopted to deliver virtualized workloads across private and hybrid cloud environments.

Threat actors targeting Nutanix AHV aim to maximize operational disruption and increase leverage during extortion. Nutanix AHV is a core component of many organizations’ virtual infrastructure, particularly in environments managed by enterprises and managed service providers (MSPs). It hosts critical virtual machines that support business applications, databases, and services. Encrypting AHV disk files can paralyze entire workloads, making recovery complex and time-consuming.

Because Nutanix HCI integrates computing, storage, and virtualization into a single platform, compromising AHV can affect multiple systems and services at once, increasing the likelihood a victim will pay to restore access. Additionally, if backups are hosted on the same infrastructure or not properly segmented, they may also be encrypted or deleted, reducing recovery options and increasing ransom pressure.

Field Effect MDR helps defend against Akira ransomware threats by detecting early behaviors such as credential harvesting, remote access tool deployment, and lateral movement. Our SOC has been actively investigating Akira campaigns, including those targeting SonicWall VPN appliances.

By correlating activity across systems and applying threat intelligence—such as tracking exploitation attempts against SonicWall and Veeam vulnerabilities—Field Effect enables rapid containment and strengthens the proactive defense of virtual environments before encryption can occur.
