- Akira now encrypts Nutanix AHV VM disk files using SonicWall and Veeam vulnerabilities
- CVE-2024-40766 enabled access to firewalls; Akira used remote tools for lateral movement
- Akira has extorted over $240 million; users are encouraged to patch and enforce MFA
The Akira ransomware operation is now also targeting Nutanix AHV VM disk files and is seeing great success, an updated security advisory released by the US Cybersecurity and Infrastructure Security Agency (CISA), the Department of Defense Cyber Crime Center (DC3) and other agencies has said.
The update says Akira was observed encrypting Nutanix AHV VM disk files for the first time, in June 2025.
In the attack, the threat actors exploited an incorrect access control vulnerability in SonicWall SonicOS.
No surprises
Tracked as CVE-2024-40766 and given a severity score of 9.6/10 (Critical), this flaw allows unauthorized attackers to access various resources, leading to firewall crashes.
It affects SonicWall Firewall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and earlier versions, and was fixed in August 2024.
After gaining access, Akira would exploit CVE-2023-27532 or CVE-2024-40711 vulnerabilities on unpatched Veeam Backup & Replication servers and deploy legitimate tools such as AnyDesk or LogMeIn for lateral movement and deletion of corporate backups.
Akira has previously made headlines with CVE-2024-40766 when it was used to breach at least 30 organizations. In late October 2024, reports from security researchers Arctic Wolf and Rapid7 warned users to patch immediately, as both Akira and Fog exploited the flaw to deploy encryptors.
The Nutanix AHV platform is a Linux-based virtualization solution designed to manage VMs on the Nutanix infrastructure. In its report, Bleeping Computer says Akira’s pivot is “no surprise” since its previous targets, VMware ESXi and Hyper-V, are both virtualization solutions.
In the updated report, CISA also stated that by the end of September 2025, Akira managed to extort more than $240 million in ransomware attacks. Users are advised to keep their software updated, their endpoint protection strong and their multi-factor authentication enforced.
Via Bleeping Computer



