Full Report
Advisory updated as leading cybercrime crew opens up its target pool The US Cybersecurity and Infrastructure Security Agency (CISA) has issued new guidance to organizations on the Akira ransomware operation, which poses an imminent threat to critical sectors.…
Analysis Summary
# Threat Actor: Akira Ransomware Operation
## Attribution & Identity
* **Identification:** A leading cybercrime crew, identified by CISA, FBI, and European law enforcement partners.
* **Known Aliases/Associations:** Described as a "Russian ransomware outfit." Emerged in 2023 as one of several offshoots of an unspecified group. Associated with the Fog ransomware crew in the joint exploitation of CVE-2024-40766.
## Activity Summary
Akira has expanded its capabilities and target pool, and CISA has issued updated guidance describing it as an imminent threat. The operation has recently evolved to target Nutanix AHV virtual machines, in addition to its earlier attacks on VMware ESXi and Hyper-V hypervisors. Attacks against Nutanix hypervisors were observed as recently as June 2025, with the advisory's data current up to November 2025. The group continues to pursue criminal revenue; its proceeds to date are estimated at around $244.17 million.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploiting vulnerabilities in VPN products, specifically **CVE-2024-40766** (an improper access control flaw in SonicWall SonicOS) against misconfigured SonicWall SSL-VPNs.
- **Initial Access (Alternative):** Gaining access via compromised VPN credentials (potentially through initial access brokers or brute-forcing VPN endpoints).
- **Credential Access:** Deploying password spraying techniques using tools such as **SharpDomainSpray**.
- **Initial Access (Alternative):** Gaining access over the Secure Shell (SSH) protocol by connecting directly to a router's IP address.
- **Lateral Movement:** Tunneling through targeted routers and exploiting publicly available vulnerabilities, such as those in unpatched **Veeam Backup and Replication components**.
- **Evasion:** Bypassing Multi-Factor Authentication (MFA) in some breaches by compromising one-time password seeds or generating authentication tokens.
- **Impact:** Deployment of encryption payloads onto Nutanix AHV virtual machines after lateral movement across the victim network.
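The password-spraying and VPN brute-forcing entries above describe two credential-attack patterns that look alike in raw logs (many failed logons from one source) but differ in shape: a spray touches many accounts with one or two attempts each, while a brute force hammers a single account. The script below, an added example that is not from the CISA advisory or from any Akira tooling, parses constructed Windows failed-logon events (Event ID 4625, reduced to a simplified `timestamp event_id key=value` line format that is an assumption of this example, not a real log format) and classifies each source IP over a sliding time window. The IP addresses are from documentation ranges and are not indicators of compromise.

```python
"""Classify failed-logon bursts as password spraying or brute forcing.

Added example; the log lines below are constructed for illustration, use a
simplified line format, and contain no indicators from the CISA advisory.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: one spray (203.0.113.10, six accounts, one try each),
# one brute force (198.51.100.7, one account, seven tries), and a user who
# mistyped a password twice and then succeeded (192.0.2.5, Event ID 4624).
SAMPLE_LOG = """\
2025-06-02T08:00:01Z 4625 TargetUserName=alice IpAddress=203.0.113.10
2025-06-02T08:00:03Z 4625 TargetUserName=bob IpAddress=203.0.113.10
2025-06-02T08:00:05Z 4625 TargetUserName=carol IpAddress=203.0.113.10
2025-06-02T08:00:07Z 4625 TargetUserName=dave IpAddress=203.0.113.10
2025-06-02T08:00:09Z 4625 TargetUserName=erin IpAddress=203.0.113.10
2025-06-02T08:00:11Z 4625 TargetUserName=frank IpAddress=203.0.113.10
2025-06-02T08:01:00Z 4625 TargetUserName=admin IpAddress=198.51.100.7
2025-06-02T08:01:01Z 4625 TargetUserName=admin IpAddress=198.51.100.7
2025-06-02T08:01:02Z 4625 TargetUserName=admin IpAddress=198.51.100.7
2025-06-02T08:01:03Z 4625 TargetUserName=admin IpAddress=198.51.100.7
2025-06-02T08:01:04Z 4625 TargetUserName=admin IpAddress=198.51.100.7
2025-06-02T08:01:05Z 4625 TargetUserName=admin IpAddress=198.51.100.7
2025-06-02T08:01:06Z 4625 TargetUserName=admin IpAddress=198.51.100.7
2025-06-02T08:05:00Z 4625 TargetUserName=alice IpAddress=192.0.2.5
2025-06-02T08:05:20Z 4625 TargetUserName=alice IpAddress=192.0.2.5
2025-06-02T08:05:40Z 4624 TargetUserName=alice IpAddress=192.0.2.5
"""


def parse_event(line):
    """Parse one constructed 'timestamp event_id key=value ...' line."""
    ts, event_id, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event_id": int(event_id),
        "user": kv["TargetUserName"].lower(),
        "src": kv["IpAddress"],
    }


def classify_window(events, min_accounts, max_per_account, min_attempts):
    """Return 'password_spray', 'brute_force' or None for one source's window."""
    per_user = Counter(e["user"] for e in events)
    # Spray: many distinct accounts, each tried only once or twice.
    if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
        return "password_spray"
    # Brute force: one account, many attempts.
    if len(per_user) == 1 and sum(per_user.values()) >= min_attempts:
        return "brute_force"
    return None


def detect_credential_attacks(lines, window=timedelta(minutes=10),
                              min_accounts=5, max_per_account=2, min_attempts=6):
    """Group 4625 failures by source IP and flag the first window that matches."""
    events = (parse_event(l) for l in lines if l.strip())
    failures = [e for e in events if e["event_id"] == 4625]
    by_src = defaultdict(list)
    for e in failures:
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in sorted(by_src.items()):
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            current = evs[start:end + 1]
            kind = classify_window(current, min_accounts, max_per_account, min_attempts)
            if kind:
                findings.append({
                    "src": src,
                    "kind": kind,
                    "accounts": sorted({e["user"] for e in current}),
                    "attempts": len(current),
                    "first_seen": evs[start]["ts"].isoformat(),
                })
                break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for finding in detect_credential_attacks(SAMPLE_LOG.splitlines()):
        print(finding)
```

The thresholds (five accounts, two attempts per account, ten-minute window) are starting points, not advisory values; tune them against your own baseline, and apply the same logic to VPN authentication logs, where the field names will differ but the spray-versus-brute-force shape is identical.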
## Targeting
- **Sectors:** Critical national infrastructure (CNI), manufacturing, educational institutions, information technology, healthcare and public health, financial services, and food and agriculture. Historically known for targeting small and medium businesses, but also targets larger organizations.
- **Geography:** Not explicitly detailed, but involves cooperation between US (CISA/FBI) and European law enforcement.
- **Victims (Claimed/Mentioned):** British bath bomb merchant **Raining Season**, **Imbria Health**, Finnish IT services provider **Tietoevry**, and an unnamed **US-based entity**.
## Tools & Infrastructure
- **Malware Families Used:** Akira Ransomware (encryption payloads).
- **Tools:** SharpDomainSpray.
- **Exploited Vulnerabilities:** CVE-2024-40766 (SonicWall SSL-VPN) and unpatched Veeam Backup and Replication components. Updated Indicators of Compromise (IOCs) are available in CISA advisory AA24-109A.
## Implications
Akira is described as a "leading" and sophisticated operation that is advancing its techniques, notably by targeting modern virtualization platforms like Nutanix AHV. Their demonstrated capability to bypass MFA suggests they are successfully navigating advanced security controls, posing an imminent threat, especially to critical infrastructure sectors relying on these hypervisors.
## Mitigations
- Prioritize and immediately remediate known exploited vulnerabilities, patching Internet-facing VPN and backup products first.
- Deploy Multi-Factor Authentication (MFA) as widely as possible, particularly on VPN and privileged accounts; given Akira's observed compromise of OTP seeds, prefer phishing-resistant, hardware-bound factors where available.
- Enforce strong password policies.
- Maintain robust, segmented, and tested backups.
- Implement network segmentation.
- Keep all operating systems up to date.
- The advisory also includes mitigations specific to K-12 schools.