Full Report
US government agencies are warning that the Akira ransomware operation has been spotted encrypting Nutanix AHV virtual machines in attacks. [...]
Analysis Summary
# Incident Report: Akira Ransomware Targeting Nutanix AHV VMs
## Executive Summary
The Akira ransomware operation has extended its encryptor to target Nutanix AHV virtual machine disk files (.qcow2), building on its earlier targeting of VMware ESXi and Hyper-V. Attackers gained initial access with stolen or brute-forced VPN/SSH credentials or by exploiting the known SonicWall vulnerability CVE-2024-40766. The reporting focuses on observed TTPs, including deployment of a Linux encryptor against AHV disks, reconnaissance, lateral movement, and data exfiltration, and prompted a joint advisory from US government agencies.
## Incident Details
- Discovery Date: As recent as November 2025 (based on updated advisory content)
- Incident Date: Nutanix VM encryption first observed in June 2025
- Affected Organization: Multiple, undisclosed organizations targeted globally
- Sector: Mixed (Implied critical infrastructure given agency involvement: Defense, Health, general Government)
- Geography: Global partners involved in the advisory
## Timeline of Events
### Initial Access
- Date/Time: Began focusing on AHV encryption in June 2025
- Vector: Exploitation of the SonicWall vulnerability CVE-2024-40766 (Improper Access Control), or stolen/brute-forced VPN/SSH credentials.
- Details: Attackers leveraged known entry vectors to breach corporate networks.
### Lateral Movement
- Date/Time: Post-initial access, prior to encryption phase.
- Details: Attackers used utilities such as `nltest`, `AnyDesk`, `LogMeIn`, `Impacket`'s `wmiexec.py`, and VBScript for reconnaissance and spreading. They exploited Veeam vulnerabilities (CVE-2023-27532 or CVE-2024-40711) to access and delete backups. In one case, they powered down a Domain Controller VM, copied its VMDK files, attached them to a new VM, and extracted the NTDS.dit and SYSTEM hive files to obtain domain administrator access.
### Data Exfiltration/Impact
- Date/Time: Exfiltration observed within as little as two hours in some attacks.
- Details: Threat actors encrypted Nutanix AHV VM disk files (.qcow2). Data theft occurred, though specific volume is not detailed. Impact includes operational disruption due to VM encryption.
### Detection & Response
- Date/Time: Ongoing investigation culminating in a joint advisory released in November 2025.
- Details: Detection was driven by FBI investigations and third-party reporting. A joint advisory (AA24-109a) was issued by CISA, FBI, DC3, HHS, and international partners to alert organizations.
## Attack Methodology
- Initial Access: Stolen/brute-forced VPN/SSH credentials; Exploitation of SonicWall CVE-2024-40766.
- Persistence: Creation of new administrative accounts; use of remote access tools (AnyDesk, LogMeIn).
- Privilege Escalation: Exploitation of Veeam Backup & Replication vulnerabilities (CVE-2023-27532/CVE-2024-40711); extraction of NTDS.dit/SYSTEM hive after manipulating DC VMs.
- Defense Evasion: Removal of endpoint detection tools.
- Credential Access: Credentials were likely obtained through the initial access method itself or extracted from memory/files after privilege escalation.
- Discovery: Use of utilities like `nltest` and general network/system enumeration.
- Lateral Movement: Use of `Impacket`'s `wmiexec.py` and PowerShell/VBScript execution.
- Collection: Targeting critical files, including domain control data (NTDS.dit).
- Exfiltration: Data exfiltration occurred, leveraging tools like Ngrok for encrypted C2 channels bypassing perimeter monitoring.
- Impact: Encryption of Nutanix AHV VM disk files (.qcow2). Note: Unlike ESXi targeting, the Linux encryptor did **not** use `acli` or `ncli` to gracefully shut down AHV VMs; it simply encrypted the files directly.
## Impact Assessment
- Financial: Not quantified in the advisory.
- Data Breach: Data exfiltration occurred, including sensitive system state files (NTDS.dit).
- Operational: Significant disruption due to the encryption of critical virtual machine infrastructure on the Nutanix platform.
- Reputational: Impact tied to government agencies issuing public warnings.
## Indicators of Compromise
- Network Indicators: Reliance on Ngrok for C2 traffic (domain, defanged: **ngrok[.]com**).
- File Indicators: Targeting files with the **.qcow2** extension.
- Behavioral Indicators: Abuse of `nltest`, use of `Impacket` tools, removal of EDR, direct file-level encryption of AHV storage without using hypervisor control commands.
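The last behavioral indicator, in-place encryption of AHV disk files with no hypervisor involvement, suggests a cheap integrity check for defenders: a valid QCOW2 image begins with the 4-byte magic `QFI\xfb` followed by a big-endian version number (2 or 3), and a file that has been encrypted in place loses that header. The script below is an added example, not code from the advisory or from Nutanix; the storage path and the sample image files it builds are constructed for the demonstration.

```python
import os
import struct
import tempfile

# QCOW2 images start with the magic "QFI\xfb" and a big-endian 32-bit
# version field (2 or 3). In-place encryption destroys this header, so a
# header sweep over AHV storage is a quick signal that disks were hit.
QCOW2_MAGIC = b"QFI\xfb"
VALID_VERSIONS = {2, 3}


def classify_qcow2(path):
    """Return 'ok', 'bad-magic', 'bad-version' or 'unreadable' for one file."""
    try:
        with open(path, "rb") as fh:
            header = fh.read(8)
    except OSError:
        return "unreadable"
    if len(header) < 8 or header[:4] != QCOW2_MAGIC:
        return "bad-magic"
    version = struct.unpack(">I", header[4:8])[0]
    if version not in VALID_VERSIONS:
        return "bad-version"
    return "ok"


def check_qcow2_dir(root):
    """Walk a storage directory and classify every .qcow2 image found."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".qcow2"):
                results[name] = classify_qcow2(os.path.join(dirpath, name))
    return results


def build_sample_dir():
    """Constructed fixture (assumption, not real AHV storage): one intact
    image header, one whose header was overwritten, one with a bogus version."""
    root = tempfile.mkdtemp(prefix="ahv-sample-")
    intact = QCOW2_MAGIC + struct.pack(">I", 3) + b"\x00" * 504
    with open(os.path.join(root, "app01-disk0.qcow2"), "wb") as fh:
        fh.write(intact)
    # Simulated in-place encryption: header replaced with deterministic junk.
    scrambled = bytes((i * 37 + 11) % 256 for i in range(512))
    with open(os.path.join(root, "db01-disk0.qcow2"), "wb") as fh:
        fh.write(scrambled)
    # Magic intact but version field implausible.
    odd = QCOW2_MAGIC + struct.pack(">I", 9) + b"\x00" * 504
    with open(os.path.join(root, "web01-disk0.qcow2"), "wb") as fh:
        fh.write(odd)
    return root


if __name__ == "__main__":
    sample = build_sample_dir()
    for name, status in sorted(check_qcow2_dir(sample).items()):
        print(f"{status:12s} {name}")
```

Run it periodically against the AHV storage container path (or as a post-incident triage step) and alert on any result other than `ok`; a header check is not a substitute for integrity baselining, but it needs no hypervisor API access and works on a mounted copy of the datastore.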
## Response Actions
- Containment: Not explicitly detailed in the advisory; the implied measures are patching the exploited vulnerabilities and blocking the C2 channel.
- Eradication Steps: By inference, remove persistence mechanisms (newly created admin accounts) and close the initial access vector through patching.
- Recovery Actions: Review data integrity and restore systems from offline backups, in line with general CISA guidance.
## Lessons Learned
- Virtualization Platforms are High-Value Targets: Attackers rapidly adapt their encryption payloads to target widely used virtualization stacks like Nutanix AHV.
- Criticality of Backup Security: Attackers specifically target Veeam servers to delete backups, emphasizing the need to secure backup infrastructure from compromise.
- Weak Access Controls Are a Critical Risk: The use of CVE-2024-40766 (Improper Access Control) highlights the risk posed by unpatched infrastructure services such as VPNs and firewalls.
## Recommendations
- Implement enforced Multi-Factor Authentication (MFA) globally, especially for VPN and SSH access.
- Immediately patch known exploited vulnerabilities, specifically CVE-2024-40766, CVE-2023-27532, and CVE-2024-40711.
- Ensure regular, **offline** backups are maintained and periodically tested for restorability.
- Review and restrict the use of remote access tools (AnyDesk, LogMeIn) within the environment.
- Harden service accounts used by remote management tools; monitor for unusual execution of utilities such as `nltest` or Impacket's `wmiexec.py` by non-administrator accounts.
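The monitoring recommendations above (unusual `nltest` execution by non-administrators, `wmiexec.py` activity, remote access tools, Ngrok) translate into a few process-creation rules. The following is an added example, not part of the advisory, showing those rules applied to constructed telemetry: the admin allowlist, the executable names for AnyDesk, LogMeIn and Ngrok, and every sample event are assumptions for the demonstration. The `wmiexec.py` rule relies on the well-known shape of its execution, `WmiPrvSE.exe` spawning `cmd.exe` with output redirected into `\\127.0.0.1\ADMIN$`.

```python
import ntpath

# Constructed allowlist of accounts expected to run domain recon tooling.
ADMIN_ACCOUNTS = {"CORP\\svc-backup", "CORP\\it-admin"}

# Assumed process names for the tools named in the advisory; tune these to
# the names actually observed in your telemetry.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "logmein.exe"}
TUNNEL_TOOLS = {"ngrok.exe"}


def _base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()


def evaluate_event(ev):
    """Apply the advisory's behavioural rules to one process-creation event
    (dict with host, user, image, parent_image, cmdline); return rule names."""
    hits = []
    image = _base(ev.get("image"))
    parent = _base(ev.get("parent_image"))
    cmd = (ev.get("cmdline") or "").lower()
    user = ev.get("user", "")

    # nltest run by an account with no business doing domain enumeration.
    if image == "nltest.exe" and user not in ADMIN_ACCOUNTS:
        hits.append("nltest-by-nonadmin")

    # Impacket wmiexec.py: WMI provider host spawns cmd.exe whose output is
    # redirected into the ADMIN$ share on the loopback address.
    if parent == "wmiprvse.exe" and image == "cmd.exe" and "\\\\127.0.0.1\\admin$" in cmd:
        hits.append("wmiexec-pattern")

    if image in REMOTE_ACCESS_TOOLS:
        hits.append("remote-access-tool")

    if image in TUNNEL_TOOLS or "ngrok" in cmd:
        hits.append("tunnel-tool")
    return hits


def scan_events(events):
    """Run every event through the rules; return (host, user, rule) triples."""
    findings = []
    for ev in events:
        for rule in evaluate_event(ev):
            findings.append((ev["host"], ev["user"], rule))
    return findings


# Constructed sample telemetry, not real log data.
SAMPLE_EVENTS = [
    {"host": "WS042", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\nltest.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "nltest /dclist:corp"},
    {"host": "DC01", "user": "CORP\\it-admin", "image": r"C:\Windows\System32\nltest.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "nltest /dsgetdc:corp"},
    {"host": "FS01", "user": "CORP\\svc-backup", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1718000000.1 2>&1"},
    {"host": "WS042", "user": "CORP\\jdoe", "image": r"C:\Users\jdoe\AppData\Local\Temp\ngrok.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "ngrok.exe"},
    {"host": "WS017", "user": "CORP\\asmith", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]


if __name__ == "__main__":
    for host, user, rule in scan_events(SAMPLE_EVENTS):
        print(f"{host:6s} {user:18s} {rule}")
```

The second `nltest` event is deliberately run by an allowlisted admin and produces no finding; the value of the allowlist is that it turns a noisy utility into a usable signal, which is also why the service accounts it contains need the hardening the recommendation calls for.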