Executive Summary
In early 2024, the Akira ransomware-as-a-service (RaaS) operation expanded its attack capabilities by targeting Nutanix virtual machines, allowing it to compromise both Windows and Linux workloads within critical infrastructure and enterprise environments. Attackers exploited new vulnerabilities and lateral movement techniques to rapidly deploy ransomware, encrypting data at scale and causing significant business disruption among targeted organizations. Notably, Akira’s evolving tooling enabled them to bypass certain traditional detection measures and exfiltrate sensitive information to pressure victims into ransom payment.
This campaign highlights the increasing sophistication of ransomware operators and the growing risk posed to hybrid and multicloud environments. The success of the Akira group against high-value sectors underscores the urgent need for advanced east-west traffic security, visibility, and robust segmentation strategies.
Why This Matters Now
Ransomware groups like Akira are quickly adapting to target virtualized and multi-cloud enterprise environments, posing heightened risks to business continuity and regulatory compliance. As more organizations rely on Nutanix and similar platforms, evolving threat actor tactics demand immediate attention to visibility, segmentation, and detection gaps in east-west traffic.
Attack Path Analysis
The attackers likely gained initial access to the Nutanix VM environment via exposed services or compromised credentials. Once inside, they escalated privileges to gain control over targeted workloads and resource roles. The adversaries then moved laterally across the network, accessing additional VMs and possibly leveraging inter-VM communications. Command and control was maintained, potentially using encrypted or covert channels, to manage systems and prepare for payload activity. Sensitive data was exfiltrated or prepared for ransomware encryption, possibly via outbound flows. Ultimately, the Akira ransomware was deployed, encrypting critical workloads and disrupting business operations.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited exposed or vulnerable Nutanix VM management interfaces or leveraged compromised credentials to gain a foothold in the cloud environment.
Related CVEs
CVE-2024-40766
CVSS 9.6
A critical vulnerability in SonicWall SonicOS allows unauthorized access due to improper access control.
Affected Products:
SonicWall SonicOS – Gen 5, Gen 6, Gen 7
Exploit Status:
exploited in the wild
CVE-2023-27532
CVSS 7.5
A vulnerability in Veeam Backup & Replication allows unauthorized access to backup infrastructure.
Affected Products:
Veeam Backup & Replication – < 11.0.1.1261
Exploit Status:
exploited in the wild
CVE-2024-40711
CVSS 8.8
A vulnerability in Veeam Backup & Replication allows remote code execution due to improper input validation.
Affected Products:
Veeam Backup & Replication – < 12.0.0.1420
Exploit Status:
exploited in the wild
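The two Veeam entries above give a fixed build as the upper bound of the affected range. The following check, added here as an example and not part of the advisory, compares an inventoried Veeam Backup & Replication build against those bounds numerically, since a plain string compare ranks "11.0.1.9" above "11.0.1.1261". The hostnames and builds in the sample inventory are constructed.

```python
"""Flag Veeam Backup & Replication builds that fall below the fixed builds
named in this advisory. Version bounds come from the page; the inventory
below is constructed sample data."""
from typing import Dict, List, Tuple

# (CVE, fixed build): any build strictly below the bound is affected,
# per the "Affected Products" entries above.
VEEAM_ADVISORIES: List[Tuple[str, str]] = [
    ("CVE-2023-27532", "11.0.1.1261"),
    ("CVE-2024-40711", "12.0.0.1420"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted build string into integers so comparison is numeric."""
    try:
        return tuple(int(part) for part in version.strip().split("."))
    except ValueError as exc:
        raise ValueError(f"unparseable version: {version!r}") from exc


def affected_cves(version: str) -> List[str]:
    """Return the CVEs whose fixed build is above the supplied build."""
    build = parse_version(version)
    return [cve for cve, fixed in VEEAM_ADVISORIES if build < parse_version(fixed)]


def triage_inventory(hosts: Dict[str, str]) -> Dict[str, List[str]]:
    """Map hostname -> applicable CVEs, omitting hosts with nothing flagged."""
    report: Dict[str, List[str]] = {}
    for host, version in hosts.items():
        hits = affected_cves(version)
        if hits:
            report[host] = hits
    return report


# Constructed sample inventory (hostnames and builds are illustrative only).
SAMPLE_INVENTORY: Dict[str, str] = {
    "veeam-bkp-01": "11.0.1.1261",  # fixed for CVE-2023-27532, still below 12.0.0.1420
    "veeam-bkp-02": "10.0.1.4854",  # older build: both CVEs apply
    "veeam-bkp-03": "12.1.0.2131",  # above both bounds: nothing flagged
}

if __name__ == "__main__":
    for host, cves in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {', '.join(cves)}")
```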
MITRE ATT&CK® Techniques
Valid Accounts
Data Encrypted for Impact
System Services: Service Execution
User Execution
Remote Services: SMB/Windows Admin Shares
Ingress Tool Transfer
Impair Defenses
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS v4.0 – Strong Authentication for Access
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 10
CISA Zero Trust Maturity Model v2.0 – Continuous Identity and Access Management
Control ID: Identity Pillar
NIS2 Directive – Implementation of Technical and Organisational Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Health Care / Life Sciences
Akira ransomware targeting Nutanix VMs threatens patient data systems, requiring enhanced east-west traffic security and zero trust segmentation for HIPAA compliance.
Financial Services
Critical financial infrastructure faces Akira ransomware risks through VM exploitation, necessitating multicloud visibility, encrypted traffic protection, and anomaly detection capabilities.
Government Administration
Government systems running Nutanix infrastructure are vulnerable to Akira attacks, demanding comprehensive threat detection, segmentation policies, and secure hybrid connectivity solutions.
Information Technology/IT
IT organizations managing Nutanix environments face direct exposure to Akira ransomware, requiring cloud-native security fabric and inline IPS protection strategies.
Sources
- Akira RaaS Targets Nutanix VMs, Threatens Critical Orgs (https://www.darkreading.com/threat-intelligence/akira-raas-nutanix-vms-critical-orgs)
- Akira ransomware is now targeting Nutanix VMs - and scoring big rewards (https://www.techradar.com/pro/security/akira-ransomware-is-now-targeting-nutanix-vms-and-scoring-big-rewards)
- Response to CISA Security Advisory Related to a Third Party Vulnerability (https://www.nutanix.com/blog/response-to-cisa-security-advisory-related-to-a-third-party-vulnerability-allowing-the-targeting-of-major-hypervisor-vendors)
- CISA warns of Akira ransomware Linux encryptor targeting Nutanix VMs (https://www.bleepingcomputer.com/news/security/cisa-warns-of-akira-ransomware-linux-encryptor-targeting-nutanix-vms/)
Frequently Asked Questions
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Network segmentation, inline policy enforcement, east-west traffic controls, and proactive anomaly detection could have significantly contained or prevented movement across Nutanix VMs and mitigated both ransomware propagation and sensitive data egress.
Control: Multicloud Visibility & Control
Mitigation: Unauthorized access attempts would be detected and flagged for response.
Control: Zero Trust Segmentation
Mitigation: Privilege escalation paths would be limited to only approved communications.
Control: East-West Traffic Security
Mitigation: Lateral propagation across VMs would be prevented by strict east-west policy enforcement.
Control: Threat Detection & Anomaly Response
Mitigation: Covert C2 channels and abnormal management activity would trigger alerts.
Control: Egress Security & Policy Enforcement
Mitigation: Unapproved data transfers to external destinations would be blocked or logged for response.
Propagation and execution of ransomware payloads would be contained within isolated segments.
Impact at a Glance
Affected Business Functions
- Data Storage
- Virtualization Services
- Backup and Recovery
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of sensitive virtual machine data and backup files due to unauthorized access and encryption by ransomware.
Recommended Actions
Key Takeaways & Next Steps
- Implement identity-based segmentation and least privilege policies to restrict lateral movement and privilege escalation paths.
- Enforce east-west traffic controls with microsegmentation to isolate sensitive VMs and workloads.
- Establish comprehensive, real-time visibility and centralized monitoring across all cloud and hybrid environments.
- Apply strict egress control and outbound policy enforcement to detect and block unapproved data exfiltration.
- Deploy anomaly detection and automated response to rapidly identify and contain ransomware or C2 activity across cloud assets.