U.S. government agencies are warning that the Akira ransomware operation has expanded its capabilities to encrypt Nutanix AHV virtual machines, marking a notable evolution in the malware’s Linux-based attack methods.
An updated joint advisory from CISA, the FBI, the Department of Defense Cyber Crime Center (DC3), the Department of Health and Human Services (HHS), and several international partners details new tactics, techniques, and indicators of compromise observed as recently as November 2025.
Akira Ransomware Expands to Nutanix VMs
The advisory notes that in June 2025, Akira actors began encrypting Nutanix AHV virtual machine disk files for the first time. Previously focused on VMware ESXi and Hyper-V environments, the ransomware leveraged CVE-2024-40766, a SonicWall vulnerability, to expand its access and impact.
“Nutanix AHV VM disk encryption represents an evolution in Akira’s targeting, extending its Linux-based ransomware operations to widely deployed virtual machine platforms,” the advisory states.
While specific attack methods against Nutanix AHV have not been publicly disclosed, analysis by cybersecurity researchers indicates that Akira Linux encryptors target files with the .qcow2 extension—the virtual disk format used by Nutanix AHV. Unlike its VMware ESXi operations, which gracefully shut down virtual machines using esxcli and vim-cmd commands, Akira encrypts .qcow2 files directly on Nutanix VMs without leveraging the platform’s native acli or ncli commands.
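A defender-side check that follows from the passage above, added here as an example (not code from the advisory or from any of the researchers it cites): because an encryptor that overwrites a .qcow2 file in place also destroys the fixed QCOW2 header, a disk image whose first bytes no longer parse as a valid header is a coarse but cheap indicator that something has tampered with it. The QCOW2 magic (`QFI\xfb`) and big-endian version field come from the public QCOW2 format; the directory layout, file names and the "suspicious/ok/unreadable" status labels are assumptions made for the demo, and the sample files are constructed in a temporary directory.

```python
"""Flag .qcow2 virtual disk files whose header no longer parses as QCOW2.

Added example, not from the advisory. Assumption: an encryptor that
overwrites file contents in place also destroys the 4-byte QCOW2 magic
and the version field at the start of the file, so a .qcow2 file that no
longer starts with a valid header is a strong indicator of tampering.
"""
import os
import struct
import tempfile

QCOW2_MAGIC = b"QFI\xfb"   # 'Q','F','I',0xfb per the QCOW2 format specification
VALID_VERSIONS = {2, 3}    # the two QCOW2 header versions in use


def inspect_qcow2(path):
    """Return (status, detail) for one file: 'ok', 'suspicious' or 'unreadable'."""
    try:
        with open(path, "rb") as fh:
            header = fh.read(8)
    except OSError as exc:
        return "unreadable", str(exc)
    if len(header) < 8:
        return "suspicious", "file shorter than a QCOW2 header"
    magic, version = struct.unpack(">4sI", header)   # 4-byte magic, 4-byte BE version
    if magic != QCOW2_MAGIC:
        return "suspicious", f"bad magic {magic!r}"
    if version not in VALID_VERSIONS:
        return "suspicious", f"unexpected version {version}"
    return "ok", f"qcow2 v{version}"


def scan_tree(root):
    """Walk root and return {path: (status, detail)} for every .qcow2 file found."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".qcow2"):
                full = os.path.join(dirpath, name)
                results[full] = inspect_qcow2(full)
    return results


def build_sample_tree():
    """Create a temporary directory with two constructed sample files:
    one intact QCOW2 header and one whose header has been overwritten."""
    root = tempfile.mkdtemp(prefix="qcow2scan-")
    with open(os.path.join(root, "vm-good.qcow2"), "wb") as fh:
        fh.write(QCOW2_MAGIC + struct.pack(">I", 3) + b"\x00" * 64)
    with open(os.path.join(root, "vm-bad.qcow2"), "wb") as fh:
        fh.write(bytes(range(72)))   # header replaced by arbitrary bytes (constructed)
    return root


def demo():
    """Scan the constructed sample tree and return {basename: status}."""
    root = build_sample_tree()
    return {os.path.basename(p): s for p, (s, _d) in scan_tree(root).items()}


if __name__ == "__main__":
    root = build_sample_tree()
    for path, (status, detail) in sorted(scan_tree(root).items()):
        print(f"{status:10s} {path}  ({detail})")
```

Point `scan_tree` at the datastore path where AHV images are kept and run it from a scheduled job; a sudden jump in "suspicious" results across many images is the kind of signal worth alerting on. The check is deliberately header-only, so it says nothing about files whose header was left intact while later blocks were modified.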
Intrusion and Post-Compromise Techniques
The advisory also outlines Akira’s broader intrusion methods and post-compromise activities. Threat actors frequently gain initial access using stolen or brute-forced VPN and SSH credentials on exposed routers, or by exploiting SonicWall vulnerabilities such as CVE-2024-40766. Once inside a network, Akira affiliates target unpatched Veeam Backup & Replication servers via CVE-2023-27532 or CVE-2024-40711, allowing them to access and delete backups to prevent recovery.
Within compromised networks, Akira operators conduct reconnaissance and lateral movement using utilities including nltest, AnyDesk, LogMeIn, Impacket’s wmiexec.py, and custom VB scripts. The attackers disable endpoint detection systems, create administrative accounts, and move laterally to high-value systems. In one documented incident, a domain controller VM was powered down, its VMDK files copied to a new VM, and the NTDS.dit and SYSTEM hive extracted to obtain domain administrator credentials.
Akira has also demonstrated rapid exfiltration capabilities, removing sensitive data in as little as two hours, and using tunneling tools such as Ngrok to establish encrypted command-and-control channels that bypass perimeter monitoring.
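The initial-access pattern described above (brute-forced SSH credentials on exposed devices, followed by post-compromise activity) can be surfaced from ordinary authentication logs. The following is an added detection example, not code from the advisory: it parses OpenSSH auth-log lines and reports any source address that accumulated a run of failed logins and then succeeded. The log lines are constructed for the demo (addresses are from the documentation ranges 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24), and `FAIL_THRESHOLD` is an assumed tuning value that the advisory does not specify.

```python
"""Flag SSH brute-force attempts that end in a successful login.

Added detection example, not from the advisory. It parses constructed
OpenSSH auth-log lines; FAIL_THRESHOLD is an assumed tuning value.
"""
import re
from collections import defaultdict

FAIL_THRESHOLD = 5   # assumed: this many failures before a success is suspicious

# Matches both "Failed password for admin from ..." and
# "Failed password for invalid user test from ..." style lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted)\s+(?:password|publickey)\s+for\s+"
    r"(?:invalid user\s+)?(?P<user>\S+)\s+from\s+(?P<src>\S+)\s+port\s+\d+"
)


def parse_line(line):
    """Return the parsed fields of one sshd log line, or None if it is not a login event."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_brute_force_successes(lines, threshold=FAIL_THRESHOLD):
    """Return [(src, user, failures)] for every source address that logged
    at least `threshold` failures since its last success and then logged in."""
    failures = defaultdict(int)
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev["src"]
        if ev["result"] == "Failed":
            failures[src] += 1
        else:  # Accepted
            if failures[src] >= threshold:
                hits.append((src, ev["user"], failures[src]))
            failures[src] = 0
    return hits


# Constructed sample log: six failures then a success from one address,
# an unrelated single failure, and a clean key-based login from a third host.
SAMPLE_LOG = [
    f"Nov 12 02:14:{i:02d} edge-router sshd[{2231 + i}]: Failed password for admin "
    f"from 203.0.113.5 port {51234 + i} ssh2"
    for i in range(6)
] + [
    "Nov 12 02:14:40 edge-router sshd[2240]: Accepted password for admin from 203.0.113.5 port 51240 ssh2",
    "Nov 12 02:15:03 edge-router sshd[2251]: Failed password for invalid user test from 198.51.100.7 port 40011 ssh2",
    "Nov 12 02:16:10 edge-router sshd[2260]: Accepted publickey for ops from 192.0.2.9 port 33020 ssh2: RSA SHA256:constructed",
]


def demo():
    """Run the detector over the constructed sample log."""
    return find_brute_force_successes(SAMPLE_LOG)


if __name__ == "__main__":
    for src, user, n in demo():
        print(f"ALERT: {src} logged in as {user!r} after {n} failed attempts")
```

In practice the lines would come from the device's syslog or journal rather than an in-memory list, and the threshold would be set against the baseline of legitimate mistyped passwords on that host. A success following a long failure run is a higher-confidence signal than failure volume alone, which is why the detector keys on the transition rather than on the count.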
Operational Tools and Evolution
The advisory highlights that tools previously associated with Akira, such as “Megazord,” appear to have been abandoned since 2024. The ransomware’s Linux encryptors, however, continue to evolve, now targeting .qcow2 virtual disks while maintaining operational efficiency and destructive potential.
By focusing on Nutanix AHV alongside traditional VMware ESXi and Hyper-V platforms, Akira ransomware is expanding its reach into enterprise virtualized environments, underscoring the need for updated patches, robust backup strategies, and continuous monitoring of exposed network services.