Akira now encrypts Nutanix AHV VM disk files using SonicWall and Veeam vulnerabilities

Date: 2025-11-14

CVE-2024-40766 enabled access to firewalls; Akira used remote tools for lateral movement

Akira has extorted over $240 million; users urged to patch and enforce MFA

The Akira ransomware operation is now also targeting Nutanix AHV VM disk files, and seeing considerable success, an updated security advisory published by the US Cybersecurity and Infrastructure Security Agency (CISA), the Department of Defense Cyber Crime Center (DC3), and other agencies has said.

The update states Akira was observed encrypting Nutanix AHV VM disk files for the first time, in June 2025.

In the attack, the threat actors abused an improper access control vulnerability in SonicWall SonicOS.

No surprises

This bug, tracked as CVE-2024-40766 and given a severity score of 9.6/10 (critical), grants unauthorized attackers access to different resources, leading to firewall crashes.

It affects SonicWall Firewall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions, and was fixed in August 2024.

After gaining access, Akira would abuse the CVE-2023-27532 or CVE-2024-40711 vulnerabilities on unpatched Veeam Backup & Replication servers, and deploy legitimate tools such as AnyDesk or LogMeIn for lateral movement and for deleting company backups.

Akira has made headlines with CVE-2024-40766 before, when the bug was used to successfully breach at least 30 organizations. In late October 2024, reports from security researchers Arctic Wolf and Rapid7 warned users to patch immediately, since both Akira and Fog were leveraging the bug to deploy encryptors.

The Nutanix AHV platform is a Linux-based virtualization solution, designed to manage VMs on the Nutanix infrastructure. In its writeup, BleepingComputer says Akira’s pivot is “no surprise”, since its previous targets, VMware ESXi and Hyper-V, are both virtualization solutions.

In the updated report, CISA also stated that as of late September 2025, Akira had managed to extort more than $240 million in ransomware attacks. Users are advised to keep their software updated, their endpoint protection strong, and their multi-factor authentication enforced.

