Akira Ransomware Just Found a New Target: Nutanix VMs


According to Dark Reading, multiple American and European government agencies, including CISA, the FBI, HHS, and Europol, issued a joint advisory on November 13, 2025, warning that Akira ransomware poses an “imminent threat” to critical infrastructure. The group had collected nearly $245 million in ransom payments as of late September 2025 and has over 1,000 known victims across its operations. Akira recently encrypted virtual machine disk files on Nutanix’s Acropolis Hypervisor (AHV) in a June 2025 attack, making it the first major threat actor to target this platform. The group has been exploiting critical vulnerabilities, including CVE-2024-40711 in Veeam and CVE-2024-40766 in SonicWall, while using commercial RMM tools like AnyDesk and LogMeIn to disable security programs. Authorities noted that Akira sometimes exfiltrates victim data in just over two hours, demonstrating the group’s rapid operational tempo.


Akira’s New Playground

Here’s the thing about ransomware groups: they’re always looking for the path of least resistance. And Nutanix AHV represents exactly that. While everyone’s been focused on securing VMware ESXi and Microsoft Hyper-V, Akira found a third option that security teams probably aren’t monitoring as closely. Nutanix claims over 27,000 customers with nearly 90% AHV adoption – that’s a massive attack surface that includes critical organizations like the US Navy, Nasdaq, and Gatwick Airport. Basically, they found a back door that nobody was watching.

What makes this particularly clever? By targeting the hypervisor itself, Akira can disrupt multiple critical systems at once. We’re talking about infrastructure that runs entire operations – the kind of systems where every minute of downtime costs thousands. For industrial and manufacturing operations relying on these virtual environments, this isn’t just about data encryption – it’s about bringing production lines to a complete halt.

Why Akira Got Overlooked

Cynthia Kaiser, former deputy director of the FBI’s Cybersecurity Division, makes a fascinating point about Akira’s evolution. Early on, they released an ineffective decryptor that created a “false sense of security” while the group quietly expanded their capabilities. It’s the classic cybercriminal bait-and-switch – look less dangerous than you actually are while building out your attack toolkit. Now they’re considered “one of the faster moving ransomware groups” according to experts.

Think about that trajectory. They went from being underestimated to pulling off two-hour data exfiltration operations. That’s insane speed for ransomware activity. Most organizations wouldn’t even detect a breach that quickly, let alone respond to it. And they’re using tools like SystemBC as both a proxy and remote access Trojan, plus StoneStop and PoorTry for process termination – it’s a sophisticated, multi-layered approach.

What Comes Next

So where does this leave us? Akira has demonstrated they’re not afraid to innovate and find new attack surfaces. The shift to Nutanix AHV suggests they’re systematically working through the hypervisor market looking for weak points. You have to wonder: which virtualization platform will they target next? And with their success exploiting edge device vulnerabilities, we’re likely to see more focus on network perimeter devices.

The $245 million ransom haul tells you everything you need to know about their business model – it’s working. That kind of money funds more development, more tools, more innovation in their criminal enterprise. For organizations running Nutanix environments, the wake-up call just got a lot louder. The hypervisor security conversation can’t just be about VMware and Microsoft anymore.
