According to TheRegister.com, the US Cybersecurity and Infrastructure Security Agency has issued an urgent advisory warning that the Akira ransomware group is now targeting Nutanix AHV virtual machines, expanding from their previous VMware and Hyper-V attacks. The Russian cybercrime operation has generated a staggering $244.17 million in criminal revenue and was observed attacking Nutanix hypervisors as recently as November 2025. Critical national infrastructure organizations are on high alert, with attacks specifically targeting manufacturing, education, healthcare, and financial sectors. The group gains initial access through VPN vulnerabilities like CVE-2024-40766 in SonicWall devices, with over 438,000 vulnerable systems exposed. After tunneling through networks, they deploy encryption payloads on Nutanix AHV platforms, putting sensitive business data at immediate risk.
Why this matters
Here’s the thing – Nutanix hypervisors are market leaders in exactly the sectors you don’t want getting hit: healthcare, finance, government. We’re talking about the backbone systems that keep hospitals running and financial transactions secure. And Akira isn’t some amateur operation – they’re a sophisticated Conti offshoot that’s been steadily refining their approach since 2023.
What’s really concerning is how they’re bypassing what should be solid security measures. They’re getting around multi-factor authentication by compromising one-time password seeds. Basically, your MFA isn’t the protection you think it is against these guys. When security pros like Swimlane’s Nick Tausek say “common security protections cannot fully protect users,” that should make everyone pause.
The attack chain
So how are they getting in? It’s a multi-pronged approach that shows real operational sophistication. They’re exploiting that SonicWall SSL-VPN vulnerability, but they’re also using compromised VPN credentials, brute-forcing endpoints, and password spraying with tools like SharpDomainSpray. Sometimes they even come in through SSH by exploiting router IP addresses.
Once they’re inside, it’s a classic lateral movement playbook until they reach those Nutanix AHV platforms. And they’re not just winging it – they’re exploiting known vulnerabilities in Veeam Backup and Replication servers (CVE-2023-27532 and CVE-2024-40711) to solidify their position. This isn’t smash-and-grab ransomware – it’s calculated, methodical, and designed for maximum impact.
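The credential side of that entry path (brute-forcing endpoints, password spraying, compromised VPN logins) leaves a recognisable footprint in authentication logs, and it is one of the few places a defender gets a look before the lateral-movement phase begins. The following is an added example, not code from the article, the advisory or any vendor: it runs two simple detections over a constructed VPN authentication log (the log format, IP addresses and account names are all made up for illustration). A password spray shows up as one source failing against many distinct accounts in a short window; a brute force shows up as one source hammering a single account; and a success from a source already flagged for spraying is the signal that a guessed credential is now in use.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of VPN authentication events (illustrative only, not from the
# advisory). Format per line: ISO-8601 timestamp, source IP, account, result (OK/FAIL).
SAMPLE_LOG = """\
2025-11-03T08:00:01Z 198.51.100.23 alice FAIL
2025-11-03T08:00:04Z 198.51.100.23 bob FAIL
2025-11-03T08:00:07Z 198.51.100.23 carol FAIL
2025-11-03T08:00:10Z 198.51.100.23 dave FAIL
2025-11-03T08:00:13Z 198.51.100.23 erin FAIL
2025-11-03T08:00:16Z 198.51.100.23 frank OK
2025-11-03T08:05:00Z 203.0.113.9 svc-backup FAIL
2025-11-03T08:05:02Z 203.0.113.9 svc-backup FAIL
2025-11-03T08:05:04Z 203.0.113.9 svc-backup FAIL
2025-11-03T08:05:06Z 203.0.113.9 svc-backup FAIL
2025-11-03T08:05:08Z 203.0.113.9 svc-backup FAIL
2025-11-03T08:05:10Z 203.0.113.9 svc-backup FAIL
2025-11-03T08:05:12Z 203.0.113.9 svc-backup FAIL
2025-11-03T08:05:14Z 203.0.113.9 svc-backup FAIL
2025-11-03T09:00:00Z 192.0.2.44 alice OK
2025-11-03T09:30:00Z 192.0.2.44 alice FAIL
2025-11-03T09:30:05Z 192.0.2.44 alice OK
"""


def parse_events(text):
    """Parse log text into (timestamp, source, user, result) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), src, user, result))
    events.sort()
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Password spraying: one source failing against >= min_users distinct accounts
    inside a sliding time window. Returns {source: set(targeted users)}."""
    fails_by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            fails_by_src[src].append((ts, user))
    hits = {}
    for src, fails in fails_by_src.items():
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                hits.setdefault(src, set()).update(users)
    return hits


def detect_bruteforce(events, window=timedelta(minutes=10), min_failures=6):
    """Brute force: one (source, account) pair with >= min_failures failures inside
    a sliding window. Returns {(source, user): peak failure count in a window}."""
    fails_by_pair = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            fails_by_pair[(src, user)].append(ts)
    hits = {}
    for pair, times in fails_by_pair.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= min_failures:
                hits[pair] = max(hits.get(pair, 0), count)
    return hits


def success_after_spray(events, spray_hits):
    """Successful logins from a source already flagged for spraying: the strongest
    indicator that a guessed credential is now being used for access."""
    return {(src, user) for ts, src, user, result in events
            if result == "OK" and src in spray_hits}


def analyze(text=SAMPLE_LOG):
    """Run all three detections and return their results together."""
    events = parse_events(text)
    spray = detect_spray(events)
    return {
        "spray": spray,
        "bruteforce": detect_bruteforce(events),
        "compromised": success_after_spray(events, spray),
    }


if __name__ == "__main__":
    for name, result in analyze().items():
        print(f"{name}: {result}")
```

The thresholds (five accounts or six failures in ten minutes) are deliberately low so the constructed sample trips them; in production they are tuned against baseline failure rates, and the "success after spray" set is what should page someone, because it means the VPN perimeter has already been crossed and the lateral-movement phase described above is the next thing to look for.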
What should organizations do
Look, the mitigations in CISA’s updated advisory aren’t revolutionary – patch everything, deploy MFA everywhere, use strong passwords, maintain backups, segment networks. But here’s the problem: we’ve been saying this for years, and organizations still aren’t doing the basics consistently.
For industrial and manufacturing operations using Nutanix environments, the stakes are even higher. When your production systems go down, you’re not just losing data – you’re losing actual production.
The bigger picture
Why does this keep happening? Because the economics work for the attackers. $244 million is serious motivation, and when you’ve got nearly half a million vulnerable SonicWall devices just sitting there, the attack surface is massive. Akira started with small and medium businesses, but they’ve clearly leveled up to bigger targets.
The advisory contains updated indicators of compromise, but honestly, by the time you’re looking for IOCs, you’re probably already compromised. The real question is whether organizations will actually prioritize patching known exploited vulnerabilities immediately. History suggests… probably not enough of them will. And that’s exactly why groups like Akira keep winning.
