Monday 06 July 2026 22:42:16 GMT+02:00

Netcrook

HomeManifesto
News
Techcrook
Geocrook
WikicrookTeamAppContact
EnglishItalianoArabic

Ransomware & Extortion

Akira Ransomware Hunts for New Prey: Nutanix VMs at Risk

A dangerous cybercrime syndicate has set its sights on overlooked technology, threatening critical sectors with swift, sophisticated attacks.

Fast Facts

  • Akira ransomware now targets Nutanix Acropolis Hypervisor (AHV) virtual machines, a first for major cybercrime groups.
  • US and European agencies warn of an "imminent threat" to critical infrastructure, including healthcare and manufacturing.
  • Akira’s attacks are fast-sometimes exfiltrating sensitive data in just over two hours.
  • Over $245 million in ransom payments have been collected by Akira as of September 2025.
  • Akira exploits both known software vulnerabilities and legitimate remote management tools to breach networks.

The New Frontier: Virtual Machines Under Siege

Imagine a digital wolfpack slipping through the shadows, bypassing the usual guards to strike at the heart of the herd. That’s the threat Akira now poses to Nutanix’s Acropolis Hypervisor (AHV)-a virtual machine (VM) platform used by thousands of organizations, many in critical sectors like the US Navy and major stock exchanges. While most ransomware gangs have long stalked the well-trodden fields of VMware’s ESXi and Microsoft’s Hyper-V, Akira is the first major group to target Nutanix’s lesser-known, but widely deployed, AHV. This pivot is significant: hypervisors are the invisible engines that keep modern data centers running, and compromising them lets attackers disrupt dozens or even hundreds of systems at once.

Akira’s Playbook: Speed, Sophistication, and Stealth

What makes Akira so menacing isn’t just its choice of prey. The group is alarmingly fast-security researchers have clocked them stealing sensitive data in barely two hours. Their toolkit blends old-school hacking with new tricks: they exploit well-known vulnerabilities (like flaws in Veeam and SonicWall software) and hijack legitimate remote management programs such as AnyDesk and LogMeIn. These tools, meant to help IT teams, are turned against victims to disable security defenses and open the gates for attack.

Akira also employs a mix of off-the-shelf malware, including the SystemBC proxy bot and custom drivers that knock out protective processes. Their methods have evolved rapidly, surprising experts who once underestimated the group due to a faulty early decryptor that gave victims false hope. Today, Akira is recognized as one of the fastest and most prolific ransomware operations in the wild.

A Growing Threat to Critical Sectors

Since its emergence, Akira has racked up over a thousand known victims, with the true tally likely far higher. The group’s shift to Nutanix AHV is especially concerning because many critical organizations-hospitals, airports, financial institutions-rely on this technology, yet it has rarely been attacked before. This novelty gives defenders little experience to draw on, increasing the risk of catastrophic disruptions.

Authorities on both sides of the Atlantic are sounding the alarm, urging organizations to patch known vulnerabilities and monitor for suspicious activity, especially in virtual infrastructure that may have flown under the radar until now.

As Akira’s wolfpack prowls new hunting grounds, their message to the defenders of critical systems is clear: nowhere is truly safe, and the overlooked corners of the digital world may now hold the greatest dangers. In this high-stakes game, vigilance and adaptability are the only shields.

WIKICROOK

  • Ransomware: Ransomware is malicious software that encrypts or locks data, demanding payment from victims to restore access to their files or systems.
  • Hypervisor: A hypervisor is software that lets one server run multiple isolated virtual machines, each acting as an independent computer.
  • Exfiltration: Exfiltration is the unauthorized transfer of sensitive data from a victim’s network to an external system controlled by attackers.
  • Remote Management Tools: Remote Management Tools let IT staff access and control computers remotely for support and maintenance, but can be misused by hackers for stealthy access.
  • Indicators of Compromise (IoC): Indicators of Compromise (IoC) are signs, like strange files or network activity, that reveal a system has likely been attacked or compromised.