
Key Takeaways:
• Akira has evolved from targeting VPNs and VMware to encrypting Nutanix AHV virtual machines, according to new government and industry research.
• The group operates as ransomware as a service, has hit more than 250 organizations, and is believed to have collected more than two hundred million dollars in ransom payments.
• Victims span energy, manufacturing, education, IT services, healthcare, financial services, and public institutions.
• Initial access often comes through vulnerable or misconfigured VPNs and firewalls and then pivots to backup systems and virtualized environments.
• Strong patching, multifactor authentication, backup hygiene, and partnerships with capable MSPs or MSSPs are increasingly essential.
Akira’s rapid development from a relatively new ransomware family into one of the most active groups operating today highlights how fast the threat landscape can shift. First identified in 2023, Akira initially focused on organizations with exposed VPN services, limited multifactor authentication, and weak segmentation. Over time the group expanded its capabilities, including variants written in Rust, and adapted its targeting strategy to focus on the virtualization layers that run many core business systems. The result is a threat that combines technical sophistication with a business model that encourages high-volume attacks across a wide range of industries.
Government agencies and security researchers have recently confirmed that Akira affiliates are now capable of encrypting Nutanix AHV virtual machines. This adds another widely used virtualization platform to a list that already includes VMware ESXi and Microsoft Hyper-V. Security teams have long warned that virtualized environments are attractive targets because of the concentration of workloads, and Akira’s shift into this domain reinforces that concern. In parallel, updated reporting shows that Akira has already earned hundreds of millions of dollars in ransom payments since its launch, a clear sign of how frequently the group is active and how effective its affiliates have become.
Public reports list more than 250 known victims. These include energy companies, manufacturing firms, universities, municipalities, financial services companies, healthcare organizations, IT service providers, agricultural firms, and retail and entertainment businesses. Incidents linked to Akira have disrupted payroll systems, cloud services, zoo operations, radio communications, and local government services. In several cases the impact extended well beyond the initially compromised organization, affecting downstream customers and partner ecosystems.
This pattern fits with what investigators describe as Akira’s focus on the vulnerable middle of the market. The group tends to target firms that are large enough to generate significant disruptions and ransom demands, but not so large that they operate fully mature security programs. Regional service providers, mid-market companies, schools, and local governments often fall into this category. When these organizations are compromised, it can trigger cascading effects because they frequently provide digital services to multiple external clients, increasing the overall severity of each event.
The development of Akira’s ability to target Nutanix AHV is particularly important because Nutanix is widely deployed in data centers and hybrid cloud environments. Previous incidents show that Akira’s Linux-based encryptor is now able to locate and encrypt the virtual disk files used in Nutanix AHV. While its tooling for Nutanix may still be less polished than what it uses for ESXi, the capability is already operational and has been observed in multiple incidents. This suggests that Akira will continue refining its methods to more reliably disrupt Nutanix environments.
Akira’s attack chain is now well understood. The group frequently gains initial access by exploiting known vulnerabilities in VPN appliances, firewalls, and backup management systems. Vulnerabilities in devices from major vendors have been repeatedly abused to gain a foothold. Affiliates often take advantage of missing multifactor authentication, outdated firmware, reused credentials, and exposed administrative interfaces. They also use stolen VPN and SSH credentials from initial access brokers.
Once inside, attackers create new administrative accounts to ensure persistence. They deploy tools for credential theft, network scanning, and remote control. This often includes software such as commercial remote access tools, command line utilities, and open source credential harvesters. They disable endpoint security products to reduce the chance of being detected, then spread laterally through the environment until they reach key infrastructure systems. Backup servers and virtualization hosts are common targets because controlling these systems allows rapid disruption with maximum effect.
A core element of Akira’s strategy is its focus on backup environments. Affiliates search for Veeam servers and other backup management systems, then attempt to locate and delete or corrupt stored backups before encryption begins. This prevents organizations from restoring quickly and increases the likelihood of ransom payment. In many cases the attackers exfiltrate data through cloud storage services, tunneling tools, or file transfer software before encryption. The exfiltration stage sometimes happens surprisingly quickly, with some incidents showing major data theft only hours after initial access.
When Akira begins the encryption process, it uses tailored variants for Windows, Linux, and virtualization platforms. The group has been seen shutting down virtual machines cleanly before encrypting their underlying disk files in VMware environments. In Nutanix environments, current activity shows direct encryption of core virtual disk files even without orchestrating a full shutdown. Encrypted files typically receive extensions associated with the Akira family, and ransom notes are left in directories across the compromised systems.
Security experts generally advise against paying ransoms because payment does not guarantee decryption, nor does it ensure stolen data will not be leaked. In some previous cases, decryptors have been released for early versions of Akira, but those tools do not work against every variant, especially the newer Rust-based strains. As Akira continues to evolve, recovering data without backups becomes increasingly difficult for many organizations.
Defending against Akira requires renewed focus on fundamentals that often fall behind due to staffing limitations. High priority measures include patching edge infrastructure, enforcing multifactor authentication across all access points, and disabling unnecessary remote access services. Backup environments must be segmented, access should be tightly controlled, and offline or immutable copies should be maintained. Virtualization management networks should be isolated from general user networks, monitored for suspicious activity, and protected with dedicated credentials.
Detection efforts should include monitoring for new administrative accounts, installation of unauthorized remote access tools, unusual data transfers from backup servers and hypervisors, and repeated authentication attempts against VPN or cloud interfaces. Incident response plans should be regularly tested, with special attention to recovering virtualized workloads and verifying the integrity of backups after a simulated attack.
For many mid-sized organizations, maintaining the level of security skill required to defend against groups like Akira can be challenging. This is where outside expertise becomes essential.
Consider a top MSP or IT service provider such as Apex Technology Services or even an MSSP to help you stay secure. It is a very dangerous world and the specialization these organizations can provide means they are often up to date on the latest attack vectors. Increasingly, companies are one cyberattack away from shutting down. Make sure you work with qualified people before an attack happens to your organization.