Akira Ransomware Targets Nutanix AHV Hypervisors in New Wave of Virtual Infrastructure Attacks
The Akira ransomware group has expanded its operations by targeting Nutanix AHV hypervisors, marking a significant escalation in attacks on virtualized infrastructure. The campaign focuses on compromising the underlying virtualization layer rather than individual servers, giving attackers the ability to disrupt or encrypt entire virtual environments within minutes.
How the attack works
Akira operators are exploiting weak administrative credentials and exposed management interfaces to gain initial access to Nutanix environments. Once inside, the threat actors move laterally toward the AHV hypervisor layer, where they deploy malicious scripts designed to shut down running virtual machines and encrypt associated disk files.
Researchers note that this approach mirrors previous campaigns that targeted VMware ESXi servers. By focusing on hypervisors, attackers can take dozens of systems offline with a single action, increasing operational impact and ransom leverage.
Techniques used by the attackers
Akira continues to rely on credential theft, misuse of remote access tools and exploitation of weak security configurations. When targeting Nutanix AHV, the group performs:
- Brute-force attacks against Prism Central and Prism Element management interfaces.
- Lateral movement using SSH keys and stolen administrator passwords.
- Shutdown of virtual machines to ensure clean encryption of vDisks.
- Deployment of custom scripts to encrypt VM disk images and configuration files.
- Extraction of authentication tokens and configuration details prior to ransomware deployment.
By compromising the hypervisor directly, Akira gains access to all virtual workloads hosted on the affected clusters, including databases, application servers and domain controllers.
Impact on victims
Organizations impacted by the new campaign have reported large-scale outages in critical environments. Once the hypervisor is compromised, virtual machines become unavailable, and restoring them requires clean snapshots or offsite backups.
In several cases, Akira operators claim to have exfiltrated corporate data prior to encryption. The stolen information is then used to pressure victims into paying both data-extortion and decryption demands.
Nutanix response and security guidance
Nutanix has issued an advisory urging customers to secure their AHV management interfaces, enforce multifactor authentication and review administrator account usage. The company also recommends hardening Prism services, restricting remote access and applying recent security updates.
Security teams are advised to monitor for unusual login activity, unexpected VM shutdowns and unauthorized script execution on AHV hosts. Early detection of lateral movement is critical because once attackers reach the hypervisor, containment becomes significantly more difficult.
What defenders should do now
To mitigate the risk of Akira attacks on Nutanix AHV environments, organizations should:
- Enforce MFA and disable unused administrator accounts.
- Restrict Prism interface access to internal networks or VPN connections.
- Monitor for failed authentication attempts and unusual access patterns.
- Deploy EDR solutions across management hosts and jump servers.
- Maintain offline or immutable backups of critical VM disk images.
- Harden SSH configurations and rotate all credentials regularly.
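The monitoring advice above (failed authentication attempts, unexpected VM shutdowns on AHV hosts) can be turned into a first-pass detection. The following is an added example, not code from the article or from Nutanix: it runs over a constructed log sample in which the SSH lines use the standard sshd "Failed password" format and the `vm_power_off` audit lines are a hypothetical format assumed for illustration, flagging a burst of failed logins from one source and a burst of power-offs by one user.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real Nutanix output). The sshd lines use the
# standard "Failed password" format; the vm_power_off audit lines are a
# hypothetical format assumed here for illustration.
SAMPLE_LOG = """\
2024-05-01T02:14:01 ahv-1 sshd[2210]: Failed password for admin from 203.0.113.7 port 51022 ssh2
2024-05-01T02:14:03 ahv-1 sshd[2211]: Failed password for admin from 203.0.113.7 port 51023 ssh2
2024-05-01T02:14:04 ahv-1 sshd[2212]: Failed password for nutanix from 203.0.113.7 port 51024 ssh2
2024-05-01T02:14:06 ahv-1 sshd[2213]: Failed password for admin from 203.0.113.7 port 51025 ssh2
2024-05-01T02:14:08 ahv-1 sshd[2214]: Failed password for root from 203.0.113.7 port 51026 ssh2
2024-05-01T02:30:00 ahv-1 sshd[2300]: Failed password for admin from 198.51.100.5 port 40001 ssh2
2024-05-01T02:40:10 ahv-1 audit: vm_power_off vm=db-prod-01 user=admin
2024-05-01T02:40:12 ahv-1 audit: vm_power_off vm=app-prod-02 user=admin
2024-05-01T02:40:13 ahv-1 audit: vm_power_off vm=dc-01 user=admin
"""
TS_FMT = "%Y-%m-%dT%H:%M:%S"
FAILED_RE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Failed password for \S+ from (\S+) port")
POWEROFF_RE = re.compile(r"^(\S+) \S+ audit: vm_power_off vm=(\S+) user=(\S+)")

def _burst(events, threshold, window):
    """Return the items of the first time window holding >= threshold events, else []."""
    events.sort()
    for i, (start, _) in enumerate(events):
        hit = [item for t, item in events[i:] if t - start <= window]
        if len(hit) >= threshold:
            return hit
    return []

def _collect(log, regex, key_group, item_group):
    """Group (timestamp, item) pairs from matching lines by the key capture."""
    groups = defaultdict(list)
    for line in log.splitlines():
        m = regex.match(line)
        if m:
            ts = datetime.strptime(m.group(1), TS_FMT)
            groups[m.group(key_group)].append((ts, m.group(item_group)))
    return groups

def detect_ssh_bruteforce(log, threshold=5, window=timedelta(minutes=1)):
    """Map source IP -> failed SSH logins, for sources reaching threshold failures within window."""
    return {src: len(hits) for src, evs in _collect(log, FAILED_RE, 2, 2).items()
            if (hits := _burst(evs, threshold, window))}

def detect_mass_poweroff(log, threshold=3, window=timedelta(seconds=60)):
    """Map user -> VMs powered off, for users shutting down >= threshold VMs within window."""
    return {user: hits for user, evs in _collect(log, POWEROFF_RE, 3, 2).items()
            if (hits := _burst(evs, threshold, window))}
```

Thresholds and windows are starting points to tune against a baseline of normal administrative activity, since legitimate maintenance also shuts down several VMs in quick succession.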
The expansion of Akira ransomware into the Nutanix AHV ecosystem signals a broader trend of attackers targeting virtual infrastructure as a high-value foothold. As virtualization continues to underpin mission-critical workloads, securing hypervisors must be treated as a top priority for enterprise defenders.