Publication Date: 2025-11-16 08:00:00
Executive Summary
The emergence of the Akira Ransomware-as-a-Service (RaaS) operation has introduced a significant threat to organizations leveraging Nutanix Virtual Machines (VMs). Recent intelligence indicates that the Akira threat group has expanded its targeting scope to include Nutanix environments, exploiting virtualization infrastructure to maximize operational disruption and ransom leverage. This campaign is particularly concerning for critical infrastructure, healthcare, finance, and government sectors, where Nutanix is widely deployed for its scalability and high availability. The attack methodology leverages advanced lateral movement, credential harvesting, and direct targeting of virtualized storage, resulting in the rapid encryption of mission-critical workloads. This advisory provides a comprehensive technical analysis of the Akira campaign, its tactics, techniques, and procedures (TTPs), observed exploitation in the wild, victimology, and actionable mitigation strategies.
Threat Actor Profile
Akira is a sophisticated RaaS collective that surfaced in early 2023, rapidly gaining notoriety for its double-extortion tactics and focus on high-value enterprise targets. The group operates a classic affiliate model, providing ransomware payloads and infrastructure to vetted partners in exchange for a share of ransom proceeds. Akira affiliates are known for their technical proficiency, leveraging a blend of custom malware, living-off-the-land binaries (LOLBins), and…