Publication Date: 2025-11-14 15:00:00
- Akira now encrypts Nutanix AHV VM disk files using SonicWall and Veeam vulnerabilities
- CVE-2024-40766 enabled access to firewalls; Akira used remote tools for lateral movement
- Akira has extorted over $240 million; users urged to patch and enforce MFA
The Akira ransomware operation is now also targeting Nutanix AHV VM disk files, and seeing considerable success, according to an updated security advisory published by the US Cybersecurity and Infrastructure Security Agency (CISA), the Department of Defense Cyber Crime Center (DC3), and other agencies.
The update states Akira was observed encrypting Nutanix AHV VM disk files for the first time, in June 2025.
In the attack, the threat actors abused an improper access control vulnerability in SonicWall SonicOS.
No surprises
This bug, tracked as CVE-2024-40766 and given a severity score of 9.6/10 (critical), grants unauthorized attackers access to different resources, leading to firewall crashes.
It affects SonicWall Firewall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions, and was fixed in August 2024.
After gaining access, Akira would abuse the CVE-2023-27532 or CVE-2024-40711 vulnerabilities on unpatched Veeam Backup & Replication servers, and deploy legitimate tools such as AnyDesk or LogMeIn for lateral movement and deleting company backups.
Akira has made headlines with CVE-2024-40766 before, since it was used to successfully breach at least 30 organizations. In…