Beyond Hyper-V and ESXi, Akira has also encrypted Nutanix VMs.
The bulletin that CISA dedicates to this ransomware was just updated to include this information… among other things.
The initial version dated from April 2024. A year and a half later, techniques have evolved across the board, from initial access to extortion. As for the encryption of Nutanix VMs*, it was observed in connection with an incident that occurred in June 2025. The attack chain appears to have started with CVE-2024-40766 (an improper access control flaw in SonicWall firewalls).
Initial access via Veeam
The April 2024 version mentioned initial access via VPNs without MFA. Mostly Cisco devices, it specified, citing two vulnerabilities. One is located in the web interface of ASA (Adaptive Security Appliance) and the other in FTD (Firepower Threat Defense). The first (CVE-2020-3259) allows retrieving memory contents without authentication. The second (CVE-2023-20269) opens the door to brute-force attacks or to establishing SSL VPN sessions as an unauthorized user.
According to the updated bulletin, to which OFAC (France's Office anti-cybercriminalité) contributed, the initial access arsenal has diversified. Notably, with:
- CVE-2020-3580, another vulnerability on the ASA/FTD web interface, enabling unauthenticated XSS
- CVE-2023-28252, a flaw in CLFS (the Windows logging service used by programs running in user or kernel mode), used for privilege escalation
- CVE-2024-37085 (authentication bypass in ESXi via Active Directory)
- CVE-2023-27532 and CVE-2024-40711, both affecting Veeam Backup & Replication (the first allows exfiltration of encrypted credentials from the configuration database; the second opens the door to an RCE via deserialization of malicious data)
Zemana AntiMalware hijacked to stop antivirus
For the reconnaissance phase, the bulletin update adds little beyond the use of nltest /dclist: and nltest /DOMAIN_TRUSTS.
Among the tools used by Akira affiliates are NetScan, Advanced IP Scanner, and SoftPerfect. Mimikatz and LaZagne are also used to harvest credentials.
The initial version noted the use of a legitimate tool (Zemana AntiMalware) to terminate antivirus-related processes.
The update adds the use of remote-access tools to establish persistence and blend in with admin activity, including AnyDesk and LogMeIn.
Virtual disk protection neutralized
The initial bulletin offered limited detail on how Akira affiliates gained privileges.
The update provides more, including the exploitation of services like Veeam.Backup.MountService.exe and the addition of new user accounts to the admin group.
It mentions an incident in which VMDK protection was bypassed by temporarily powering off the domain controller VM. The VMDKs were then copied and attached to a new VM. This allowed the NTDS.dit file and the SYSTEM registry hive (a logical group of keys, subkeys and values) to be extracted, ultimately compromising a domain administrator account.
A hybrid and customizable encryption
A significant number of tools were used for data exfiltration. 7-zip and WinRAR are among them, as well as FileZilla, RClone and WinSCP.
To establish command-and-control channels, AnyDesk, Cloudflare Tunnels, MobaXterm, Ngrok and RustDesk were employed.
In some cases, only about two hours elapsed between initial access and exfiltration.
The encryption scheme used by Akira was largely established by April 2024. Hybrid in nature, it combines the ChaCha20 stream cipher with RSA public-key encryption. The combination allows full or partial encryption, tailored to the type and size of the files.
To complicate recovery and forensic analysis, PowerShell commands are used to delete VSS copies.
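The three behaviours the bulletin singles out on the host side (nltest domain enumeration during reconnaissance, new accounts added to the administrators group for privilege escalation, and PowerShell or vssadmin deletion of VSS shadow copies before encryption) are all visible in process-creation telemetry. The following detection logic is an added example, not code from the CISA bulletin or from any vendor: it runs three command-line rules over a constructed sample of Sysmon-style events (field names, hostnames and user names are assumptions) and escalates any host that trips more than one tactic.

```python
import re
from collections import defaultdict

# Constructed sample of process-creation records, shaped like what a SIEM would
# receive from Sysmon Event ID 1 or Windows Security 4688. Not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2025-06-02T01:12:03Z", "host": "ws-017", "user": "CORP\\jdoe",
     "cmdline": "nltest /dclist:corp.example"},
    {"ts": "2025-06-02T01:12:09Z", "host": "ws-017", "user": "CORP\\jdoe",
     "cmdline": "nltest /DOMAIN_TRUSTS /ALL_TRUSTS"},
    {"ts": "2025-06-02T01:14:44Z", "host": "ws-017", "user": "CORP\\jdoe",
     "cmdline": "net localgroup administrators backupadm /add"},
    {"ts": "2025-06-02T03:01:17Z", "host": "fs-02", "user": "CORP\\backupadm",
     "cmdline": 'powershell.exe -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"'},
    {"ts": "2025-06-02T03:01:20Z", "host": "fs-02", "user": "CORP\\backupadm",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    # Benign look-alikes that must not fire: a health check and a read-only listing.
    {"ts": "2025-06-02T08:30:00Z", "host": "srv-mon", "user": "CORP\\svc_mon",
     "cmdline": "nltest /sc_query:corp.example"},
    {"ts": "2025-06-02T08:31:00Z", "host": "fs-02", "user": "CORP\\helpdesk",
     "cmdline": "vssadmin list shadows"},
]

# Each rule: (name, tactic label, compiled regex over the command line).
# Only the nltest switches the bulletin names are matched, so routine
# /sc_query health checks stay quiet. The group name is English-locale;
# add localized names (e.g. "administrateurs") for non-English estates.
RULES = [
    ("nltest_domain_enum", "discovery",
     re.compile(r"\bnltest(?:\.exe)?\b.*?/(?:dclist|domain_trusts)\b", re.I)),
    ("local_admin_group_add", "privilege-escalation",
     re.compile(r"\bnet(?:1)?(?:\.exe)?\s+localgroup\s+administrators\b.*?/add\b", re.I)),
    ("shadow_copy_delete", "impact",
     re.compile(r"(?:\bvssadmin(?:\.exe)?\b.*?\bdelete\s+shadows\b"
                r"|\bwmic(?:\.exe)?\b.*?\bshadowcopy\b.*?\bdelete\b"
                r"|win32_shadowcopy\b.*?(?:\.delete\(\)|remove-wmiobject|remove-ciminstance))",
                re.I)),
]

TACTIC_OF = {name: tactic for name, tactic, _ in RULES}


def match_rules(event):
    """Return the names of every rule whose regex matches this event's command line."""
    return [name for name, _, rx in RULES if rx.search(event["cmdline"])]


def detect(events):
    """Keep only the events that trip at least one rule, tagged with the rule names."""
    hits = []
    for ev in events:
        names = match_rules(ev)
        if names:
            hits.append({**ev, "rules": names})
    return hits


def correlate(hits):
    """Per host, count the distinct tactics seen. A single discovery command is
    routine triage; a host that moves from discovery to privilege escalation or
    impact within the same window is the pattern the bulletin describes, so it
    is escalated."""
    tactics_per_host = defaultdict(set)
    for h in hits:
        for name in h["rules"]:
            tactics_per_host[h["host"]].add(TACTIC_OF[name])
    return {host: ("escalate" if len(t) >= 2 else "triage")
            for host, t in tactics_per_host.items()}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for h in found:
        print(f"{h['ts']} {h['host']:8} {h['user']:16} {','.join(h['rules'])}")
    print(correlate(found))
```

With the sample above, five of the seven events fire; ws-017 is escalated because it shows both discovery and privilege escalation, while fs-02 only shows shadow-copy deletion and would rely on the analyst joining it to the earlier activity by the backupadm account. In production the same rules belong in the EDR or SIEM rule engine rather than a script, and the shadow-copy rule in particular should alert at high severity on its own, since deletion precedes encryption by minutes at most.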
Options to target only the VMs
The first version of Akira was written in C++. Its second incarnation, spotted in summer 2023, is written in Rust. It features an additional protection layer that complicates dynamic analysis, as well as thread management, improving the efficiency of the encryption process. It can also be deployed exclusively against VMs (vmonly parameter) and stop these VMs (stopvm).
Akira is associated with groups known as Gold Sahara, Howling Scorpius, Punk Spider and Storm-1567. It may have links to the now-defunct Conti.
* In a recent conference, Gartner predicted that by 2028, 35% of VMware workloads would have shifted to another platform. The firm suggested Nutanix as a primary consideration, not so much for price as for functional capabilities.