Akira Ransomware’s Shift to Nutanix AHV: Tactics, Tools, and Mitigation
Akira ransomware has expanded beyond its familiar targets, VMware ESXi and Hyper-V, to the Nutanix AHV hypervisor, a move that signals both technical evolution and a growing threat to enterprise infrastructure. By exploiting vulnerabilities such as CVE-2024-40766 in SonicWall firewalls, Akira actors have shown a knack for finding and abusing weak spots in widely deployed edge devices. Their tactics go beyond simple encryption: with stolen credentials, compromised backup servers, and tools like AnyDesk and Impacket, they run intrusions that are as fast as they are thorough. Data is sometimes exfiltrated in under two hours, which leaves little room for a slow response. As groups like Akira adapt, so must the defenses, and the Nutanix expansion is a good moment for IT and security teams to revisit how their virtualization layer is protected (BleepingComputer, 2024).
Akira Ransomware Targeting Nutanix AHV VMs: Tactics, Tools, and Mitigation
Exploitation of Vulnerabilities
Akira ransomware has expanded its operations to Nutanix AHV virtual machines. For initial access, the actors have been observed abusing CVE-2024-40766, an improper access control flaw (CWE-284) in SonicWall SonicOS firewalls. The vulnerability allows unauthorized access to the appliance, giving the actors a foothold from which they reach the internal network and, ultimately, the virtual machine disk files they encrypt. The focus on Nutanix AHV is an expansion of Akira's previous targeting of VMware ESXi and Hyper-V rather than a replacement of it: the group's Linux encryptor has simply gained another hypervisor's disk-image format to attack.
Attack Methodology and Tools
The Akira group's handling of Nutanix AHV differs from its ESXi playbook. On ESXi the actors use esxcli and vim-cmd to shut down virtual machines before encrypting their disks; on AHV the Linux encryptor writes straight to the .qcow2 disk images without calling the platform's acli or ncli tools to stop the guests. The report does not say why the guests are not stopped first, but the consequence for the victim is the same or worse: a disk image encrypted underneath a running VM is unusable, and a guest still writing to it at the time only adds inconsistency. For defenders the practical point is that, with no acli or ncli invocations, there may be no hypervisor command trail to alert on; the evidence is on the storage side, in files that stop being valid qcow2 images.
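Because the encryptor overwrites .qcow2 files in place, a cheap storage-side check is to verify that every disk image on an AHV storage path still parses as a qcow2 header. The script below is an added illustration written for this page, not code from the report or from Nutanix: it validates the qcow2 magic, version and cluster_bits fields (all defined by the qcow2 format, the limits being those qemu enforces) and flags files carrying a ransom suffix. The `.akira` suffix is an assumption taken from public Akira reporting, not from this article, and the sample container it scans is constructed inside the script.

```python
"""Integrity sweep of Nutanix AHV disk images (.qcow2) on a storage path.

Added illustration: flags qcow2 files that no longer carry a valid header
(a symptom of in-place encryption) and files that carry a ransom suffix.
"""
import os
import struct
import tempfile

QCOW2_MAGIC = b"QFI\xfb"       # 0x514649fb, the first four bytes of every qcow2 image
QCOW2_VERSIONS = {2, 3}        # big-endian uint32 at offset 4
MIN_CLUSTER_BITS, MAX_CLUSTER_BITS = 9, 21   # qemu's limits for cluster_bits (offset 20)
# Assumption, not from the report: Akira renames encrypted files with this suffix.
RANSOM_SUFFIXES = (".akira",)


def check_qcow2_header(path):
    """Return (ok, reason). ok is True only when the first 24 bytes parse as a qcow2 header."""
    with open(path, "rb") as f:
        header = f.read(24)
    if len(header) < 24:
        return False, "file shorter than a qcow2 header"
    if header[:4] != QCOW2_MAGIC:
        return False, "magic mismatch (got %s)" % header[:4].hex()
    version, = struct.unpack(">I", header[4:8])
    if version not in QCOW2_VERSIONS:
        return False, "unsupported qcow2 version %d" % version
    cluster_bits, = struct.unpack(">I", header[20:24])
    if not MIN_CLUSTER_BITS <= cluster_bits <= MAX_CLUSTER_BITS:
        return False, "cluster_bits %d out of range" % cluster_bits
    return True, "ok"


def scan_container(root, ransom_suffixes=RANSOM_SUFFIXES):
    """Walk root and return {relative_path: reason} for every suspicious file."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            lower = name.lower()
            if lower.endswith(ransom_suffixes):
                findings[rel] = "ransom suffix appended"
            elif lower.endswith(".qcow2"):
                ok, reason = check_qcow2_header(path)
                if not ok:
                    findings[rel] = reason
    return findings


def _write_valid_qcow2(path, virtual_size=10 * 1024 ** 3):
    """Write a minimal 72-byte qcow2 v3 header: magic, version, backing-file offset
    and size, cluster_bits=16, virtual size, then zero padding for the remaining fields."""
    header = QCOW2_MAGIC + struct.pack(">IQIIQ", 3, 0, 0, 16, virtual_size)
    with open(path, "wb") as f:
        f.write(header + b"\x00" * (72 - len(header)))


def demo():
    """Build a constructed sample container and return the scan findings."""
    root = tempfile.mkdtemp(prefix="ahv-demo-")
    vm_dir = os.path.join(root, "vm-disks")
    os.makedirs(vm_dir)
    _write_valid_qcow2(os.path.join(vm_dir, "app01.qcow2"))           # healthy image
    junk = bytes((i * 73 + 11) % 256 for i in range(96))              # stand-in for ciphertext
    with open(os.path.join(vm_dir, "db01.qcow2"), "wb") as f:         # encrypted in place
        f.write(junk)
    with open(os.path.join(vm_dir, "web01.qcow2.akira"), "wb") as f:  # encrypted and renamed
        f.write(junk)
    return scan_container(root)


if __name__ == "__main__":
    for rel, reason in sorted(demo().items()):
        print("%-32s %s" % (rel, reason))
```

Run it against a mounted AHV storage container (or a backup copy of one) rather than against live CVM-managed storage; the check only reads the first 24 bytes of each file, so it is cheap enough to schedule often, and a sudden batch of header failures is a strong signal that encryption is under way.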
In addition to exploiting vulnerabilities, Akira affiliates commonly use stolen or brute-forced VPN and SSH credentials for initial access. Once inside, they go after the backup layer: on unpatched Veeam Backup & Replication servers they exploit CVE-2023-27532 and CVE-2024-40711 to take control of the backup server and delete backups, removing the victim's easiest path to recovery before encryption starts.
Lateral Movement and Persistence
Once inside a network, Akira actors use several utilities for reconnaissance, lateral movement and persistence. nltest gathers domain information, Impacket's wmiexec.py executes commands on remote hosts over WMI, and AnyDesk and LogMeIn provide remote access that blends in with legitimate IT tooling. Visual Basic scripts automate tasks and help maintain a foothold in the compromised environment.
The attackers also remove endpoint detection tools and create new administrative accounts to keep their access. In one notable incident on a VMware estate they powered down a domain controller VM, copied its VMDK files, attached them to a new VM, and extracted the NTDS.dit file and SYSTEM hive. NTDS.dit holds every domain account's password hash and the SYSTEM hive holds the boot key needed to decrypt them, so the pair yields a domain administrator account without ever logging in to the live domain controller. Nothing in that technique depends on the VMDK format; an attacker with the same access to AHV storage can do it with a .qcow2 image.
Data Exfiltration and Command-and-Control
Data exfiltration is a core part of Akira's operations and often happens quickly: in some cases data was exfiltrated in as little as two hours. For command-and-control the actors rely on tunneling tools such as Ngrok, which carries traffic in an outbound encrypted tunnel to Ngrok's infrastructure so that it looks like ordinary HTTPS and bypasses perimeter monitoring built around inbound connections. This lets them keep communicating with compromised systems and pull data out without being noticed.
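The lateral-movement tooling described under Lateral Movement and Persistence and the Ngrok tunneling described here both leave recognisable traces in ordinary telemetry. The script below is an added example written for this page, not detection content from CISA, BleepingComputer or any vendor: it runs a handful of rules over constructed process-creation and DNS records. The wmiexec.py signature (cmd.exe spawned by WmiPrvSE.exe with output redirected to `\\127.0.0.1\ADMIN$\__<timestamp>`) is the tool's documented default behaviour; the executable names for AnyDesk and LogMeIn and the AnyDesk install flags in the sample are assumptions, and the Ngrok domain list covers the public tunnel domains, not every Ngrok endpoint.

```python
"""Post-exploitation detections for the Akira tradecraft described above,
run over constructed sample telemetry (not real logs).
"""
import ntpath
import re
from collections import defaultdict

# Constructed Windows process-creation records (4688 / Sysmon EID 1 style).
PROCESS_EVENTS = [
    # Impacket wmiexec.py: cmd.exe spawned by WmiPrvSE.exe, output redirected to ADMIN$\__<timestamp>
    {"host": "FS01", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1712345678.1234 2>&1"},
    # domain reconnaissance with nltest
    {"host": "WS07", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\nltest.exe", "cmdline": "nltest /dclist:corp.local"},
    # new local account, then added to Administrators
    {"host": "WS07", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net1.exe", "cmdline": "net1 user backupsvc Str0ngPass! /add"},
    {"host": "WS07", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net1.exe", "cmdline": "net1 localgroup administrators backupsvc /add"},
    # silent AnyDesk install (executable name and flags are assumptions for the sample)
    {"host": "WS07", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\AnyDesk.exe",
     "cmdline": r"AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent"},
    # benign interactive shell, should not alert
    {"host": "WS09", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c dir \\fs01\share"},
]

# Constructed DNS query records from a resolver log.
DNS_EVENTS = [
    {"host": "FS01", "query": "tunnel.ngrok.com"},
    {"host": "FS01", "query": "0.tcp.ngrok.io"},
    {"host": "WS09", "query": "www.update.microsoft.com"},
]

WMIEXEC_REDIRECT = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__\d+\.\d+", re.I)
NLTEST_RECON = re.compile(r"/(dclist|domain_trusts|dsgetdc)", re.I)
NET_USER_ADD = re.compile(r"\buser\b.*\s/add\b", re.I)
NET_ADMIN_ADD = re.compile(r"\blocalgroup\s+administrators\b.*\s/add\b", re.I)
# Assumed executable names for the remote-access tools named in the report.
REMOTE_ACCESS_IMAGES = {"anydesk.exe", "logmein.exe"}
# Public Ngrok tunnel domains; an internal server resolving them deserves a look.
NGROK_SUFFIXES = (".ngrok.io", ".ngrok.com", ".ngrok-free.app", ".ngrok.app")


def _base(path):
    """Lower-cased file name of a Windows path, regardless of the analyst's OS."""
    return ntpath.basename(path).lower()


def detect_process(ev):
    """Yield (rule, evidence) tuples for one process-creation event."""
    image, parent, cmd = _base(ev["image"]), _base(ev["parent"]), ev["cmdline"]
    if parent == "wmiprvse.exe" and WMIEXEC_REDIRECT.search(cmd):
        yield "wmiexec_remote_exec", cmd
    if image == "nltest.exe" and NLTEST_RECON.search(cmd):
        yield "ad_recon_nltest", cmd
    if image in ("net.exe", "net1.exe"):
        if NET_USER_ADD.search(cmd):
            yield "local_account_created", cmd
        if NET_ADMIN_ADD.search(cmd):
            yield "added_to_administrators", cmd
    if image in REMOTE_ACCESS_IMAGES:
        yield "remote_access_tool", ev["image"]


def detect_dns(ev):
    """Yield (rule, evidence) for a DNS query that resolves an Ngrok tunnel domain."""
    q = ev["query"].lower().rstrip(".")
    for suffix in NGROK_SUFFIXES:
        if q == suffix[1:] or q.endswith(suffix):
            yield "ngrok_tunnel_dns", q


def detect(process_events=PROCESS_EVENTS, dns_events=DNS_EVENTS):
    """Return a list of {"host", "rule", "evidence"} alerts over both feeds."""
    alerts = []
    for ev in process_events:
        alerts += [{"host": ev["host"], "rule": r, "evidence": e} for r, e in detect_process(ev)]
    for ev in dns_events:
        alerts += [{"host": ev["host"], "rule": r, "evidence": e} for r, e in detect_dns(ev)]
    return alerts


def alerts_by_host(alerts):
    """Group rule names per host so the chain of activity on one machine is visible."""
    grouped = defaultdict(list)
    for a in alerts:
        grouped[a["host"]].append(a["rule"])
    return dict(grouped)


if __name__ == "__main__":
    for host, rules in sorted(alerts_by_host(detect()).items()):
        print(host, "->", ", ".join(rules))
```

Grouping by host is the useful part: a single nltest run or one Ngrok lookup is noise on its own, but a server that shows remote command execution via WMI and then starts resolving Ngrok domains is the sequence this report describes, and that combination is what should page someone.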
Mitigation Strategies
To defend against Akira, organizations should put several layered mitigations in place. Regular offline (or otherwise immutable) backups are crucial, and given Akira's habit of attacking Veeam servers, the backup infrastructure itself must be patched and isolated from the domain it protects. Enforcing multifactor authentication (MFA) on VPN, SSH and administrative interfaces blunts the stolen-credential path that the affiliates rely on for initial access.
Quick patching of known exploited vulnerabilities is essential. CVE-2024-40766 on SonicWall firewalls and CVE-2023-27532 and CVE-2024-40711 on Veeam Backup & Replication should be at the top of the list. Patching alone is not always enough: SonicWall has advised resetting the passwords of locally managed accounts after applying the CVE-2024-40766 fix, because credentials captured while a device was exposed remain valid after the patch.
Organizations should also run regular security audits and penetration tests to find weaknesses before an affiliate does. Robust network segmentation limits lateral movement and contains a breach; for a Nutanix estate that means keeping Prism, CVM and AHV host management interfaces on a dedicated administrative network that workstations and VPN users cannot reach directly. Finally, educating employees about phishing and social engineering reduces the risk of initial compromise through human error.
By adopting these comprehensive mitigation strategies, organizations can enhance their resilience against Akira ransomware and other similar threats, safeguarding their critical infrastructure and data.
Final Thoughts
Akira's move to Nutanix AHV VMs is more than a technical footnote; it is a warning for any organization that relies on virtualized infrastructure. The group's aggressive tactics, from direct encryption of VM disk files to rapid exfiltration over encrypted tunnels, make the case for layered security and fast response. Patching, resilient backups and staff education are no longer optional. As attackers keep innovating, defenders must keep pace, using threat intelligence and proactive controls to protect critical assets. Staying informed about emerging threats and adapting quickly remains the best defense against ransomware's changing playbook (BleepingComputer, 2024).
References
- CISA warns of Akira ransomware Linux encryptor targeting Nutanix VMs. (2024). BleepingComputer. https://www.bleepingcomputer.com/news/security/cisa-warns-of-akira-ransomware-linux-encryptor-targeting-nutanix-vms/