Akira Ransomware Expands Targets to Nutanix AHV in Critical Sectors The U.S. Cybersecurity and Infrastructure Security Agency (CISA), alongside the FBI and European law enforcement, has issued an updated advisory on the Akira ransomware operation, warning of its evolving tactics and heightened threat to critical infrastructure. The group has now added Nutanix AHV virtual machines to its list of targets, alongside previously exploited platforms like VMware ESXi and Hyper-V. First detected in June 2025, Akira’s attacks on Nutanix hypervisors widely used in healthcare, finance, and government sectors were confirmed as recently as November 2025. The group, linked to Russian cybercriminals, has amassed $244.17 million in ransom payments and increasingly targets manufacturing, education, IT, healthcare, financial services, and food/agriculture sectors, despite its historical focus on small and medium businesses. Akira affiliates gain initial access through multiple vectors, including: - Exploiting CVE-2024-40766, a critical SonicWall SSL-VPN vulnerability affecting over 438,000 exposed devices (per BitSight research). - Compromised VPN credentials, brute-force attacks, or password spraying (e.g., using SharpDomainSpray). - Exploiting SSH on routers or unpatched Veeam Backup servers (CVE-2023-27532, CVE-2024-40711). Once inside, attackers move laterally to Nutanix AHV platforms, deploying encryption payloads that risk exposing business-critical and sensitive data. Notably, Akira has bypassed multi-factor authentication (MFA) in some attacks by compromising one-time password seeds or generating fraudulent tokens. The advisory includes updated indicators of compromise (IOCs) and mitigation strategies, though core defenses remain consistent: patching vulnerabilities, enforcing MFA, strong password policies, network segmentation, and maintaining secure backups. Akira, an offshoot of the defunct Conti ransomware group, emerged in 2023 and has since claimed high-profile victims, including Lush, Stanford University, Tietoevry, and the Toronto Zoo. Its expansion to Nutanix AHV signals a sophisticated, adaptive threat requiring heightened vigilance across critical sectors.

Lush, the well-known cosmetics retail chain, has become the focus of a cyberattack, and a thorough investigation is currently underway. In 2011, the store faced a hacking incident leading to the temporary suspension of their website and online sales. A representative from Lush is collaborating with law enforcement and external IT forensic specialists to address and resolve the current issue.