The Akira ransomware group successfully compromised Nutanix AHV (Acropolis Hypervisor) virtual machines in June 2025 by exploiting CVE-2024-40766, a critical SonicWall vulnerability. This marked a dangerous expansion of their attack surface beyond VMware ESXi and Hyper-V environments. The breach involved rapid data exfiltration (as fast as two hours post-intrusion) and deployment of the Akira_v2 ransomware variant, which encrypted VM disk files, rendering critical infrastructure inoperable. The attack disrupted business operations, potentially halting production, service delivery, or data access for affected organizations. Given Nutanix’s role in enterprise cloud, hybrid, and hyperconverged infrastructure, the compromise threatened operational continuity, customer trust, and financial stability. The double-extortion model—combining encryption with threats to leak sensitive data—amplified the pressure on victims, with ransom demands escalating alongside the $244.17 million already extorted by Akira globally. The incident underscored vulnerabilities in unpatched systems, weak authentication (lack of MFA), and lateral movement risks via tools like Mimikatz and RDP abuse.

The Akira ransomware group exploited CVE-2024-40766 (a critical 9.6/10 severity flaw in SonicWall firewalls) to gain unauthorized access to Nutanix AHV virtualization environments. Once inside, attackers abused additional vulnerabilities (CVE-2023-27532 or CVE-2024-40711) in unpatched Veeam Backup & Replication servers to move laterally using legitimate remote tools like AnyDesk or LogMeIn. The attack resulted in the encryption of Nutanix AHV VM disk files, deletion of backups, and widespread operational disruption. As of September 2025, Akira had extorted over $240 million from victims, with at least 30 organizations breached via this method. The attack forced companies to halt VM operations, risking prolonged downtime, data loss, and financial extortion. CISA and DC3 warned of the campaign’s severity, urging immediate patching, MFA enforcement, and endpoint hardening to mitigate further damage. The incident underscores the growing threat of ransomware targeting virtualization platforms, where successful encryption can cripple entire IT infrastructures.