CISA warns of Akira ransomware Linux encryptor targeting Nutanix VMs

US government agencies are warning that the Akira ransomware operation has been spotted encrypting Nutanix AHV virtual machines in attacks.

An updated joint advisory from CISA, the FBI, the Department of Defense Cyber Crime Center (DC3), the Department of Health and Human Services (HHS), and several international partners alerts that Akira ransomware has expanded its encryption capabilities to Nutanix AHV VM disk files.

The advisory includes new indicators of compromise and tactics observed through FBI investigations and third-party reporting as recently as November 2025.

Encrypting Nutanix VMs in attacks

The advisory warns that in June 2025 Akira actors started to encrypt disk files for Nutanix AHV virtual machines.

"In a June 2025 incident, Akira threat actors encrypted Nutanix AHV VM disk files for the first time, expanding their capabilities beyond VMware ESXi and Hyper-V by abusing Common Vulnerabilities and Exposures (CVE)-2024-40766 [Common Weakness Enumeration (CWE)-284: Improper Access Control], a SonicWall vulnerability," reads the updated advisory.

Nutanix's AHV platform is a Linux-based virtualization solution that runs and manages virtual machines on Nutanix's infrastructure.

As it is widely deployed, it is no surprise that ransomware gangs would begin to target virtual machines on this platform, as they do with VMware ESXi and Hyper-V.

While CISA has not shared how Akira is targeting Nutanix AHV environments, Akira Linux encryptors analyzed by BleepingComputer attempt to encrypt files with the .qcow2 extension, which is the virtual disk format used by Nutanix AHV.

However, the .qcow2 file extension has been targeted by Akira Linux encryptors since at least the end of 2024.
