The Akira ransomware-as-a-service (RaaS) group has been identified in a campaign specifically targeting organizations that use Nutanix virtual machine (VM) infrastructure. Security researchers at Cisco Talos reported on the group’s activities, which involve a multi-stage attack to gain access, exfiltrate data, and ultimately encrypt critical virtualized systems.
The threat actors’ primary method for initial access involves exploiting vulnerable Cisco AnyConnect SSL VPN services. By using stolen credentials against VPNs that lack multi-factor authentication, the Akira group gains a foothold within a target’s network. This approach has been observed as a consistent entry point for this specific campaign.
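The two conditions described above (successful VPN logins that completed without MFA, and a burst of failures followed by a success, which is what replayed stolen credentials look like in an authentication log) are straightforward to hunt for. The following is an added example written for this article, not code from Cisco Talos or from the Akira tooling; the log format, field names and sample events are constructed assumptions, so the parser would need to be adapted to a real VPN appliance's syslog layout.

```python
"""Triage VPN authentication events for two signals of the Akira entry method:
logins that succeeded without MFA, and accounts that succeeded shortly after a
run of failures. Added example with a constructed log format (assumption)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry.
# Fields: timestamp user source_ip result mfa_completed
SAMPLE_LOG = """\
2024-01-10T08:01:02Z alice 198.51.100.7 success yes
2024-01-10T08:05:10Z bob 203.0.113.9 failure no
2024-01-10T08:05:12Z bob 203.0.113.9 failure no
2024-01-10T08:05:14Z bob 203.0.113.9 failure no
2024-01-10T08:05:16Z bob 203.0.113.9 failure no
2024-01-10T08:05:20Z bob 203.0.113.9 success no
2024-01-10T09:30:00Z carol 198.51.100.8 success no
"""


def parse_events(text):
    """Turn the whitespace-separated log lines into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result, mfa = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "src_ip": ip,
            "ok": result == "success",
            "mfa": mfa == "yes",
        })
    return events


def logins_without_mfa(events):
    """Every successful login that did not complete a second factor."""
    return [(e["user"], e["src_ip"]) for e in events if e["ok"] and not e["mfa"]]


def failure_burst_then_success(events, min_failures=3, window=timedelta(minutes=10)):
    """Users who logged in within `window` after at least `min_failures`
    failed attempts: the shape of a stolen or guessed credential being replayed."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        by_user[e["user"]].append(e)
    flagged = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if not e["ok"]:
                continue
            recent_failures = [
                f for f in evs[:i] if not f["ok"] and e["ts"] - f["ts"] <= window
            ]
            if len(recent_failures) >= min_failures:
                flagged.append(user)
                break
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("no-MFA logins:", logins_without_mfa(evs))
    print("failure burst then success:", failure_burst_then_success(evs))
```

Both checks are hunt leads rather than verdicts: the first is most useful as a standing report that should be empty once MFA is enforced for every VPN profile, and the second needs the threshold and window tuned against the normal mistype rate of the user population.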
Lateral Movement and Targeting of Nutanix Prism
Once inside the network, the attackers use remote access software, including AnyDesk and RustDesk, to maintain persistence and navigate the compromised environment. Their reconnaissance activities focus on identifying high-value targets, with a specific emphasis on the Nutanix Prism management platform. Nutanix Prism is the central control plane for managing Nutanix virtualized environments, making it a critical asset.
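Because the attackers bring their own remote access software, endpoint process-creation telemetry is a practical place to catch the persistence stage. The script below is an added example, not part of the Talos report; it walks constructed process-creation events, flags AnyDesk and RustDesk executions on hosts where the tool has not been sanctioned, and raises the severity when the binary runs from a user-writable location. The event fields, the allowlist and the sample paths are assumptions.

```python
"""Flag executions of the remote-access tools named in the report (AnyDesk,
RustDesk) that are not on an approved-tool allowlist. Added example; the event
format, allowlist and sample events are constructed assumptions."""
import re

# Executable-name patterns for the tools; a match is a hunt lead, not proof of compromise.
REMOTE_ACCESS_TOOLS = {
    "anydesk": re.compile(r"anydesk", re.IGNORECASE),
    "rustdesk": re.compile(r"rustdesk", re.IGNORECASE),
}

# (host, tool) pairs where the helpdesk has sanctioned the tool (constructed).
APPROVED = {("helpdesk-01", "anydesk")}

# Paths an unprivileged user can write to; a remote-access tool launched from
# here is more likely to have been dropped by an intruder than installed by IT.
USER_WRITABLE = re.compile(r"\\Users\\|\\AppData\\|\\Temp\\", re.IGNORECASE)

# Constructed process-creation events, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws-17", "user": "jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe"},
    {"host": "helpdesk-01", "user": "svc_help",
     "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"},
    {"host": "db-02", "user": "admin",
     "image": r"C:\ProgramData\rustdesk\rustdesk.exe"},
    {"host": "ws-03", "user": "mlee",
     "image": r"C:\Windows\System32\notepad.exe"},
]


def classify(event):
    """Return the remote-access tool name the image matches, or None."""
    basename = event["image"].replace("\\", "/").rsplit("/", 1)[-1]
    for tool, pattern in REMOTE_ACCESS_TOOLS.items():
        if pattern.search(basename):
            return tool
    return None


def unapproved_remote_access(events):
    """List (host, user, tool, severity) for unsanctioned tool executions."""
    findings = []
    for event in events:
        tool = classify(event)
        if tool is None or (event["host"], tool) in APPROVED:
            continue
        severity = "high" if USER_WRITABLE.search(event["image"]) else "medium"
        findings.append((event["host"], event["user"], tool, severity))
    return findings


if __name__ == "__main__":
    for finding in unapproved_remote_access(SAMPLE_EVENTS):
        print(finding)
```

Name matching is deliberately loose because renamed binaries are common; pairing this with publisher or hash checks on the image, and with outbound connections to the tools' relay infrastructure, tightens it considerably.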
The Akira operators use their access to interact with the Nutanix infrastructure, leading to the exfiltration of sensitive data from Nutanix Era databases. This data theft precedes the final stage of the attack, which is the deployment of the ransomware payload.
Ransomware Deployment on Virtual Machines
After exfiltrating data, the threat actors deploy a Rust-based variant of the Akira ransomware. The ransomware is executed to encrypt the Nutanix virtual machines, disrupting business operations and holding the victim’s data hostage. The attack pattern demonstrates a clear intent to target backup and database platforms within virtualized infrastructure, aiming to inflict maximum damage and increase the likelihood of a ransom payment.