The Akira ransomware group has expanded its operations by developing a new Linux encryptor specifically designed to target Nutanix virtual machines. This development was identified by researchers at the cybersecurity firm Arctic Wolf, highlighting a significant shift in the group’s tactics to focus on enterprise-grade virtualization platforms.

Since its emergence in March 2023, the Akira ransomware operation has successfully extorted over $42 million from more than 250 victims. The group primarily targets small and medium-sized businesses across a range of industries, leveraging this new tool to compromise valuable virtual environments.

Targeting Virtualization Infrastructure

The Linux variant of the Akira ransomware is engineered to attack ESXi servers, which are commonly used in enterprise data centers. The encryptor is specifically configured to target Nutanix Prism, a centralized management solution for Nutanix’s virtualized infrastructure. By compromising Prism, the attackers can gain control over and encrypt the virtual machines managed by the platform.

Analysis of the malware shows it uses specific command-line arguments to execute its functions. These commands allow the attackers to define the encryption path, specify the percentage of a file to encrypt for speed, and point to network shares. Before initiating the encryption process, the ransomware is programmed to terminate running virtual machine processes to ensure the virtual disk files are accessible for encryption.

Operational Impact and Extortion

The deployment of this specialized Linux encryptor has enabled Akira to execute highly effective attacks against organizations using Nutanix virtualization solutions. The group’s success is quantified by the substantial ransoms collected since it began operations. The focus on virtual machines is a strategic decision, as these systems often contain critical business data and applications, increasing the pressure on victims to pay the ransom demand.