The United States Cybersecurity and Infrastructure Security Agency (CISA), alongside a coalition of global law-enforcement and cybersecurity organizations, has issued a warning about the rapidly evolving Akira ransomware threat. The newly updated joint advisory—part of the #StopRansomware initiative—details the gang’s expanded capabilities, refined tactics, and increasing impact across critical sectors worldwide.
Originally published in April 2024 and updated on November 13, 2025, the advisory highlights “new Akira ransomware activity that presents an imminent threat to critical infrastructure,” noting that fresh insights are drawn from investigations as recent as November 2025.
According to the document, the advisory is co-authored by a wide consortium including the FBI, CISA, the Department of Defense Cyber Crime Center (DC3), the U.S. Department of Health and Human Services (HHS), Europol EC3, French OFAC, German Cybercrime-Zentrum and LKA Baden-Württemberg, and the Netherlands’ NCSC-NL.
While Akira initially focused on smaller companies, it has since widened its scope dramatically. The advisory states that Akira has targeted organizations across manufacturing, education, IT, healthcare, financial services, and food and agriculture, showing a clear pivot toward high-value sectors.
Since its emergence in March 2023, Akira has impacted organizations across North America, Europe, and Australia, rapidly carving out territory in the global ransomware ecosystem.
A new figure appears in the advisory: “As of late September 2025, Akira ransomware has claimed approximately $244.17 million (USD) in ransomware proceeds.” This financial milestone cements Akira among the most lucrative and destructive ransomware operations currently active.
One of the headline revelations is Akira’s expansion into additional virtualization platforms. In June 2025, the group carried out its first successful encryption of Nutanix AHV virtual machine disk files, made possible by exploiting a SonicWall vulnerability (CVE-2024-40766). This shift dramatically widens the potential impact of future attacks.
Akira continues to refine its ransomware payloads. According to the bulletin, the group uses a hybrid encryption scheme combining ChaCha20 and RSA, enabling fast and secure file locking at scale. Encrypted files are given a .akira or .powerranges extension.
With the emergence of the Akira_v2 encryptor, the gang introduced additional extensions such as .akiranew and .aki, reflecting ongoing toolchain evolution.
Akira’s operational tempo has accelerated sharply. The advisory reveals, “In some incidents, Akira threat actors exfiltrated data in just over two hours from initial access.”
This means many organizations may not detect the intrusion until long after the attackers have already stolen and encrypted critical data.
Akira frequently enters networks by abusing unprotected or vulnerable VPN services—often those lacking MFA. They rely extensively on Cisco VPN vulnerabilities, including CVE-2020-3259, CVE-2023-20269, and the recently included CVE-2020-3580.
Newer intrusions show an expansion to SonicWall and Veeam vulnerabilities, and increasingly rely on password spraying, brute-forcing, and SSH exploitation.
The advisory lists more than two dozen tools leveraged by Akira, spanning legitimate IT software, tunneling frameworks, password recovery utilities, and malware loaders. Among them:
- AnyDesk and LogMeIn for persistence and lateral movement
- RClone, WinRAR, WinSCP, FileZilla for data collection and exfiltration
- Ngrok for encrypted C2 tunneling
- Mimikatz, LaZagne, SharpDomainSpray for credential theft
- Cobalt Strike & SystemBC for remote access and post-exploitation
CISA warns that many of these tools are legitimate applications repurposed for malicious operations and should not be considered malicious without supporting evidence.
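As an added illustration of how a defender can act on the two observable details above (the encryptor file extensions and the dual-use tool list) without treating every sighting of a legitimate tool as an incident, the following triage script is example code written for this page; it is not from the advisory, CISA, or any of the named vendors. The log format, host names, file paths, and the corroboration threshold are assumptions; only the extensions and tool names come from the advisory text summarised above.

```python
"""Triage constructed endpoint events for Akira-style indicators.

Added example, not from the advisory. The "host|type|detail" log format,
host names, paths and the scoring thresholds are assumptions; the file
extensions and tool names are the ones the advisory attributes to Akira.
"""
import re
from collections import defaultdict

# Extensions the advisory attributes to the Akira and Akira_v2 encryptors.
AKIRA_EXTENSIONS = {".akira", ".powerranges", ".akiranew", ".aki"}

# Dual-use tools named in the advisory, grouped by the role described there.
# One of these alone is NOT evidence of compromise (the advisory's own
# caveat); the triage below escalates only on corroboration.
TOOL_ROLES = {
    "remote_access": {"anydesk", "logmein"},
    "exfiltration": {"rclone", "winrar", "winscp", "filezilla"},
    "tunneling": {"ngrok"},
    "credential_theft": {"mimikatz", "lazagne", "sharpdomainspray"},
    "post_exploitation": {"cobaltstrike", "systembc"},
}

# Constructed sample log lines (assumed format: host|event type|detail).
SAMPLE_LOG = """\
ws-01|process|C:\\Users\\alice\\AppData\\Local\\WinRAR\\WinRAR.exe
ws-01|process|C:\\Windows\\System32\\notepad.exe
srv-02|process|C:\\Temp\\rclone.exe
srv-02|process|C:\\Temp\\mimikatz.exe
srv-02|process|C:\\ProgramData\\ngrok.exe
fs-03|file_rename|D:\\Shares\\finance\\q3.xlsx -> D:\\Shares\\finance\\q3.xlsx.akira
fs-03|file_rename|D:\\Shares\\finance\\q3.docx -> D:\\Shares\\finance\\q3.docx.akira
fs-03|process|C:\\Temp\\w.exe
"""

LINE_RE = re.compile(r"^(?P<host>[^|]+)\|(?P<kind>[^|]+)\|(?P<detail>.*)$")


def parse(log_text):
    """Yield (host, kind, detail) tuples, skipping lines that don't match."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("host"), m.group("kind"), m.group("detail")


def tool_role(path):
    """Return the advisory role for a process image name, or None."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    for role, names in TOOL_ROLES.items():
        if any(n in name for n in names):
            return role
    return None


def akira_extension(detail):
    """Return the Akira extension if a rename's destination ends in one."""
    dest = detail.split("->")[-1].strip().lower()
    # Longest extension first so ".akiranew" is not reported as ".aki".
    for ext in sorted(AKIRA_EXTENSIONS, key=len, reverse=True):
        if dest.endswith(ext):
            return ext
    return None


def triage(log_text, corroboration_threshold=2):
    """Score each host: an encryptor extension is high on its own; tool
    sightings reach medium only when distinct roles co-occur on the same
    host (assumed threshold), otherwise they stay low for analyst review."""
    hosts = defaultdict(lambda: {"extensions": set(), "roles": set()})
    for host, kind, detail in parse(log_text):
        if kind == "file_rename":
            ext = akira_extension(detail)
            if ext:
                hosts[host]["extensions"].add(ext)
        elif kind == "process":
            role = tool_role(detail)
            if role:
                hosts[host]["roles"].add(role)
    verdicts = {}
    for host, h in hosts.items():
        if h["extensions"]:
            level = "high"
        elif len(h["roles"]) >= corroboration_threshold:
            level = "medium"
        else:
            level = "low"
        verdicts[host] = {"level": level,
                          "extensions": sorted(h["extensions"]),
                          "roles": sorted(h["roles"])}
    return verdicts


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_LOG).items():
        print(host, verdict)
```

Run against the constructed sample, the workstation that only launched WinRAR stays at "low", the server running Rclone, Mimikatz and ngrok together is raised to "medium" because three distinct roles corroborate each other, and the file server producing .akira renames is "high" regardless of which processes were seen. Tune the threshold and role table to your own environment; the point is that the process sightings alone never reach the top tier.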
As with most modern ransomware groups, Akira uses a double-extortion model, encrypting systems while also stealing sensitive data and threatening public release.
“Akira threat actors threaten to publish exfiltrated data on the Tor network, and in some instances have called victimized companies.”
CISA and global partners urge all organizations to take urgent steps to mitigate the threat, including:
- Enable phishing-resistant MFA
- Patch known exploited vulnerabilities
- Maintain offline, tested backups
- Segment networks to hinder lateral movement
- Deploy EDR and monitor for abnormal activity