Akira ransomware Linux encryptor expands to Nutanix AHV VM disk encryption
Malware Activity
Summary
The Akira ransomware operation has expanded its encryptor to Nutanix AHV VM disks, increasing the range of virtualized environments that can be encrypted during intrusions. The new behavior was first observed in a June 2025 incident and extends Akira beyond VMware ESXi and Hyper-V. Attackers reached those environments by abusing CVE-2024-40766 on SonicWall devices, while the encryptor directly targets .qcow2 virtual disk files.
Related Happenings
Vect ransomware flawed ChaCha20 implementation destroys large files
Technical Analysis
First: 29.04.2026 13:45
Last: 29.04.2026 13:45
Sources 1
About this happening:
**Vect 2.0 ransomware** was shown to use **raw ChaCha20-IETF (RFC 8439)** without authentication, causing files above **128 KB** to be permanently destroyed across **Windows, Linu...
VECT 2.0 ransomware-branded file destruction malware
Malware Activity
First: 28.04.2026 17:01
Last: 28.04.2026 17:01
Sources 1
About this happening:
The **VECT 2.0** malware now behaves like a **wiper** rather than recoverable ransomware, permanently destroying large files and raising the stakes for victims. The destructive fl...
Kyber ransomware targeting Windows and VMware ESXi
Malware Activity
First: 22.04.2026 21:52
Last: 22.04.2026 21:52
Sources 1
About this happening:
**Kyber ransomware** is actively hitting **Windows** and **VMware ESXi** environments, using two variants that can encrypt files, datastores, and recovery paths. The activity rais...
Akira group rapid double-extortion ransomware activity
Malware Activity
First: 02.04.2026 16:00
Last: 02.04.2026 16:00
Sources 1
About this happening:
**Akira** ransomware activity now includes **AdaptixC2** abuse in active intrusions, alongside the group’s **under-one-hour** to **under-four-hours** attack cadence. A **Silent Pu...
BRICKSTORM backdoor activity and GRIMBOLT replacement on appliances
Malware Activity
First: 18.02.2026 12:32
Last: 18.02.2026 12:32
Sources 1
About this happening:
**BRICKSTORM** is a **Golang backdoor** used by **PRC state-sponsored actors** to keep **long-term persistence** on **VMware vSphere**, **Windows**, and appliance environments. **...
Timeline
14.11.2025 00:32 2 articles · 6mo ago
Akira Nutanix AHV encryption warning
Initial Disclosure
US government agencies and international partners warned that Akira ransomware had expanded to encrypt Nutanix AHV virtual machines, with attackers first observed in a June 2025 incident abusing CVE-2024-40766 on SonicWall devices to encrypt .qcow2 VM disk files. The updated advisory also added indicators of compromise, noted tactics observed through FBI investigations and third-party reporting as recent as November 2025, and urged regular offline backups, enforced multifactor authentication, and rapid patching of known exploited vulnerabilities.
Sources
- CISA warns of Akira ransomware Linux encryptor targeting Nutanix VMs — www.bleepingcomputer.com — 14.11.2025 00:32