Overview
- The joint advisory from CISA, the FBI, DoD DC3, HHS and international partners provides fresh indicators of compromise and observations current through November 2025.
- Authorities attribute roughly $244.17 million in illicit proceeds to Akira as of late September 2025, with the FBI ranking it among its top five ransomware variants under investigation.
- Investigators confirm Akira expanded in June 2025 to encrypt Nutanix AHV virtual machine disk files (.qcow2), extending beyond its earlier focus on VMware ESXi and Hyper-V.
- The group exploits multiple flaws, including SonicWall CVE-2024-40766 and Veeam CVE-2023-27532/CVE-2024-40711; gains access via stolen or brute-forced VPN/SSH credentials; and abuses tools such as AnyDesk, LogMeIn, Impacket and Ngrok while removing EDR and creating admin accounts.
- The advisory notes data theft can occur in just over two hours and urges immediate mitigations including rapid patching of known exploited vulnerabilities, phishing-resistant MFA, offline-tested backups and network segmentation.