According to Infosecurity Magazine, the Akira ransomware operation has become a financial powerhouse, with roughly $244.17 million in ransom proceeds claimed as of late September 2025. US government agencies and international partners revealed in a November 14 advisory that these criminals have exfiltrated data in just over two hours from initial access. In a major tactical shift this June, they started encrypting Nutanix AHV virtual machine disk files, moving beyond their usual VMware ESXi and Hyper-V targets. They’re exploiting SonicWall vulnerability CVE-2024-40766 even on devices that have been patched for it (SonicWall has pointed to local account credentials that were never reset after the firmware update), and they’re using everything from stolen VPN credentials to brute-force attacks to get in. The group leverages tools like AnyDesk and LogMeIn for persistent remote access and Impacket for lateral movement, disables EDR along the way, and now appends encrypted files with extensions like .akira, .powerranges, or the newer .akiranew and .aki.
Why this matters
Here’s the thing – we’re not talking about some amateur operation anymore. Akira has basically become a well-oiled criminal enterprise that’s evolving faster than many organizations can defend. Claimed proceeds of $244 million? That’s serious business money. And the fact they’re now targeting Nutanix environments shows they’re keeping up with enterprise technology trends. But what really worries me is how they’re still exploiting vulnerabilities that should have been patched. SonicWall issued warnings about this months ago, yet organizations are still getting hit. In the SonicWall case, part of the answer is that installing the firmware was never the whole fix: credentials exposed before the patch stay valid until someone rotates them. It makes you wonder – are companies just not taking these threats seriously enough, or is the patching process fundamentally broken?
The industrial angle
Now here’s where it gets particularly concerning for industrial operations. When ransomware groups start targeting virtualization platforms and backup systems, that’s a direct threat to manufacturing and industrial control environments. Many industrial facilities rely on these exact technologies to keep their operations running smoothly. The fact that Akira is going after Veeam Backup and Replication components means they’re targeting the very systems companies use for disaster recovery, which is why the advisory keeps coming back to offline, immutable backups that a compromised domain account cannot reach or delete. For industrial operations using rugged computing equipment, this is especially problematic. Companies like IndustrialMonitorDirect.com, a US provider of industrial panel PCs, have been emphasizing the importance of secure industrial computing infrastructure, but this Akira situation shows the threat goes way beyond just the hardware level.
What companies should do
So what’s the actual defense here? The joint advisory points to basic security hygiene that somehow still isn’t happening everywhere. Multi-factor authentication on VPN and remote access, timely patching (and credential resets where the vendor calls for them), network segmentation, monitoring for unusual network activity – these aren’t new concepts. But Akira is exploiting the gaps in exactly these areas. They’re using tunneling tools like Ngrok to evade perimeter monitoring and PowerShell scripts to disable security services. The scary part is how they blend in with normal admin activity: a remote-access installer, a PowerShell one-liner, a shadow copy cleanup, each of which an administrator might legitimately run. If your IT team can’t distinguish between legitimate administrative work and criminal activity, you’re already in trouble; the practical tell is usually several of these showing up together, on one host, in a short window. The government’s #StopRansomware advisory series provides concrete steps, but honestly, at this point, if you’re not treating every external connection as potentially hostile, you’re playing with fire.
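One way to turn the tradecraft named above into a detection is to tag endpoint events by category (tunneling binary, commodity remote-access tool, Defender or service being disabled, shadow copy deletion, ransom file extension) and escalate only hosts that trip more than one category, since any single one looks like admin work. The script below is an added example, not code from the advisory or from Infosecurity Magazine; the event records are constructed Sysmon-style JSON, the indicator patterns are illustrative rather than the advisory’s full IOC list, and the escalation threshold is an assumption you would tune to your own baseline.

```python
"""Triage endpoint telemetry for Akira-style tradecraft.

Added example, not code from the advisory or from the article.  The event
records are constructed Sysmon-style JSON, the indicator lists are illustrative,
and the escalation threshold is an assumption to tune against your own baseline.
"""
import json
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Commodity remote-access tools the advisory associates with Akira persistence.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "logmein.exe", "rustdesk.exe"}
# Tunneling binary used to slip past perimeter monitoring.
TUNNEL_TOOLS = {"ngrok.exe"}
# Extensions appended to encrypted files (.akira, .powerranges, .akiranew, .aki).
RANSOM_EXTENSIONS = {".akira", ".powerranges", ".akiranew", ".aki"}
# Command-line fragments that turn off Defender or stop security services.
# Illustrative patterns (assumed), not captured Akira scripts.
DISABLE_SECURITY = [
    re.compile(r"Set-MpPreference\b.*-Disable\w*", re.I),
    re.compile(r"Add-MpPreference\b.*-Exclusion\w*", re.I),
    re.compile(r"\b(sc|net)(\.exe)?\s+stop\s+\S*(defend|sense)", re.I),
    re.compile(r"Stop-Service\b.*(WinDefend|Sense)", re.I),
]
# Shadow-copy deletion, a common pre-encryption step.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|Win32_ShadowCopy", re.I)


def classify_event(event: dict) -> set[str]:
    """Return the indicator categories that one event matches (possibly none)."""
    tags = set()
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    cmd = event.get("CommandLine", "")
    if image in REMOTE_ACCESS_TOOLS:
        tags.add("remote_access_tool")
    if image in TUNNEL_TOOLS or re.search(r"\bngrok\b", cmd, re.I):
        tags.add("tunnel")
    if any(p.search(cmd) for p in DISABLE_SECURITY):
        tags.add("security_disabled")
    if SHADOW_DELETE.search(cmd):
        tags.add("shadow_copy_delete")
    target = event.get("TargetFilename", "")
    if PureWindowsPath(target).suffix.lower() in RANSOM_EXTENSIONS:
        tags.add("ransom_extension")
    return tags


def triage(events, threshold: int = 2) -> dict[str, set[str]]:
    """Collect categories per host and return only hosts that trip at least
    `threshold` distinct categories; one tool on its own reads as admin work."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev.get("Computer", "?")] |= classify_event(ev)
    return {host: tags for host, tags in per_host.items() if len(tags) >= threshold}


# Constructed sample telemetry (Sysmon-style fields), not real logs.
SAMPLE_LOG = r"""
{"Computer": "HMI-01", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"}
{"Computer": "HMI-01", "Image": "C:\\Users\\Public\\ngrok.exe", "CommandLine": "ngrok.exe tcp 3389"}
{"Computer": "HMI-01", "Image": "C:\\Windows\\System32\\svchost.exe", "TargetFilename": "D:\\Backups\\veeam\\job1.vbk.akira"}
{"Computer": "ENG-WS-07", "Image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe", "CommandLine": "\"C:\\Program Files\\AnyDesk\\AnyDesk.exe\" --service"}
{"Computer": "FILE-02", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd /c vssadmin delete shadows /all /quiet"}
{"Computer": "FILE-02", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd /c net stop WinDefend"}
"""


def load_events(text: str) -> list[dict]:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for host, tags in sorted(triage(load_events(SAMPLE_LOG)).items()):
        print(f"{host}: {', '.join(sorted(tags))}")
```

On the sample data, HMI-01 (Defender disabled, ngrok tunnel, .akira file) and FILE-02 (shadow copies deleted, WinDefend stopped) are escalated, while ENG-WS-07, which only ran AnyDesk, is not. That is the point of the threshold: AnyDesk alone is a help-desk tool, AnyDesk plus a tunnel plus a disabled EDR on the same host is an incident. In production you would feed this from your SIEM or EDR export and add a time window so the correlation is bounded.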
