🔍 TL;DR:
This article highlights the evolving ransomware threat Akira and how to protect critical backup infrastructure by:
🛡️ Treating backup systems as tier-0 assets, with consistent patching and hardening
☁️ Leveraging immutable, offsite backups in Veeam Data Cloud Vault for secure recovery
⚡ Using instant recovery to Azure and backup scanning to ensure fast, clean restoration
Data protection is no longer just about surviving natural disasters or hardware failures. Today, cyber attacks, malware, and ransomware drive recovery strategy. Backup systems, alongside production infrastructure, are now a prime target. Organisations must assume that at some point, production systems will be compromised and plan accordingly.
CISA, the U.S. federal Cybersecurity and Infrastructure Security Agency, issued an advisory in April 2024 highlighting the Akira ransomware group as a persistent, organized ransomware threat. The advisory outlines the gang’s tactics, initial access methods, and frequent exploitation of known vulnerabilities in different devices, systems, and software, including backup systems. More recently, in November, CISA updated the advisory after reports of Akira actively attacking Nutanix environments. The update underscores the evolving threat and scope of Akira and reinforces the need for patching and hardening systems.
Who Is Akira?
Akira is a prolific and organized ransomware gang linked to numerous high-impact incidents across manufacturing, financial services, education, and critical infrastructure. Some publicly reported Akira attacks include breaches affecting universities, governments, industrial suppliers, and service providers, often resulting in significant operational disruption and large-scale data exfiltration. Coveware by Veeam specializes in cyber incident readiness and response, helping organizations prepare, minimize damage, guide recovery, and ensure secure outcomes. Akira has consistently featured in Coveware’s reporting due to the group’s scale, sophistication, and frequency of attacks.
Why Akira Targets Backup Systems
The CISA alert highlights that Akira is exploiting old, known vulnerabilities that were disclosed and already patched in Veeam. This problem isn’t unique to Veeam; every vendor has CVEs. What sets Veeam apart is transparency and proactivity: publishing fixes, guidance, and security hardening recommendations. Attackers don’t care how old a vulnerability is: if it’s unpatched, it’s still an open door. Ultimately, the problem lies with unpatched or poorly hardened systems that give attackers an entry point into both production and backup environments.
Backup systems are a high-value target for ransomware gangs for two main reasons:
Access to privileged credentials: Backup systems often store production or privileged credentials required to perform backup and recovery tasks. By compromising the backup environment, attackers can extract privileged account information, giving them deeper access into production systems and increasing the impact of their attack.
Disruption of recovery efforts: If attackers compromise backups, they can hinder an organization’s ability to recover systems. This may involve deleting or corrupting backups, or even exfiltrating backup data as additional leverage for ransom. In essence, a compromised backup system increases the pressure on victims to pay, because recovery becomes more difficult or impossible without clean, secure backups.
For backup administrators, the lesson is straightforward: patch early, harden consistently, assume attackers will try to reach your backup infrastructure, and treat your backup platform as a tier-0 security asset.
Given these risks, organizations need solutions that not only protect backups but also enable rapid, trustworthy recovery. Veeam provides several features designed to do exactly that.
How Veeam Can Help
Modern data protection strategies assume that production systems may be compromised. The key goal is ensuring backups remain safe, recoverable, and trustworthy. Veeam provides a full suite of security features designed to protect against ransomware attacks like those mentioned in the advisory about Akira, even in environments such as Nutanix AHV.
Veeam Software Appliance (V13)
The new Veeam software appliance is hardened by default, delivered following DISA STIG hardening guidelines, and enforces security policies and a zero-trust architecture. This reduces the likelihood of backup system compromise, limiting attackers’ ability to exploit credentials or manipulate backups.
Immutable Backups in Veeam Data Cloud Vault
Storing backups offsite with immutability, encryption, and separation from production authentication is one of the strongest defences against ransomware. Veeam Data Cloud Vault fulfils this, providing a fully managed, isolated, and hardened backup repository that attackers cannot modify or delete. Because Vault is externally managed by Veeam, it remains out of reach even if an attacker gains admin-level access to Nutanix, VMware, or other on-prem platforms. This isolation ensures a secure offsite recovery point that stays intact during an attack. For organizations targeted by Akira, this means clean backup copies are always available, even in the worst-case scenario where both production and DR environments are compromised.
Instant Recovery to Azure
When a ransomware attack compromises hypervisors or management infrastructure, restoring back into the same environment is unsafe. Recovery must happen in a clean, uncompromised location where workloads can be validated without risk of reinfection. In these scenarios, Nutanix AHV VMs can be instantly recovered into Microsoft Azure using backups stored in Veeam Data Cloud Vault. This creates a clean-room recovery environment, ensuring infected production or DR systems remain isolated while workloads are safely brought online elsewhere. Veeam’s Instant Recovery technology can recover and power on VMs to Azure in as little as six minutes per VM, dramatically reducing downtime when every second counts. Organisations can validate workloads in Azure before returning them to production, enabling fast, controlled recovery even during severe compromise of on-prem infrastructure.
Backup Scanning and Incident Response
When you need to recover, you need to recover fast. Scanning existing backups to find the last safe, clean restore point is critical during a ransomware attack. Veeam provides built-in scanning capabilities to detect threats early and support rapid recovery. Inline backup scanning inspects backup data as it is created, looking for the likes of ransomware notes, in-guest encryption, or other suspicious activity. Existing backups can also be scanned for indicators of compromise, such as malware, encryption, or known attack tools, helping administrators quickly identify the last safe restore point.
In addition, the Veeam Incident API enables external security tools to trigger immediate backups or perform backup scanning when a threat is detected. This ensures a secure restore point exists even if an attack is actively spreading.
Tools that can integrate with the Incident API include security orchestration and response platforms such as Palo Alto Cortex XSOAR, Microsoft Sentinel, or network detection solutions like Progress Flowmon. When these tools detect suspicious activity or ransomware-like behavior, they can trigger Veeam to create or scan a backup, ensuring integrity before the attack progresses.
Attacks like this are a reminder that data protection isn’t just about ticking boxes. It’s about expecting the unexpected, whether that’s a cyclone taking out a DC or a ransomware crew quietly working their way through your virtual environment. Akira’s shift toward Nutanix environments shows how quickly the threat landscape can move, and it reinforces that ransomware isn’t slowing down. The methods, the attack paths, and the systems being targeted continue to expand.
This is why having layered security, immutable backups, and a clean, isolated environment to restore into matters. Having this makes it possible for organisations to keep operating after an attack instead of becoming another cautionary tale.
The tools are there. The guidance is there.
It’s up to us as backup and infrastructure people to put them into practice before an incident forces the issue.

