incident
Akira Ransomware Bypasses EDR by Launching Unmonitored VMs on Hyper-V HostsAkira ransomware VM-based EDR bypass
The Akira ransomware group has been observed deploying ransomware from newly created, unmonitored virtual machines on Windows Hyper-V hosts to evade endpoint detection and response (EDR) tools. This technique allows attackers to encrypt virtual disk files while bypassing security controls that are not installed on the attacker-created VMs. The group also attempted to use the open-source Terminator BYOVD tool to disable EDR, but it was detected and blocked.