Threat Report
BERT RANSOMWARE GROUP A newly emerged ransomware group targeting organizations across Asia and Europe since April 2025.
Threat Overview
The BERT Ransomware Group has recently emerged as a significant threat, targeting sectors including healthcare, technology, and event services in both Asia and Europe. The group relies on simple but effective code and attacks both Windows and Linux systems. Its tradecraft includes a PowerShell-based loader for initial infection, privilege escalation, and concurrent (multi-threaded) file encryption to maximize impact before defenders can react.
On Linux, BERT's ransomware runs with up to 50 encryption threads, which makes it especially damaging in environments built on virtual machines such as ESXi hosts. To delay detection and response, the group disables security features and terminates specific processes before encrypting; the encryption itself uses standard, well-established algorithms, so there is no cryptographic shortcut to recovering the data without the key.
Detailed Analysis
The BERT Ransomware Group's activity has been observed since April 2025, with a focus on sectors that are critical to daily operations. Its ransomware has both Windows and Linux builds, showing that the operators are comfortable working across operating systems.
On Windows, the group uses a PowerShell-based loader for initial infection, which lets it stage and execute the payload with living-off-the-land tooling that does not immediately stand out. Once on a host, it escalates privileges to gain the access needed for more damaging actions. Encryption is concurrent: files are processed in parallel across the system, which shortens the window in which defenders could interrupt the attack.
On Linux, the ransomware supports up to 50 threads, so large volumes of data can be encrypted quickly, leaving organizations with little opportunity to intervene and little choice but restoring from backups or paying. The Linux variant can also forcibly shut down ESXi virtual machines, which both disrupts the services those VMs provide and releases the locks a running VM holds on its disk files so they can be encrypted.
Before encrypting, the malware disables security features and terminates specific processes that could interfere with its operation. It uses standard encryption algorithms, which are effective against recovery and, because the same primitives are used by legitimate software, give detection tools little to key on at the cryptographic level. The Linux variant shows similarities to the Linux build of REvil ransomware, suggesting possible code reuse or collaboration between threat actors.
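The behaviours described above (a PowerShell loader that tampers with defences, process termination ahead of encryption, and forced power-off of ESXi VMs) are what a detection engineer can actually hunt for. The following Python block is an added example, not code from the report or from the threat actor: it runs a small set of heuristic rules over constructed log lines (Windows PowerShell script-block text and ESXi shell history) and flags hosts where several distinct behaviours co-occur. The specific commands matched (`Set-MpPreference -Disable...`, `netsh advfirewall ... state off`, `esxcli vm process kill`, `vim-cmd vmsvc/power.off`) are real administrative commands but are assumed here as typical defence-tampering and VM-kill tradecraft; the report does not list the exact commands BERT issues.

```python
"""Heuristic detection of BERT-style pre-encryption behaviour (added example).

Rules are deliberately generic: any one of them fires on legitimate admin work,
so a host is only flagged when several distinct rules trip across its events.
All sample events below are constructed for illustration.
"""
import re

# Windows: PowerShell ScriptBlock text (Event ID 4104). Assumed tradecraft patterns.
WINDOWS_RULES = {
    "defender_tamper": re.compile(r"Set-MpPreference\s+-Disable\w+", re.I),
    "firewall_off": re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I),
    "uac_disable": re.compile(r"EnableLUA[^;]*\b0\b", re.I),
    "process_kill": re.compile(r"(?:Stop-Process|taskkill)\b", re.I),
    "hidden_exec": re.compile(
        r"-(?:w|windowstyle)\s+hidden|-(?:ep|executionpolicy)\s+bypass", re.I),
}

# Linux/ESXi: shell history or auditd execve text. Assumed VM-kill and mass-kill patterns.
LINUX_RULES = {
    "esxi_vm_poweroff": re.compile(
        r"esxcli\s+vm\s+process\s+kill|vim-cmd\s+vmsvc/power\.off", re.I),
    "mass_kill": re.compile(r"\b(?:pkill|killall)\b"),
}

# Constructed sample telemetry: one benign admin script, one loader-like script,
# and an ESXi shell history that enumerates VMs and then forcibly kills them.
SAMPLE_EVENTS = [
    {"host": "WS-ADMIN01", "platform": "windows",
     "text": "Get-Process | Where-Object CPU -gt 100 | Stop-Process"},
    {"host": "WS-FIN07", "platform": "windows",
     "text": 'powershell -ep bypass -w hidden -c "Set-MpPreference '
             '-DisableRealtimeMonitoring $true; netsh advfirewall set '
             'allprofiles state off; taskkill /F /IM sqlservr.exe"'},
    {"host": "esxi-01", "platform": "linux", "text": "vim-cmd vmsvc/getallvms"},
    {"host": "esxi-01", "platform": "linux",
     "text": "esxcli vm process kill --type=force --world-id=12345"},
    {"host": "esxi-01", "platform": "linux", "text": "pkill -9 -f vmx"},
]


def match_rules(platform: str, text: str) -> set[str]:
    """Return the names of every rule for `platform` that matches `text`."""
    rules = WINDOWS_RULES if platform == "windows" else LINUX_RULES
    return {name for name, rx in rules.items() if rx.search(text)}


def score_hosts(events) -> dict[str, set[str]]:
    """Aggregate distinct rule hits per host across all of its events."""
    hits: dict[str, set[str]] = {}
    for ev in events:
        matched = match_rules(ev["platform"], ev["text"])
        if matched:
            hits.setdefault(ev["host"], set()).update(matched)
    return hits


def flag_hosts(events, min_rules: int = 2) -> list[str]:
    """Hosts whose events collectively trip at least `min_rules` distinct rules.

    A lone Stop-Process is routine; defence tampering plus process killing,
    or VM enumeration followed by forced power-off plus pkill, is not.
    """
    return sorted(h for h, s in score_hosts(events).items() if len(s) >= min_rules)


if __name__ == "__main__":
    for host, rules in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {sorted(rules)}")
    print("flagged:", flag_hosts(SAMPLE_EVENTS))
```

The threshold is the important design choice: every individual rule is noisy, so correlation across events on the same host within a time window (omitted here for brevity, but easy to add by keying on host and timestamp bucket) is what separates an operator preparing to encrypt from an administrator doing maintenance.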
Operational Security Measures
The BERT Ransomware Group takes several steps to avoid detection. Its PowerShell-based loader blends in with legitimate administrative scripting, and its use of standard encryption algorithms means the encryption routine itself looks no different from benign use of the same primitives. Disabling security features and terminating interfering processes before encryption removes the controls most likely to raise an alert, and maintaining both Windows and Linux variants lets the group reach systems that are often monitored less closely than user endpoints, such as ESXi hosts.
Recommendations for Mitigation
Organizations can implement several measures to mitigate the threat posed by the BERT Ransomware Group. These include:
- Network Segmentation: Segment the network to limit lateral movement. Divide it into smaller zones with strict access controls between them, and in particular keep hypervisor management interfaces (such as ESXi) reachable only from dedicated administrative networks.
- Regular Updates: Keep all systems and software up to date with the latest security patches, including operating systems, applications, and hypervisors. Patching closes the known vulnerabilities that ransomware operators like BERT exploit for initial access and privilege escalation.
- Intrusion Detection Systems: Deploy intrusion detection systems (IDS) to monitor network traffic for signs of malicious activity, and complement them with host-level telemetry such as PowerShell script block logging, since the group's initial loader is a PowerShell script that may never produce a distinctive network signature.
- Endpoint Protection: Deploy endpoint protection to detect and block ransomware on individual devices, and enable its tamper protection, because disabling security features is part of this group's playbook. Endpoint protection helps prevent the initial infection and limits the spread of ransomware within the network.
- Security Awareness Training: Provide regular security awareness training so employees can recognize and report potential threats. This can include phishing simulations, training on recognizing suspicious emails, and best practices for password security.
- Regular Backups: Maintain regular backups of critical data so it can be restored after a ransomware attack or data loss. Store backups offline, immutable, or in a separate network segment so the malware cannot encrypt or delete them, and test restores regularly, including of virtual machine images, so that recovery does not depend on the attacker's key.
- Incident Response Plan: Develop and maintain an incident response plan so the organization can respond quickly and effectively. The plan should cover containing the threat (including isolating affected hypervisors), investigating the incident, and restoring affected systems.
By implementing these measures, organizations can significantly reduce the risk of falling victim to the BERT Ransomware Group and other sophisticated ransomware threats.