February 10, 2026
BERT

1. What Is BERT Ransomware?

BERT is a sophisticated and rapidly evolving ransomware strain first identified in April–May 2025. It specifically targets critical systems across sectors such as healthcare, technology, event services, finance, and government—operating globally across Asia, Europe, and North America.

What sets BERT apart is its double-extortion method: it encrypts victims’ files and exfiltrates sensitive data, threatening to leak it publicly if the ransom isn’t paid.

2. How BERT Works: Key Mechanics & Behavior

Windows Variant

  • Delivered via PowerShell loaders from malicious infrastructure linked to Russia.
  • Escalates privileges, disables Windows Defender, firewalls, and User Account Control to evade detection and ensure successful payload delivery.
  • Terminates critical services like web servers and databases before encrypting data using AES.
  • Appends the extension .encryptedbybert to affected files and drops a .note.txt ransom note. The note instructs victims to contact attackers via the messaging platform Session, using a provided Session ID.

Linux / VMware ESXi Variant

  • Targets VMware ESXi servers, stopping all virtual machines using commands like esxcli vm process kill --type=force, which interrupts snapshots and backup systems.
  • Executes rapid, multi-threaded encryption (up to 50 threads), typically adding .encrypted_by_bert to encrypted files.
  • Shares significant code overlap with known ransomware families like REvil and Babuk, indicating code repurposing and adaptation.

Advanced Tactics

  • Employs techniques like process injection, timestomping, sandbox evasion, and registry-based persistence to remain undetected and persistent.
  • Gathers system intelligence by enumerating services, processes, and security tools before proceeding with encryption and exfiltration.

3. Impact & Risk Landscape

  • Operational Devastation: Encrypted and exfiltrated data compromises business continuity—especially devastating in healthcare and tech where access to data is vital.
  • Supply Chain Disruptions: For ESXi-targeted attacks, halting multiple VMs can cripple entire operations and affect partner ecosystems.
  • Compliance Exposure: Leaked data can trigger regulatory breaches (e.g., GDPR, HIPAA)—leading to sanctions, litigation, and reputational damage.

4. Real-World Cases

  • BERT has claimed high-profile victims including a Turkish hospital, an American electronics firm, a Malaysian construction company, a Colombian IT solutions business, and a Taiwanese semiconductor equipment provider.
  • A global maritime services company, S5 Agency World, reportedly had 140 GB of sensitive data exfiltrated, including inspection reports, vaccination records, invoices, and passport copies.

5. What Organisations Must Do: A Defense Blueprint

Preventive Measures

  • Maintain offline and segmented backups, tested regularly.
  • Keep all systems—especially ESXi hosts and Windows servers—up to date with the latest patches and security updates.
  • Use multi-factor authentication (MFA) and enforce unique passwords.
  • Limit user privilege levels and disable unnecessary services.

Detection & Response

  • Monitor command-line behavior (e.g., PowerShell execution, unusual API calls).
  • Implement system-integrity monitoring to detect registry or file perturbations.
  • Observe for data exfiltration patterns and connections to anomalous IP addresses/domains.
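Turning the monitoring items above into concrete detection logic, as an added example that is not part of the original post: a small Python detector run over a constructed, hypothetical event feed (the "epoch|host|type|detail" format is an assumption, not a real product's log format). It flags the esxcli force-kill command, renames to the .encryptedbybert / .encrypted_by_bert extensions, creation of the .note.txt ransom note, and a burst of such renames on one host, which is the mass-encryption pattern described in section 2.

```python
import re
from collections import defaultdict

# Indicators taken from the write-up above: the Windows and ESXi encryption
# extensions, the ransom-note filename and the esxcli command used to stop VMs.
BERT_EXTENSIONS = (".encryptedbybert", ".encrypted_by_bert")
RANSOM_NOTE = ".note.txt"
ESXI_KILL_RE = re.compile(r"\besxcli\s+vm\s+process\s+kill\b.*--type=force")
RENAME_BURST_THRESHOLD = 3  # BERT-extension renames on one host inside one window

# Constructed sample telemetry (hypothetical, not real logs): "epoch|host|type|detail"
SAMPLE_EVENTS = """\
1700000000|esxi01|shell|esxcli vm process list
1700000005|esxi01|shell|esxcli vm process kill --type=force --world-id=12345
1700000010|esxi01|rename|/vmfs/volumes/ds1/vm1/vm1.vmdk -> /vmfs/volumes/ds1/vm1/vm1.vmdk.encrypted_by_bert
1700000012|esxi01|rename|/vmfs/volumes/ds1/vm2/vm2.vmdk -> /vmfs/volumes/ds1/vm2/vm2.vmdk.encrypted_by_bert
1700000015|esxi01|rename|/vmfs/volumes/ds1/vm3/vm3.vmdk -> /vmfs/volumes/ds1/vm3/vm3.vmdk.encrypted_by_bert
1700000100|win-fs01|create|C:\\Users\\Public\\.note.txt
1700000200|win-fs01|rename|C:\\Data\\report.docx -> C:\\Data\\report.docx.bak
"""

def classify_event(event: str):
    """Return the BERT indicator a single event matches, or None."""
    _, _, kind, detail = event.split("|", 3)
    if kind == "shell" and ESXI_KILL_RE.search(detail):
        return "esxi_forced_vm_kill"
    if kind == "rename" and detail.lower().endswith(BERT_EXTENSIONS):
        return "bert_extension_rename"
    if kind == "create" and detail.lower().endswith(RANSOM_NOTE):
        return "bert_ransom_note"
    return None

def find_alerts(raw: str, window: int = 60):
    """Walk the feed; emit single-indicator alerts plus one burst alert per host."""
    alerts = []
    renames = defaultdict(list)  # host -> timestamps of BERT-extension renames
    for line in raw.splitlines():
        if not line.strip():
            continue
        ts_str, host = line.split("|", 2)[:2]
        ts = int(ts_str)
        tag = classify_event(line)
        if tag is None:
            continue
        alerts.append((host, tag))
        if tag == "bert_extension_rename":
            renames[host] = [t for t in renames[host] if ts - t <= window] + [ts]
            if len(renames[host]) == RENAME_BURST_THRESHOLD:  # fire once per burst
                alerts.append((host, "mass_encryption_burst"))
    return alerts

if __name__ == "__main__":
    for host, tag in find_alerts(SAMPLE_EVENTS):
        print(host, tag)
```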

Incident Triage

  • Immediately isolate infected systems and block suspicious activity.
  • Report incidents to cybersecurity authorities such as CERT-In or your local CERT body.
  • Consider professional forensic, backup-recovery and negotiation services, while remaining cautious, especially about paying the ransom; legal requirements vary by jurisdiction.

6. Final Thoughts

BERT is emblematic of the current state of ransomware: stealthy, destructive, and extortionate. By combining file encryption with data theft, it significantly increases pressure on victims to comply. Organizations must adopt a layered defense strategy, combining proactive protection, vigilant detection, robust backup, and swift incident response to mitigate its potent threat.
