Bert Ransomware: A New Cyber Threat Gaining Speed Across Continents

A Silent Threat That’s Gaining Momentum

A newly discovered ransomware group known as Bert is making waves in the cybersecurity world with a fast-paced and adaptable attack strategy. Since its emergence in April 2025, Bert has quickly targeted organizations in the United States, Europe, and Asia, particularly within industries such as healthcare, technology, and event services. This rapidly evolving threat, analyzed in depth by cybersecurity firm Trend Micro, shows signs of sophistication despite its use of relatively simple tools. What makes Bert dangerous isn’t complex code — it’s the combination of agility, infrastructure diversity, and stealth.

Bert targets both Windows and Linux platforms, leveraging PowerShell abuse, concurrent file encryption, and multi-threaded architectures to maximize damage before detection can occur. Trend Micro’s research notes that the group has quickly shifted between ransomware versions, enhancing speed, effectiveness, and scalability. While its infrastructure ties to a Russian ASN might suggest a regional connection, attribution remains unclear.

This fast learning curve and aggressive evolution mark Bert as a significant player in the growing field of ransomware-as-a-service (RaaS), drawing comparisons to groups like REvil. As organizations worldwide adapt to this new threat landscape, understanding Bert’s methods is the first step in staying ahead of what could become one of 2025’s most dangerous cybercrime groups.

Bert’s Tactics and Technical Summary

Broad Targeting Across Regions and Sectors

Since April 2025, the Bert ransomware group has launched attacks across North America, Europe, and Asia, with confirmed targets in healthcare, technology, and events management. These industries, often rich in sensitive data, are high-value targets for cybercriminals.

Russian Infrastructure, Global Reach

Bert connects to a remote IP under ASN 39134, registered in Russia. While not definitive proof of Russian origin, it does indicate the group might be leveraging infrastructure commonly used by Russian threat actors. This detail adds geopolitical complexity to the ransomware’s profile.

Cross-Platform Capabilities: Windows and Linux

Bert attacks both Windows and Linux environments. Its Windows ransomware variants initially had simpler encryption workflows. Over time, these were replaced by more streamlined and concurrent methods, such as using ConcurrentQueue and DiskWorker to initiate on-the-fly multi-threaded encryption.

The Linux variant, found in May 2025, demonstrates even more aggressive behavior. It spawns 50 concurrent threads to accelerate encryption, terminating virtual machine processes on ESXi hosts to maximize disruption. It uses a custom file extension .encrypted_by_bert and a matching ransom note format. This Linux version is possibly derived from REvil’s earlier campaigns against ESXi systems.

PowerShell Weaponization

Bert heavily abuses PowerShell, using it to escalate privileges (-Verb RunAs), disable Windows firewall profiles (Set-NetFirewallProfile), and load ransomware while evading endpoint detection tools. This tactic leverages legitimate tools to disguise malicious activity, making post-compromise defenses more difficult.

Evolution of Encryption Methods

Older Bert variants used basic process termination, followed by a delayed encryption process where valid file paths were gathered before the encryption began. Newer variants bypass this inefficiency with real-time encryption as files are discovered, showing how quickly the group is adapting and improving.

Embedded JSON Configurations

Modern Bert samples include JSON-configured settings embedded within the binary, allowing for campaign-specific customization. This structure enhances the ransomware’s ability to adapt quickly to different targets, environments, and use cases — another sign of its maturity.
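As an added illustration (this is not code from Trend Micro or from the Bert samples), the following Python snippet shows the triage step an analyst takes against a binary that carries an embedded JSON configuration: scan the raw bytes for balanced brace spans and keep the ones that parse as JSON objects. The sample "binary" and its keys (extension, note, threads, skip_dirs, min_size) are constructed for the example and are not the real Bert schema.

```python
import json

# Constructed sample "binary": a header, junk bytes, one valid embedded JSON config,
# a decoy that is not JSON, and a second small JSON object. The keys (extension, note,
# threads, skip_dirs, min_size) are hypothetical and not the real Bert schema.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
    + b'{"extension": ".encrypted_by_bert", "note": "READ_ME.txt", "threads": 50, '
    + b'"skip_dirs": ["Windows", "Program Files"]}'
    + b"\xff\xfe" * 8 + b"{not json" + b"\x00" * 4
    + b'{"min_size": 1024}' + b"\x00" * 4
)


def extract_json_blobs(data: bytes, min_keys: int = 1):
    """Return [(offset, dict), ...] for every balanced {...} span in `data` that parses
    as a JSON object with at least `min_keys` keys.

    Braces are matched outside string literals only, so a '}' inside a string value
    does not end the candidate early. A control byte or a non-ASCII byte outside a
    string cannot be JSON syntax, so the scan abandons that candidate immediately
    instead of running to the end of the file."""
    results = []
    i, n = 0, len(data)
    while i < n:
        if data[i] != 0x7B:  # '{'
            i += 1
            continue
        depth, in_str, esc, end = 0, False, False, -1
        for j in range(i, n):
            c = data[j]
            if in_str:
                if esc:
                    esc = False
                elif c == 0x5C:  # backslash starts an escape
                    esc = True
                elif c == 0x22:  # closing quote
                    in_str = False
                continue
            if c == 0x22:
                in_str = True
            elif c == 0x7B:
                depth += 1
            elif c == 0x7D:  # '}'
                depth -= 1
                if depth == 0:
                    end = j
                    break
            elif (c < 0x20 and c not in (0x09, 0x0A, 0x0D)) or c > 0x7E:
                break  # not JSON syntax outside a string: give up on this candidate
        if end != -1:
            try:
                obj = json.loads(data[i:end + 1].decode("utf-8"))
            except (UnicodeDecodeError, ValueError):
                obj = None
            if isinstance(obj, dict) and len(obj) >= min_keys:
                results.append((i, obj))
                i = end + 1
                continue
        i += 1
    return results


if __name__ == "__main__":
    for offset, cfg in extract_json_blobs(SAMPLE_BINARY):
        print(f"config at offset {offset}: {cfg}")
```

On a real sample the recovered object is what tells you the campaign-specific settings (extension, note name, exclusions) without running the binary; a packed or encrypted sample needs unpacking or a memory dump first, because the scan only finds plaintext JSON.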

What Undercode Says:

The Speed of Ransomware Evolution is Increasing

Bert’s appearance represents a growing trend in ransomware development: the use of modular design, cross-platform compatibility, and cloud-hosting infrastructure to build scalable, fast-spreading campaigns. It’s a reflection of how ransomware development has shifted from lone hackers to highly organized, agile groups that function more like software startups than cybercriminal gangs.

Simplicity Doesn’t Mean Weakness

Bert’s success despite using “simple tools” proves that technical minimalism can still be dangerous when combined with smart execution. Rather than sophisticated zero-days, Bert relies on privilege escalation via PowerShell, disabling firewalls, and targeted encryption — all actions that are harder to detect when cleverly obfuscated.

PowerShell Remains a Security Weak Point

PowerShell continues to be one of the most abused tools by attackers because it’s native to Windows, powerful, and trusted. The misuse of Start-Process with elevated permissions is a red flag that many endpoint systems fail to catch. Organizations should restrict PowerShell usage, especially in servers and critical infrastructure environments.
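The two PowerShell behaviours called out above, elevation through Start-Process -Verb RunAs and firewall profiles switched off with Set-NetFirewallProfile, are exactly what script-block logging exists to catch. As an added example (not code from the report or the Bert samples), here is a small Python detector run over constructed records modelled on Windows PowerShell Event ID 4104 script-block text; the log lines, user names and paths are made up for the example.

```python
import re
from dataclasses import dataclass

# Constructed script-block log records, modelled loosely on the fields of Windows
# PowerShell Event ID 4104 (ScriptBlockText). These lines are made up for the example.
SAMPLE_EVENTS = [
    {"record_id": 1, "user": "CORP\\jdoe",
     "script": "Get-NetFirewallProfile | Format-Table Name, Enabled"},
    {"record_id": 2, "user": "CORP\\jdoe",
     "script": "Start-Process notepad.exe"},
    {"record_id": 3, "user": "CORP\\svc-backup",
     "script": "Start-Process powershell.exe -ArgumentList '-File C:\\Users\\Public\\run.ps1' -Verb RunAs"},
    {"record_id": 4, "user": "CORP\\svc-backup",
     "script": "Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False"},
    {"record_id": 5, "user": "CORP\\admin",
     "script": "Set-NetFirewallProfile -Profile Public -DefaultInboundAction Block"},
]

# Each rule: (name, compiled pattern, severity). Case-insensitive because PowerShell is.
RULES = [
    ("elevated_start_process",
     re.compile(r"Start-Process\b.*?-Verb\s+[\"']?RunAs", re.IGNORECASE), "high"),
    ("firewall_profile_disabled",
     re.compile(r"Set-NetFirewallProfile\b.*?-Enabled\s+[\"']?\$?false\b", re.IGNORECASE), "high"),
]


@dataclass(frozen=True)
class Alert:
    record_id: int
    user: str
    rule: str
    severity: str


def scan_events(events):
    """Run every rule over every script block; one Alert per (event, rule) hit."""
    return [
        Alert(ev["record_id"], ev["user"], name, severity)
        for ev in events
        for name, pattern, severity in RULES
        if pattern.search(ev["script"])
    ]


def users_with_full_chain(alerts):
    """Users who both launched an elevated process and disabled a firewall profile:
    the sequence the report describes, so worth escalating above a single hit."""
    rules_by_user = {}
    for a in alerts:
        rules_by_user.setdefault(a.user, set()).add(a.rule)
    needed = {"elevated_start_process", "firewall_profile_disabled"}
    return sorted(u for u, rules in rules_by_user.items() if needed <= rules)


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for a in found:
        print(a)
    print("escalate:", users_with_full_chain(found))
```

Record 5 changes a firewall setting but does not disable the profile, so it stays quiet; the point of the per-user correlation is that an administrator occasionally elevating is noise, while elevation followed by disabling all three profiles from the same account is the chain worth paging on. Script-block logging must be enabled for these records to exist at all, which is the first control to check.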

Multi-threaded Encryption Is Becoming the Norm

Bert’s transition from basic encryption to real-time multi-threaded file encryption sets a new baseline for modern ransomware. It significantly reduces the time available for defenders to respond, often completing encryption before monitoring tools raise alarms.

Indicators of Nation-State Inspiration

While there’s no confirmed attribution to a nation-state, the infrastructure usage, Linux ESXi targeting, and cross-platform nature all point toward influences from state-sponsored or RaaS-inspired operations, especially those known to operate out of Eastern Europe.

Linux and ESXi: A Growing Attack Surface

Bert’s Linux variant targeting ESXi hosts shows a deliberate strategy to disrupt virtualized data centers — critical in enterprise and cloud environments. This tactic mimics REvil and other APT groups that have historically exploited these systems for maximum ransom leverage.

Continuous Updates Reflect Active Development

The shift from array-based encryption to real-time queue processing suggests that Bert is actively maintained and improved, unlike one-time ransomware drops. This behavior is consistent with groups that intend to stay relevant, profitable, and elusive.
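The move from gather-then-encrypt to encrypt-as-discovered (described under "Evolution of Encryption Methods" and again in the two sections above) changes what a defender can see: the quiet path-collection phase disappears, and the only remaining signal is a burst of renames to the .encrypted_by_bert extension arriving at thread speed. As an added example (not code from the report or the Bert samples), this Python sliding-window detector runs over a constructed file-monitor feed; the paths and timings are made up, and the 60-in-0.6-seconds burst is simply a plausible shape for the 50-thread Linux variant.

```python
from collections import deque

SUSPECT_EXT = ".encrypted_by_bert"  # extension reported for the Linux variant


def make_sample_events():
    """Constructed file-monitor feed: (t_seconds, op, path). A little benign activity,
    then 60 renames to the ransomware extension inside 0.6 s (what 50 worker threads
    look like from the outside), then one isolated rename much later."""
    events = [
        (0.0, "write", "/srv/data/reports/q1.xlsx"),
        (0.5, "rename", "/srv/data/reports/q1.xlsx.bak"),
        (1.0, "write", "/srv/data/reports/q2.xlsx"),
    ]
    t0 = 10.0
    for i in range(60):
        events.append((t0 + i * 0.01, "rename", f"/vmfs/volumes/ds1/vm{i:02d}/disk.vmdk{SUSPECT_EXT}"))
    events.append((20.0, "rename", f"/home/user/notes.txt{SUSPECT_EXT}"))
    return events


def is_suspect(op, path):
    return op == "rename" and path.endswith(SUSPECT_EXT)


def count_suspect_files(events):
    return sum(1 for _, op, path in events if is_suspect(op, path))


def detect_encryption_burst(events, window=1.0, threshold=20):
    """Sliding-window burst detector. Emits one alert (window_start, hits) the first time
    `threshold` suspect renames land inside `window` seconds, then stays quiet until the
    burst subsides, so a 60-file burst yields one alert rather than forty."""
    alerts = []
    win = deque()
    alerting = False
    for t, op, path in sorted(events):
        if not is_suspect(op, path):
            continue
        win.append(t)
        while t - win[0] > window:  # drop timestamps that fell out of the window
            win.popleft()
        if len(win) >= threshold:
            if not alerting:
                alerts.append((win[0], len(win)))
                alerting = True
        else:
            alerting = False
    return alerts


if __name__ == "__main__":
    evs = make_sample_events()
    print("suspect renames:", count_suspect_files(evs))
    for start, hits in detect_encryption_burst(evs):
        print(f"burst starting t={start:.2f}s: {hits} renames to {SUSPECT_EXT} within 1 s")
```

With a 1-second window and a threshold of 20 the burst fires 0.19 s after the first rename, while the lone rename at t=20 and a slow trickle of renames never trip it. The threshold is the tuning knob: too low and a backup job that renames files in bulk pages you, too high and the encryptor finishes before the alert. Pair the rate check with the extension match so that ordinary high-rate file activity is not enough on its own.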

Ransomware is Now a Software Product

Bert is acting less like a script and more like a product — complete with version upgrades, custom configurations, and modular architecture. This shift is transforming ransomware from a brute-force attack tool to a tailored enterprise weapon, designed for efficiency and profitability.

🔍 Fact Checker Results:

✅ Bert has been confirmed by Trend Micro to be active since April 2025
✅ The group targets both Windows and Linux systems using different ransomware variants
✅ PowerShell abuse, ESXi targeting, and concurrent encryption were all verified in field samples

📊 Prediction:

Expect Bert to evolve into a ransomware-as-a-service provider, offering its modular code to affiliates for broader deployment. We’ll likely see more automation, supply chain attacks, and data exfiltration add-ons in upcoming campaigns. Its focus on cross-platform support and fast deployment suggests that Bert may soon rival groups like LockBit and BlackCat in terms of scope and sophistication. 🚨

References:

Reported By: www.infosecurity-magazine.com