BERT Ransomware Group Evolves: Now Targeting Linux with Advanced Exploits

Rise of a New Cyber Threat

A rapidly growing ransomware group known as BERT has captured the attention of cybersecurity experts with its bold shift in tactics. Originally focused on Windows systems, BERT has expanded its reach by targeting Linux environments using weaponized ELF binaries, showcasing both technical versatility and a deeper level of threat maturity. First spotted in April 2025 but active since mid-March, BERT’s activity signals the emergence of a well-organized, adaptive, and increasingly aggressive cybercrime operation. This article delves into the group’s infrastructure, attack vectors, technical indicators, and what this means for global cybersecurity.

Inside the BERT Ransomware Evolution

Aggressive Expansion into Linux

The most alarming development is BERT’s pivot to Linux targets. This isn’t just a platform change — it’s a strategic escalation. The group has begun deploying custom ELF binaries designed to compromise Linux servers, a domain historically less targeted by mainstream ransomware operations. This suggests a deeper understanding of enterprise infrastructure and a clear intent to widen the victim pool.

Stealthy Entry via Phishing

BERT’s attack vectors lean heavily on phishing campaigns, which serve as the primary entry point. Once inside, attackers tailor their payloads based on the operating system in use, whether Windows or Linux, showing a degree of sophistication that differentiates BERT from less-organized threat actors.

Dark Web Presence & Communication Style

Rather than following the conventional ransomware model of using a negotiation portal, BERT opts for privacy-centric messaging apps to handle ransom discussions. Ransoms have reportedly reached up to 1.5 BTC per incident. They also maintain two distinct dark web portals — one for internal communication and one to leak stolen data in compressed archives labeled sequentially (“part1”, “part2”, etc.). The leak and storage servers operate on Apache/2.4.52 on Ubuntu, indicating deliberate and hardened infrastructure planning.

Global Target Distribution

BERT’s victims are geographically dispersed, with the United States taking the lead, followed by the UK, Malaysia, Taiwan, Colombia, and Turkey. Sector-wise, services and manufacturing are the most impacted, though logistics, IT, and healthcare are not spared.

Sophisticated Payload Design

Upon inspection of BERT ransomware samples, analysts uncovered six PE files and two ELF binaries. Notably, only one had a realistic timestamp; the rest were artificially set to future dates, likely as a detection evasion technique. The Windows variant uses RSA encryption via WinAPI and appends extensions such as “encryptedbybert” or “encryptedbybert11” to encrypted files. Meanwhile, the Linux variant borrows heavily from the Revil ransomware, with an 80% code similarity, and employs a mix of AES, RC4 PRGA, Salsa20, and ChaCha ciphers. It even utilizes AWK commands to probe system registries — an unusual tactic in Linux ransomware.
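As an added defender-side example (not code from the article or from the group's tooling), the following Python script triages a set of files for two of the indicators described above: PE images whose COFF compile timestamp lies in the future, and files carrying the reported encryptedbybert / encryptedbybert11 extensions. The sample inputs are constructed inside the script; the one-day slack and the minimal header builder are assumptions, not values from the report.

```python
import struct
import time

# Extensions the report attributes to the Windows variant.
BERT_EXTENSIONS = ("encryptedbybert", "encryptedbybert11")

def pe_timestamp(data: bytes):
    """Return the COFF TimeDateStamp of a PE image, or None if data is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp

def is_future_dated(data: bytes, now: float, slack: int = 86400) -> bool:
    """True when the compile stamp is more than `slack` seconds ahead of `now` (assumed 1 day)."""
    stamp = pe_timestamp(data)
    return stamp is not None and stamp > now + slack

def has_bert_extension(name: str) -> bool:
    """True when the file name ends in one of the reported BERT extensions."""
    return "." in name and name.rsplit(".", 1)[-1].lower() in BERT_EXTENSIONS

def triage(files, now: float):
    """files: iterable of (name, bytes). Returns a list of (name, reason) findings."""
    findings = []
    for name, data in files:
        if has_bert_extension(name):
            findings.append((name, "bert-extension"))
        if is_future_dated(data, now):
            findings.append((name, "future-timestamp"))
    return findings

def make_fake_pe(stamp: int) -> bytes:
    """Constructed minimal DOS + PE + COFF header for testing; not a real executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, stamp, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff

if __name__ == "__main__":
    now = time.time()
    samples = [                                            # constructed inputs
        ("installer.exe", make_fake_pe(int(now) - 30 * 86400)),
        ("loader.exe", make_fake_pe(int(now) + 400 * 86400)),
        ("report.docx.encryptedbybert", b"ciphertext"),
    ]
    for finding in triage(samples, now):
        print(finding)
```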

Exploiting Windows with Precision

On Windows, BERT initiates attacks using malicious PowerShell scripts hosted on servers like `http://185.100.157.74/start.ps1`. These scripts disable Windows Defender, shut down firewalls, and turn off User Account Control before downloading the ransomware payload. The infrastructure has ties to UNITEDNET (Edinaya Set Limited), a known Russian hosting provider, a recurring theme in recent cybercrime campaigns.

Tactical Flexibility and Technical Prowess

What makes BERT truly dangerous is its dual-platform strategy: coding its own payloads for Windows while re-engineering elite-level malware for Linux. This level of technical dexterity, combined with multi-stage execution chains, positions BERT as one of the most serious ransomware threats to emerge in 2025.

What Undercode Says:

Hybrid Warfare in Cyberspace

BERT’s multi-platform deployment strategy signifies a hybrid cyberwarfare model that blends custom coding with open-source weaponization. This trend is part of a larger shift in ransomware operations, where threat actors seek maximum coverage by targeting both Windows and Linux environments within corporate networks. The goal is clear: ensure no segment of an organization is safe.

A Departure from the Ransomware Norm

BERT breaks away from the typical ransomware playbook. Rather than relying on a public-facing portal for negotiations, it uses encrypted messaging apps. This makes tracking and attribution harder for authorities and decreases the chances of ransom communications being intercepted or disrupted. It’s a bold move that aligns with the group’s evident concern for anonymity and operational security.

Linux: The New Battleground

BERT’s adoption of Linux targets, especially with advanced cryptographic techniques and reuse of Revil’s code, reflects a critical shift. Enterprises that previously focused security investments on Windows systems may now find themselves ill-equipped to handle this evolution. Linux servers often run critical backend infrastructure, making them high-value targets when compromised.

Infrastructure Insights Matter

The use of Ubuntu servers running Apache/2.4.52 as leak repositories, and hosting from a Russian provider, reveals deliberate planning. This is not a group improvising — they are executing a long-term strategy with calculated risk management. The infrastructure choices further complicate efforts to take down operations or retrieve leaked data.

Obfuscation as a Weapon

Manipulating file timestamps into the distant future and encoding sensitive data in Base64 are subtle but effective ways to dodge both signature-based detection and timeline-based forensic analysis. Such small innovations make a big difference in evading incident response efforts, particularly during the first 24-48 hours of a breach.

High Technical Agility

BERT’s combination of RSA, AES, RC4, Salsa20, and ChaCha — often seen in high-grade malware — demonstrates their encryption fluency. By swapping encryption standards across platforms, they keep researchers and defenders guessing, which adds layers of unpredictability.

Influence of Revil and Russian Cybercrime Legacy

The heavy reliance on Revil’s codebase for Linux operations isn’t just opportunistic — it’s strategic. Revil was one of the most technically advanced ransomware families in history. By inheriting its structure and modifying it, BERT fast-tracked their entry into elite ransomware circles. Their ties to Russian hosting infrastructure may also indicate cooperative alliances or code exchanges within Eastern European cybercriminal communities.

Corporate Threat Profile is Widening

BERT’s victim list across services, manufacturing, logistics, IT, and healthcare shows no niche targeting — they are opportunistic and industry-agnostic. This makes them unpredictable and harder to profile. It forces companies in all sectors to reassess their cyber risk models.

Strategic Focus on Evasion

By evading email security via phishing, bypassing antivirus using obfuscation, and hiding negotiation trails with encrypted chats, BERT demonstrates a multi-layered evasion playbook. It’s not brute force — it’s precision ransomware with evolving tactics.

🔍 Fact Checker Results:

✅ BERT is confirmed to be active since mid-March 2025
✅ Linux variant is based 80% on Revil ransomware code
✅ Communication avoids negotiation portals and uses private messaging apps

📊 Prediction:

BERT will likely become a blueprint for future ransomware groups, especially in its adoption of multi-platform payloads and stealth infrastructure. As more threat actors mimic this model, we can expect a surge in ransomware that targets both Windows and Linux simultaneously, forcing a redefinition of enterprise cybersecurity standards across industries. 🧠💻💥

References:

Reported By: cyberpress.org