Introduction: A New Breed of Ransomware Turns Speed Into a Weapon
A new ransomware strain is raising alarms across the cybersecurity world for its shocking efficiency and platform-agnostic nature. Dubbed Bert by some vendors and Water Pombero by others, this malware is engineered not with complex code, but with strategic use of multithreading and cross-platform capabilities. In an era where time equals damage, Bert exemplifies how simplicity in design can produce devastating results. Targeting both Linux and Windows environments, it has become a formidable threat to enterprises, especially in sectors like healthcare, tech, and event services.
Summary: Bert's Brutal Simplicity and Speed
Bert ransomware, first detected in April 2025, is a cross-platform threat that has been rapidly spreading across organizations in the U.S., Asia, Europe, the Middle East, and Africa. Despite having a relatively unsophisticated codebase, it poses a significant danger due to its aggressive multithreading capabilities, which allow it to encrypt large numbers of files almost simultaneously. The malware executes with brutal efficiency, making detection and response extremely difficult.
Trend Micro, which tracks the malware under the name Water Pombero, notes that the Linux version of Bert can run up to 50 threads, enabling it to encrypt data and take down virtual servers like VMware ESXi in record time. This disrupts operations and impedes recovery processes. The Windows variant uses PowerShell loaders to gain entry, escalate privileges, and disable defenses like Windows Defender, firewalls, and UAC settings.
The infection flow is streamlined: early versions of Bert scanned all drives, created ransom notes in every directory, and then encrypted files. Newer versions are even more optimized. They use ConcurrentQueue and DiskWorker techniques, starting encryption immediately upon file discovery, bypassing the older method of pre-storing paths in an array.
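The behaviour described above (a burst of writes spread across many directories, and the same note file dropped into directory after directory) is exactly what a defender can key on. The following detector is an added example written for this article, not code from Trend Micro, Dark Reading, or the malware analysis; the event format, the thresholds, and the sample events (including the note filename README_RESTORE.txt) are constructed assumptions and would need tuning against a real sensor's output.

```python
"""Detect ransomware-style file-system bursts in a constructed event stream.

Hypothetical helper, not part of the Bert/Water Pombero analysis above.
Events are (timestamp_seconds, pid, operation, path) records such as an EDR
or auditd-style sensor might emit; the sample data below is constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
import os


@dataclass(frozen=True)
class FileEvent:
    ts: float      # seconds since epoch
    pid: int
    op: str        # "write", "rename" or "create"
    path: str


# Thresholds are assumptions for the example, not values from the analysis.
WINDOW_SECONDS = 2.0
MAX_WRITES_PER_WINDOW = 40       # sustained write rate that is rarely human
MIN_DISTINCT_DIRS = 5            # breadth: many directories touched at once
NOTE_NAME_DIR_THRESHOLD = 5      # same filename created in this many dirs


def detect_bursts(events):
    """Return a dict pid -> reason for processes whose activity looks like
    parallel encryption: a high write/rename rate across many directories
    inside a sliding window, or one filename created in many directories
    (a ransom-note drop). Events must be sorted by timestamp."""
    alerts = {}
    windows = defaultdict(deque)                        # pid -> recent (ts, dir)
    note_dirs = defaultdict(lambda: defaultdict(set))   # pid -> name -> dirs
    for ev in events:
        directory = os.path.dirname(ev.path)
        if ev.op in ("write", "rename"):
            q = windows[ev.pid]
            q.append((ev.ts, directory))
            # Drop entries that have fallen out of the sliding window.
            while q and ev.ts - q[0][0] > WINDOW_SECONDS:
                q.popleft()
            dirs = {d for _, d in q}
            if len(q) >= MAX_WRITES_PER_WINDOW and len(dirs) >= MIN_DISTINCT_DIRS:
                alerts.setdefault(
                    ev.pid, f"{len(q)} writes across {len(dirs)} dirs in {WINDOW_SECONDS}s")
        elif ev.op == "create":
            name = os.path.basename(ev.path)
            seen = note_dirs[ev.pid][name]
            seen.add(directory)
            if len(seen) >= NOTE_NAME_DIR_THRESHOLD:
                alerts.setdefault(ev.pid, f"'{name}' created in {len(seen)} directories")
    return alerts


def constructed_events():
    """Constructed sample: pid 100 is a slow editor working in one directory;
    pid 200 writes 50 files across 10 directories within one second; pid 300
    drops the same (constructed) note filename into 6 directories."""
    evs = []
    for i in range(5):
        evs.append(FileEvent(1000.0 + i * 3, 100, "write", f"/home/u/docs/report{i}.txt"))
    for i in range(50):
        evs.append(FileEvent(1000.0 + i * 0.02, 200, "write", f"/srv/share/dir{i % 10}/file{i}.dat"))
    for i in range(6):
        evs.append(FileEvent(1001.0 + i * 0.01, 300, "create", f"/srv/share/dir{i}/README_RESTORE.txt"))
    return sorted(evs, key=lambda e: e.ts)


if __name__ == "__main__":
    for pid, reason in detect_bursts(constructed_events()).items():
        print(f"ALERT pid={pid}: {reason}")
```

The rate check deliberately requires both volume and breadth: a build job or a backup agent can write fast into one tree, but a process that is fast and touches many unrelated directories in the same two seconds is the pattern a multithreaded encryptor leaves, and the note-drop check catches the older "note in every directory" flow even when the per-file rate is throttled.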
Evidence suggests Russian involvement, as the command-and-control server hosting the Bert payload is located in Russia. The ransomware shares code similarities with other notorious strains like REvil, Babuk, and Conti, indicating the likelihood of code reuse or leaks.
Ultimately, Bert illustrates a growing trend: emerging threat actors don't need advanced coding skills to cause mass disruption, just speed, automation, and tactical deployment.
What Undercode Says:
The emergence of Bert is a powerful reminder that "simple" does not mean "harmless." In fact, Bert's genius lies in its simplicity. It avoids elaborate obfuscation or complex zero-day exploits, and instead focuses on maximum impact with minimal friction. This is a cybercriminal's dream tool.
What sets Bert apart from legacy ransomware is its engineering-first approach. Rather than piling on feature bloat, the malware prioritizes speed, parallelization, and cross-environment compatibility. The use of up to 50 concurrent threads on Linux and optimized queuing on Windows makes it a tactical nightmare for IT teams and defenders. It strikes fast, locks down virtualized infrastructure, and leaves little room for incident response before damage is done.
The fact that Bert targets VMware ESXi environments directly shows how ransomware has evolved. No longer satisfied with encrypting user files, modern malware aims to cripple the backbone of enterprise infrastructure. ESXi shutdown commands aren't just disruptive; they're strategically placed to cause maximum business continuity failure.
Another alarming feature is the lack of an identifiable initial access vector. This suggests that Bert might be leveraging initial access brokers (IABs) or widespread exploits via supply chain or credential theft methods, tools that are often traded in the dark web economy. And since it heavily uses PowerShell, this malware blends in with standard system admin behavior, making detection harder without robust behavioral analytics.
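One concrete form of the behavioral analytics this paragraph calls for, and a check on the Windows loader behaviour described in the summary (disabling Defender, the firewall and UAC), is to score PowerShell script-block logs per process rather than per line, so that evasion steps split across several small blocks still add up. This is an added example for this article, not code from Trend Micro or any vendor; the `HOST|PID|ScriptBlockText` record layout, the sample lines, and the regex signatures are constructed assumptions meant to be tuned against an environment's own administrative tooling.

```python
"""Score PowerShell script-block log records for defense-disabling behaviour.

Added example for the Bert/Water Pombero write-up; not vendor code. Input
records are constructed to resemble Windows Event ID 4104 ScriptBlockText
entries flattened to 'HOST|PID|ScriptBlockText'. The signatures below are
assumptions chosen for the example, not a published rule set.
"""
import re

# Categories of defensive tooling the summary says the loader switches off.
PATTERNS = {
    "defender": [
        r"Set-MpPreference\b.*-Disable\w*Monitoring",
        r"Add-MpPreference\b.*-ExclusionPath",
    ],
    "firewall": [
        r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off",
        r"Set-NetFirewallProfile\b.*-Enabled\s+False",
    ],
    "uac": [
        r"EnableLUA\b.*\b0\b",
    ],
}
COMPILED = {cat: [re.compile(p, re.IGNORECASE) for p in pats]
            for cat, pats in PATTERNS.items()}


def categorize(script_text):
    """Return the set of categories matched by one script block's text."""
    return {cat for cat, regs in COMPILED.items()
            if any(r.search(script_text) for r in regs)}


def score_by_process(lines):
    """Aggregate matched categories per (host, pid) across all blocks.

    A single category in isolation may be routine admin work (severity
    'medium'); two or more from the same process is rated 'high' because
    an operator rarely disables several protections in one sitting.
    Returns {(host, pid): (severity, categories)}.
    """
    per_proc = {}
    for line in lines:
        host, pid, text = line.split("|", 2)   # maxsplit keeps pipes in the script
        cats = categorize(text)
        if cats:
            per_proc.setdefault((host, int(pid)), set()).update(cats)
    return {key: ("high" if len(c) >= 2 else "medium", c)
            for key, c in per_proc.items()}


# Constructed sample log: two benign admin blocks, one block that disables
# Defender and the firewall together, and one process that spreads a UAC
# change and a Defender exclusion over two separate blocks.
SAMPLE_LOG = [
    "WS01|4412|Get-ChildItem C:\\Users -Recurse | Measure-Object",
    "WS01|4412|Set-MpPreference -DisableRealtimeMonitoring $true; "
    "netsh advfirewall set allprofiles state off",
    "SRV02|1280|Set-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
    "\\Policies\\System -Name EnableLUA -Value 0",
    "SRV02|1280|Add-MpPreference -ExclusionPath C:\\Windows\\Temp",
    "WS03|3301|Get-Service | Where-Object Status -eq Running",
]

if __name__ == "__main__":
    for (host, pid), (severity, cats) in score_by_process(SAMPLE_LOG).items():
        print(f"{severity.upper():6} {host} pid={pid} categories={sorted(cats)}")
```

Scoring per process is the point: each of SRV02's two blocks alone looks like something a local admin might type, but together they show one process removing two independent protections, which is the signal that separates a loader from routine maintenance. In production the same aggregation key would also carry the parent process and user, and the regexes would be replaced by the environment's own allow-listed admin scripts.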
Geopolitically, the suspected Russian origin adds another layer of complexity. With tensions high in global cyberspace, attribution, even partial, can trigger political concerns, especially if critical infrastructure is impacted. The growing trend of code reuse, evidenced by similarities to REvil, Conti, and Babuk, also indicates that leaked ransomware codebases are fueling a new generation of threat actors who don't need to build from scratch.
Finally, Bert highlights the increasing commoditization of ransomware tools. If a lightweight, multithreaded, and cross-platform ransomware can be deployed this efficiently, we are entering a phase where automation, not sophistication, becomes the key threat amplifier.
Organizations must urgently revise their threat models to account for speed-oriented ransomware, especially those operating in virtualized and hybrid cloud environments. Proactive detection mechanisms, segmentation, immutable backups, and sandbox-based behavioral monitoring are no longer optional; they're mandatory.
Fact Checker Results:
Verified: Bert uses multithreading (up to 50 threads) to rapidly encrypt files on Linux
Verified: PowerShell is confirmed as the main execution method for Windows infections
Unverified: No definitive proof yet links Bert directly to a known nation-state, despite the Russian-hosted server
Prediction:
Expect Bert, or similar multithreaded ransomware, to inspire a wave of copycat malware throughout 2025 and beyond. Given its lightweight architecture and effectiveness, cybercrime-as-a-service providers will likely offer Bert-style tools to less-skilled attackers. Also, organizations using VMware ESXi and PowerShell-dependent infrastructure will remain top targets unless they adopt stricter privilege controls and runtime threat detection.
References:
Reported By: www.darkreading.com