BERT Ransomware

Written by The Hivemind | Jul 11, 2025 6:02:09 PM

Verticals Targeted: Healthcare, Technology
Regions Targeted: Asia, Europe, United States
Related Families: REvil, Babuk

Executive Summary

Since April 2025, the BERT ransomware group has targeted organizations in healthcare, technology, and event services across Asia, Europe, and the United States, utilizing PowerShell loaders and multi-threaded encryption. 

Key Takeaways

  • BERT deploys Windows and Linux variants, with the Linux version targeting ESXi servers using 50 encryption threads.
  • A PowerShell script disables security features and delivers the ransomware payload from a Russian-registered IP.
  • Newer BERT variants employ ConcurrentQueue for faster, multi-threaded encryption compared to older iterations.
  • BERT’s Linux variant shares traits with REvil and Babuk, indicating repurposed ransomware code.

What is BERT?

In April 2025, Trend Micro identified BERT, an emerging ransomware group targeting healthcare, technology, and event services organizations across Asia, Europe, and the United States. This week, they reported on BERT’s more recently observed variants and activity. BERT’s operational simplicity belies its effectiveness, leveraging a PowerShell script to deliver its payload from a remote server at 185.100.157[.]74, associated with a Russian ASN. This loader escalates privileges, disables Windows Defender, firewalls, and User Account Control, facilitating unhindered ransomware execution on Windows systems.

BERT’s Windows variant employs straightforward code, terminating processes linked to web servers and databases before encrypting files with AES algorithms. It appends the “.encryptedbybert” extension and drops a ransom note. Older variants enumerated drives and collected file paths before encryption, while newer iterations utilize ConcurrentQueue and DiskWorker threads for immediate, multi-threaded encryption, enhancing efficiency. The Linux variant, observed in May 2025, targets ESXi servers, using 50 threads to rapidly encrypt files and appending the “.encrypted_by_bert” extension. It supports command-line parameters for targeted directories and thread counts, and forcibly terminates virtual machines to maximize disruption.
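The loader behaviour above (Defender, firewall and UAC disabled) and the two file extensions the variants append are the most useful detection hooks in this report. The following is an added example, not PolySwarm's or Trend Micro's code, that scans constructed sample event records for those hooks; the exact command lines matched by the defense-evasion rules are assumed, typical forms, not commands quoted from the report.

```python
import re

# Constructed sample events (not from the report), in a simplified
# "kind|field_a|field_b" form: for "proc" events field_a is the image and
# field_b the command line; for "rename" events they are the old and new path.
SAMPLE_EVENTS = [
    "proc|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|Set-MpPreference -DisableRealtimeMonitoring $true",
    "proc|C:\\Windows\\System32\\netsh.exe|advfirewall set allprofiles state off",
    "proc|C:\\Windows\\System32\\reg.exe|add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f",
    "proc|C:\\Windows\\System32\\notepad.exe|C:\\Users\\a\\notes.txt",
    "rename|C:\\Data\\report.docx|C:\\Data\\report.docx.encryptedbybert",
    "rename|/vmfs/volumes/ds1/vm1/vm1.vmdk|/vmfs/volumes/ds1/vm1/vm1.vmdk.encrypted_by_bert",
    "rename|C:\\Data\\draft.txt|C:\\Data\\final.txt",
]

# Extensions the report attributes to the Windows and Linux variants.
BERT_EXTENSIONS = (".encryptedbybert", ".encrypted_by_bert")

# Defense-evasion patterns for the loader behaviour described in the report.
# These command-line forms are assumptions (common ways of disabling each
# control), not strings taken from the BERT loader itself.
EVASION_PATTERNS = {
    "defender_disabled": re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true", re.I),
    "firewall_disabled": re.compile(r"advfirewall\s+set\s+allprofiles\s+state\s+off", re.I),
    "uac_disabled": re.compile(r"EnableLUA\b.*/d\s+0\b", re.I),
}

def classify_event(line):
    """Return a list of (rule, evidence) hits for one event line, or [] if benign."""
    kind, field_a, field_b = line.split("|", 2)
    hits = []
    if kind == "proc":
        for rule, pattern in EVASION_PATTERNS.items():
            if pattern.search(field_b):
                hits.append((rule, field_a))
    elif kind == "rename":
        if field_b.lower().endswith(BERT_EXTENSIONS):
            hits.append(("bert_extension", field_b))
    return hits

def scan(events):
    """Count hits per rule and rate severity for one host's event stream."""
    counts = {}
    for line in events:
        for rule, _ in classify_event(line):
            counts[rule] = counts.get(rule, 0) + 1
    evasion_seen = any(rule in counts for rule in EVASION_PATTERNS)
    # Evasion steps followed by renames to a BERT extension on the same host is
    # the high-confidence signal; either family of hits alone is a lower-severity alert.
    if evasion_seen and "bert_extension" in counts:
        severity = "high"
    else:
        severity = "medium" if counts else "none"
    return {"counts": counts, "severity": severity}
```

On the constructed events, `scan(SAMPLE_EVENTS)` reports all three evasion rules once each, two BERT-extension renames, and severity "high".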

The ransomware’s configuration, embedded in JSON, includes public keys and ransom note details, a hallmark of modern ransomware adaptability. Trend Micro notes similarities between BERT’s Linux variant and REvil’s ESXi-targeting code from 2021, with additional overlap from Babuk’s leaked source. This suggests BERT’s developers are repurposing established ransomware frameworks, refining them for broader impact. The group’s phishing-driven initial access, though not fully detailed, likely exploits social engineering to deploy malicious attachments.

Victims face significant operational and financial risks, with healthcare and technology sectors particularly vulnerable due to their reliance on digital infrastructure. BERT’s rapid evolution and code reuse underscore the persistent threat of ransomware groups leveraging simple yet effective tactics. PolySwarm analysts consider BERT to be an emerging and evolving threat. 

IOCs

PolySwarm has multiple samples associated with this activity.

You can use the following CLI command to search for all BERT samples in our portal:

$ polyswarm link list -f BERT
