BERT Ransomware Group Targets Asia and Europe on Multiple Platforms
Essential information
- Published
- 07/07/2025 11:58
- Modified
- 13/07/2025 09:39
- Tags
- 2025-07-07 asia bert encryption esxi europe linux powershell ransomware windows
- Related entities
- 9 observables, 1 intrusion sets (apt), 9 techniques (mitre), 1 malware, 2 others
Description
A newly emerged ransomware group called BERT has been targeting organizations across Asia and Europe since April. The group employs simple code with effective execution, impacting sectors such as healthcare, technology, and event services. BERT's ransomware operates on both Windows and Linux platforms, using PowerShell-based loaders, privilege escalation, and concurrent file encryption. On Linux systems, it can support up to 50 threads for fast encryption and forcibly shut down ESXi virtual machines. The group's tactics include disabling security features, terminating specific processes, and using standard encryption algorithms. BERT's variants have evolved, streamlining their encryption process and expanding their targeting activities. The Linux variant shows similarities to the REvil ransomware, suggesting possible code reuse.