BERT RANSOMWARE - THE RAVEN FILE
Essential information
- Published
- 20/06/2025 19:25
- Modified
- 23/06/2025 23:21
- Tags
- 2025-06-20 bert ransomware dark web encryption linux phishing powershell ransomware revil sodinokibi windows
- Related entities
- 11 observables, 1 intrusion sets (apt), 8 others
Description
BERT Ransomware, active since March 2025, has expanded its operations to target both Windows and Linux environments. The group uses phishing for initial access and communicates via the dark web and Sessions for negotiations. Victims span multiple countries, primarily affecting service and manufacturing sectors. The Windows variant employs multiple file extensions and RSA encryption, while the Linux version shares code with Sodinokibi/REvil ransomware. A weaponized PowerShell script is used to disable security features before payload execution. The ransomware's infrastructure is linked to a Russian firm, suggesting potential ties to the region.