{
  "name": "BERT RANSOMWARE - THE RAVEN FILE",
  "slug": "bert-ransomware-the-raven-file",
  "description": "BERT Ransomware, active since March 2025, has expanded its operations to target both Windows and Linux environments. The group uses phishing for initial access and conducts its negotiations over the dark web and Sessions. Victims span multiple countries, primarily in the service and manufacturing sectors. The Windows variant employs multiple file extensions and RSA encryption, while the Linux version shares code with Sodinokibi/REvil ransomware. A weaponized PowerShell script is used to disable security features before payload execution. The ransomware's infrastructure is linked to a Russian firm, suggesting potential ties to the region.",
  "published": "2025-06-20T17:25:58+00:00",
  "created_at": "2025-06-20T17:25:58+00:00",
  "modified_at": "2025-06-23T21:21:00+00:00",
  "created_at_opencti": "2025-06-20T17:25:58+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-06-20",
    "bert ransomware",
    "dark web",
    "encryption",
    "linux",
    "phishing",
    "powershell",
    "ransomware",
    "revil",
    "sodinokibi",
    "windows"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "wtwdv3ss4d637dka7iafl7737ucykei7pluzc7is3mgo2vl5nmq7eeid.onion"
      },
      {
        "id": "",
        "name": "bertblogsoqmm4ow7nqyh5ik7etsmefdbf25stauecytvwy7tkgizhad.onion"
      },
      {
        "id": "",
        "name": "f2dc218ea8e2caa8668e54bae6561afd9fbf035a40b80ce9e847664ff0809799"
      },
      {
        "id": "",
        "name": "ced4ed5e5ef7505dd008ed7dd28b8aff38df7febe073d990d6d74837408ea4be"
      },
      {
        "id": "",
        "name": "c7efe9b84b8f48b71248d40143e759e6fc9c6b7177224eb69e0816cc2db393db"
      },
      {
        "id": "",
        "name": "b2f601ca68551c0669631fd5427e6992926ce164f8b3a25ae969c7f6c6ce8e4f"
      },
      {
        "id": "",
        "name": "8478d5f5a33850457abc89a99718fc871b80a8fb0f5b509ac1102f441189a311"
      },
      {
        "id": "",
        "name": "78eb838238dad971dcbc46b86491d95e297f3d47dc770de5c43af3163990d31c"
      },
      {
        "id": "",
        "name": "5bba035c4cb3c2e09a355d9356b3397184af4bf1ac1ff1df99ae9c15edee9f2b"
      },
      {
        "id": "",
        "name": "6182df9c60f9069094fb353c4b3294d13130a71f3e677566267d4419f281ef02"
      },
      {
        "id": "",
        "name": "25c693808095f45d297171eba5196e9a5176281a2d248cb1a8cfa07a68bbe332"
      }
    ],
    "intrusion_sets": [
      {
        "id": "3ce6d352-f862-45c7-af11-4f051e5a7e9a",
        "name": "BERT Ransomware",
        "slug": "bert-ransomware"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Colombia"
      },
      {
        "id": "",
        "name": "Taiwan"
      },
      {
        "id": "",
        "name": "Malaysia"
      },
      {
        "id": "",
        "name": "United Kingdom of Great Britain and Northern Ireland"
      },
      {
        "id": "",
        "name": "United States of America"
      },
      {
        "id": "",
        "name": "Service"
      },
      {
        "id": "",
        "name": "Logistics"
      },
      {
        "id": "",
        "name": "Manufacturing"
      }
    ]
  },
  "external_refs": [
    "https://theravenfile.com/2025/06/16/bert-ransomware",
    "https://otx.alienvault.com/pulse/6855b5c6da6f1326c8888a58"
  ]
}