{
	"id": "ee571b13-7c8b-4491-9caf-6d362f2ffbf0",
	"created_at": "2026-04-06T00:18:09.964724Z",
	"updated_at": "2026-04-10T13:12:18.333534Z",
	"deleted_at": null,
	"sha1_hash": "9666493b33140a2618b75860da3f6c9dab952fe3",
	"title": "Bert Ransomware – Malware Trends Tracker by ANY.RUN",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 74919,
	"plain_text": "Bert Ransomware – Malware Trends Tracker by ANY.RUN\r\nBy Stanislav Gayvoronsky\r\nArchived: 2026-04-05 20:54:47 UTC\r\nBert Ransomware: The Silent Storm Sweeping Critical Sectors\r\nKey Takeaways\r\nBert is a fast-evolving ransomware family that encrypts files and demands cryptocurrency payments.\r\nHigh-value targets include SMBs, healthcare, financial institutions, and government agencies.\r\nOnce inside, Bert can encrypt data, disable backups, kill security tools, and spread laterally across\r\nnetworks.\r\nObserve Bert’s kill chain, network connections, and processes in ANY.RUN’s Interactive Sandbox:\r\nBert Ransomware Windows variant detonated in the Interactive Sandbox\r\nDouble extortion tactics – data theft plus encryption – raise both financial and reputational risks.\r\nBert infections usually start with phishing, weak RDP credentials, or unpatched vulnerabilities.\r\nDetection relies on behavioral monitoring, IOCs, and real-time threat intelligence to flag suspicious\r\nactivity early.\r\nUse ANY.RUN’s Threat Intelligence Lookup to gather and explore Bert’s IOCs and TTPs:\r\nthreatName:\"bert\"\r\nBert samples found via TI Lookup: watch behavior, gather indicators\r\nPrevention requires MFA, patching, backups, phishing awareness training, and threat intelligence-driven\r\ndefenses.\r\nWhat is Bert Ransomware?\r\nBert ransomware distinguishes itself through its multi-platform capabilities and streamlined attack execution.\r\nBert has been observed targeting organizations since April 2025, with confirmed victims in sectors including\r\nhealthcare, technology, and event services. The ransomware group operates with a sophisticated approach that\r\nbelies its relatively simple code structure, demonstrating how modern cybercriminals can achieve maximum\r\nimpact with efficient tools.\r\nAn analysis of a Windows infection found that the variant used a straightforward code structure, with\r\nspecific strings used to match and terminate certain processes. Files were encrypted using the standard AES algorithm.\r\nhttps://any.run/malware-trends/bert/\r\nPage 1 of 6\n\nThe public key, file extension, and ransom note were easily accessible. This approach allows for rapid deployment\r\nwhile maintaining strong encryption that makes data recovery without payment extremely difficult.\r\nThe ransomware is cross-platform, with Windows variants using PowerShell loaders for initial execution and\r\nLinux variants optimized for server environments such as VMware ESXi. Bert's operations blend conventional file\r\nencryption with impact-oriented tactics such as multi-threaded processing for speed and targeted shutdowns\r\nof virtual machines.\r\nBy July 2025, multiple iterations had been observed, including updates to encryption libraries and command-line\r\nflags, highlighting the group's adaptability. Unlike more sophisticated actors, Bert prioritizes speed over stealth —\r\nencrypting files as they are discovered rather than pre-scanning — making it a growing concern for hybrid IT\r\nenvironments.\r\nBert has a modular structure: it can integrate with other malware loaders and is often distributed through phishing\r\nemails, malicious attachments, and compromised remote desktop protocol (RDP) access. 
This adaptability makes\r\nit dangerous for businesses across different sectors.\r\nObserved infection vectors include:\r\nMalicious email attachments and links.\r\nExploited RDP services.\r\nUnpatched software vulnerabilities.\r\nTrojanized software installers.\r\nLateral movement across corporate networks after initial compromise.\r\nBert Ransomware Victimology\r\nThe group's victim selection appears strategic, focusing on organizations that are likely to pay ransoms quickly\r\ndue to the critical nature of their operations.\r\nPrimary target sectors include:\r\nHealthcare organizations, where downtime can directly impact patient care and lives.\r\nTechnology companies, which often possess valuable intellectual property and customer data.\r\nEvent services, where timing is crucial and disruption can cause significant financial losses.\r\nManufacturing facilities, where operational disruption can halt production lines.\r\nGeographically, Bert ransomware has demonstrated global reach with confirmed attacks across Asia, Europe, and\r\nthe United States. The group shows no preference for organization size, targeting both large enterprises and\r\nsmaller businesses that may have fewer cybersecurity resources to defend against such attacks.\r\nHow Bert Malware Functions\r\nBert ransomware operates through a multi-stage attack process that maximizes speed while\r\nminimizing detection opportunities. The group's tactics include PowerShell-based loaders, privilege escalation,\r\nand concurrent file encryption, allowing streamlined attack execution and evasion despite the\r\nrelatively simple underlying code.\r\nThe ransomware's operational process follows these key stages:\r\nInitial Deployment: Bert typically begins with PowerShell-based loaders that are designed to evade initial\r\nsecurity screenings. These loaders are responsible for establishing the initial foothold and preparing the\r\nsystem for the main ransomware payload.\r\nPrivilege Escalation: Once active, Bert escalates privileges to gain administrative access to\r\nthe target system. This step is what lets the ransomware disable security controls and reach\r\nprotected files and systems.\r\nDefense Evasion: The ransomware specifically targets and disables security software, including Windows\r\nDefender, firewall services, and other protective mechanisms, so that\r\nencryption can proceed without interference.\r\nEncryption Process: Bert uses standard AES encryption to systematically encrypt files across the infected\r\nsystem. The process is designed to be both thorough and fast, using multiple threads to accelerate\r\nencryption and shorten the window in which defenders can react.\r\nCommunication: The loader downloads the main ransomware payload from a remote IP address associated\r\nwith ASN 39134 and executes it. That infrastructure is the natural place to look for any command-and-control\r\ntraffic, but the download alone does not show that a channel stays open during encryption.\r\nRansom Delivery: Following successful encryption, Bert drops ransom notes that provide instructions\r\nfor payment and recovery. The notes use plain, easily accessible formats,\r\nensuring victims can understand the demands and payment process.\r\nBert Ransomware Attack Example and Technical Analysis\r\nANY.RUN’s Interactive Sandbox lets analysts detonate both Windows and Linux Bert variants and contains a number\r\nof samples targeting both systems, analyzed by the Sandbox community of over 15K SOC teams.\r\nBert runs in 64-bit Windows 10/11 environments and server versions. 
It locates and terminates database,\r\nweb server, and virtualization processes (e.g., MSSQL, Apache, VMware) so that their files can be encrypted and\r\nrecovery is harder.\r\nThe Linux variant, discovered in May 2025, supports up to 50 parallel encryption threads and accepts the\r\ncommand-line parameters --path, --threads, and --silent. In default mode, the malware enumerates running\r\nvirtual machines on ESXi hosts with \"esxcli vm process list\" and terminates them, preventing\r\nadministrators from creating snapshots or migrating workloads before encryption begins. After encryption,\r\nfiles receive the extension .encrypted_by_bert, and the note encrypted_by_bert-decrypt.txt shows the number of\r\nencrypted files.\r\nWindows Analysis\r\nView Windows variant sandbox detonation\r\nBert Windows variant in the Interactive Sandbox\r\nAfter launching the sample, the ransomware spawns cmd.exe and PowerShell child processes. Through the\r\ncommand line, it gathers system information (systeminfo, wmic), reads the machine GUID and OS installation date\r\nfrom the registry, and executes whoami and net config workstation.\r\nPowerShell commands then disable Windows Defender protection and the firewall and add the ransomware to\r\nthe startup folder.\r\n
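A behavioral triage of the tampering, VM-shutdown, and file-rename activity described above, written for this page as an added example (it is not code from ANY.RUN and not code from Bert): it scores constructed endpoint telemetry against token rules and tags each host with ATT&CK technique IDs. The pipe-separated record format, the host names, and every command line and path in SAMPLE_LOG are constructed assumptions; the rules generalize beyond the commands quoted in the analysis (they also cover the UAC, service-stop, and scheduled-task steps the page goes on to describe), and the extension list merges every Bert extension the page names.

```python
from collections import defaultdict

# Real ATT&CK technique IDs used as tags; mapping command-line tokens to them
# is this example's own heuristic, not anything taken from the Bert samples.
TECHNIQUES = {
    'T1082': 'System Information Discovery',
    'T1057': 'Process Discovery',
    'T1562.001': 'Impair Defenses: Disable or Modify Tools',
    'T1562.004': 'Impair Defenses: Disable or Modify System Firewall',
    'T1548.002': 'Abuse Elevation Control Mechanism: Bypass User Account Control',
    'T1548.003': 'Abuse Elevation Control Mechanism: Sudo and Sudo Caching',
    'T1053.005': 'Scheduled Task/Job: Scheduled Task',
    'T1564.001': 'Hide Artifacts: Hidden Files and Directories',
    'T1489': 'Service Stop',
    'T1486': 'Data Encrypted for Impact',
}

# Every token of a rule must occur (case-insensitively) in the command line.
PROCESS_RULES = [
    ('T1082', ('systeminfo',)),
    ('T1082', ('uname -a',)),
    ('T1562.001', ('set-mppreference', 'disablerealtimemonitoring')),
    ('T1562.001', ('stop', 'windefend')),
    ('T1562.001', ('stop', ' sense')),          # leading space: do not match 'license'
    ('T1562.004', ('advfirewall', 'state off')),
    ('T1548.002', ('enablelua', '/d 0')),
    ('T1053.005', ('schtasks', '/create')),
    ('T1564.001', ('attrib', '+h')),
    ('T1548.003', ('sudo chown', 'chmod +x', 'sudo -i')),
    ('T1057', ('esxcli vm process list',)),
    ('T1489', ('esxcli vm process kill',)),
]

# Extensions named in the Windows and Linux analyses plus the ransom-note
# suffix; note.txt is deliberately not matched, the name is too generic.
BERT_EXTENSIONS = ('.encrypted_by_bert', '.encryptedbybert', '.encryptedbybert3',
                   '.encryptedbybert11', '.encrypted_bert', '.hellofrombert', '.bert11')
DISCOVERY_ONLY = {'T1082', 'T1057'}

# Constructed telemetry (assumed format): timestamp|host|os|event|detail, where
# event is 'proc' (detail = command line) or 'file' (detail = path after rename).
SAMPLE_LOG = '''
2025-07-01T10:00:01Z|WS01|windows|proc|cmd.exe /c systeminfo
2025-07-01T10:00:02Z|WS01|windows|proc|powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true
2025-07-01T10:00:03Z|WS01|windows|proc|sc.exe stop WinDefend
2025-07-01T10:00:04Z|WS01|windows|proc|netsh.exe advfirewall set allprofiles state off
2025-07-01T10:00:05Z|WS01|windows|proc|reg.exe add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f
2025-07-01T10:00:06Z|WS01|windows|proc|schtasks.exe /create /sc onlogon /tn Updater /tr C:\\ProgramData\\upd\\loader.exe
2025-07-01T10:00:07Z|WS01|windows|proc|attrib.exe +h +s C:\\ProgramData\\upd
2025-07-01T10:00:30Z|WS01|windows|file|C:\\Users\\alice\\Documents\\budget.xlsx.encryptedbybert
2025-07-01T10:00:31Z|WS01|windows|file|C:\\Users\\alice\\Documents\\note.txt
2025-07-01T10:05:00Z|ESX01|linux|proc|/bin/sh -c uname -a && echo \" | \" && hostname
2025-07-01T10:05:01Z|ESX01|linux|proc|/bin/sh -c sudo chown user /tmp/b && chmod +x /tmp/b && DISPLAY=:0 sudo -i /tmp/b
2025-07-01T10:05:02Z|ESX01|linux|proc|esxcli vm process list
2025-07-01T10:05:03Z|ESX01|linux|proc|esxcli vm process kill --type=force --world-id=2101111
2025-07-01T10:05:40Z|ESX01|linux|file|/vmfs/volumes/ds1/srv01/srv01-flat.vmdk.encrypted_by_bert
2025-07-01T10:05:41Z|ESX01|linux|file|/vmfs/volumes/ds1/srv01/encrypted_by_bert-decrypt.txt
2025-07-01T10:10:00Z|ADMIN01|windows|proc|powershell.exe Get-MpComputerStatus
'''

def parse_record(line):
    # maxsplit=4 keeps a '|' inside the command line (the echo of ' | ' in the
    # discovery chain) as part of the detail field instead of breaking the record
    parts = line.strip().split('|', 4)
    if len(parts) != 5:
        return None
    return dict(zip(('ts', 'host', 'os', 'event', 'detail'), parts))

def classify_process(cmdline):
    cmd = cmdline.lower()
    return {tid for tid, tokens in PROCESS_RULES if all(t in cmd for t in tokens)}

def classify_file(path):
    name = path.replace('\\', '/').rsplit('/', 1)[-1].lower()
    if name.endswith(BERT_EXTENSIONS):
        return {'T1486'}
    if name.endswith('-decrypt.txt') and 'bert' in name:
        return {'T1486'}
    return set()

def triage(log_text, threshold=3):
    # One set of distinct techniques per host; discovery alone never raises a verdict.
    per_host = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if rec['event'] == 'proc':
            per_host[rec['host']] |= classify_process(rec['detail'])
        elif rec['event'] == 'file':
            per_host[rec['host']] |= classify_file(rec['detail'])
    verdicts = {}
    for host, tags in per_host.items():
        if 'T1486' in tags:
            verdict = 'ransomware-likely'
        elif len(tags - DISCOVERY_ONLY) >= threshold:
            verdict = 'tampering-suspected'
        elif tags:
            verdict = 'review'
        else:
            verdict = 'benign'
        verdicts[host] = {'verdict': verdict, 'techniques': sorted(tags)}
    return verdicts

if __name__ == '__main__':
    for host, info in triage(SAMPLE_LOG).items():
        names = ', '.join(TECHNIQUES[t] for t in info['techniques'])
        print(host, info['verdict'], '->', names or 'nothing matched')
```

Run it as a script to print one verdict per host, or import it and call triage on your own records. The threshold and the verdict ladder are example choices; the design point is that the Windows loader stacks several individually unremarkable administrative commands (Defender off, firewall off, UAC lowered, a scheduled task, a hidden directory), and counting distinct tampering techniques per host fires on that stack before the first rename, whereas the file rule only fires once encryption has already started.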
Bert also uses reg.exe, rundll32.exe, schtasks.exe, and attrib.exe: the first two\r\nmodify the registry and UAC settings, schtasks creates a scheduled task, and attrib hides the payload directory.\r\nBert then renames user files, appending one of several extensions (*.encryptedbybert,\r\n*.encryptedbybert3, *.encryptedbybert11, *.encrypted_bert, *.hellofrombert), and creates the ransom note note.txt.\r\nLinux Analysis\r\nView Linux variant sandbox detonation\r\nBert Linux variant in the Interactive Sandbox\r\nThe ransomware executable is launched through the /bin/sh shell. First, it uses a chain of commands to obtain the\r\nnecessary privileges and launch itself:\r\n/bin/sh -c \"sudo chown user ... \u0026\u0026 chmod +x ... \u0026\u0026 DISPLAY=:0 sudo -i ...\" - a sequential call of sudo\r\nchown to hand file ownership to a regular user, chmod +x to grant execution rights, and then sudo -i to run the\r\nsame file as root.\r\nThe separate sudo chown user and chmod +x calls are attempts to make the binary look like an ordinary user-owned\r\nfile and to activate it.\r\nAfter initiation, Bert gathers system information through standard utilities: uname -a and hostname are called\r\nthrough the chain sh -c \"uname -a \u0026\u0026 echo \" | \" \u0026\u0026 hostname\" to get the kernel, architecture, and hostname.\r\nOn ESXi hosts the same shell-driven approach lists the World IDs of running virtual machines and shuts them down, as\r\ndescribed above.\r\nDuring encryption, it appends one of the extension variants, in this case *.bert11, and drops the ransom note\r\nbert11-decrypt.txt; it also prints a banner with the number of encrypted files to the console. Notes were dropped\r\neven in ~/.config/systemd/ and ~/.config/systemd/user, showing that the program leaves a ransom note in every folder it touches.\r\nBert ransom note on a Linux endpoint\r\nBert Execution Process in General\r\nAfter launch, Bert analyzes the platform. 
On Linux servers, especially ESXi hosts, it can identify\r\nrunning virtual machines and, if the --silent parameter is not set, forcibly shuts them down to prevent\r\nadministrators from creating backups and quickly restoring the system.\r\nOn Windows, the loader script checks for administrative rights and restarts itself with elevated privileges, then\r\ncopies the payload to disk and registers it for startup through the task scheduler.\r\nFor unimpeded execution of malicious actions, the Windows variant of Bert modifies the registry to disable\r\nWindows Defender and its real-time protection, stops the WinDefend and Sense services, deactivates the firewall, and\r\nsets the UAC level to zero. Then it downloads the main ransomware program from a remote IP address and runs it\r\nas administrator.\r\nThe Linux version embeds its configuration in a JSON file and accepts command-line parameters to specify the target\r\ndirectory and number of encryption threads, providing flexibility and high performance (up to 50 threads).\r\nBefore encryption, Bert terminates processes that could interfere with the attack: on Windows, database and\r\nvirtualization services; on Linux, running ESXi virtual machines. Then parallel encryption begins: on Windows,\r\nmodern versions use a ConcurrentQueue and create a separate thread for each volume to process files immediately,\r\nwhile on Linux/ESXi up to 50 threads are used. For encryption, RSA and AES are used on Windows,\r\nand a combination of AES, RC4, Salsa20, and ChaCha on Linux.\r\nA ransom note is placed in each folder, and encrypted file names receive characteristic extensions like\r\n.encryptedbybert or .encrypted_by_bert, accompanied by data exfiltration to remote servers for double extortion.\r\nGathering Threat Intelligence on Bert Ransomware\r\nThreat intelligence plays a crucial role in defending against Bert Ransomware. It provides visibility into the\r\ntactics, techniques, and procedures (TTPs) of Bert’s operators. Security teams can:\r\nDetect new campaigns earlier through shared IOCs.\r\nUnderstand attacker infrastructure and preemptively block it.\r\nPrioritize patching based on known vulnerabilities exploited by Bert.\r\nEnrich SIEM/EDR alerts for faster triage.\r\nStart by querying Threat Intelligence Lookup with the threat name. To select only Bert samples detonated on Windows or\r\non Linux, add an os: parameter to the search; the query below restricts results to the Linux (Ubuntu 22.04.2) sandbox:\r\nthreatName:\"bert\" and os:\"22.04.2\"\r\nBert samples found via TI Lookup: watch behavior, gather indicators\r\nIntegrate ANY.RUN’s threat intelligence solutions in your company\r\nConclusion\r\nThe key to defending against Bert ransomware lies in understanding that this is not merely a technical problem\r\nrequiring technical solutions, but a comprehensive risk management challenge that affects every aspect of\r\norganizational operations. The ransomware's impact extends far beyond encrypted files to encompass business\r\ncontinuity, financial stability, regulatory compliance, and organizational reputation. Organizations must adopt a\r\nholistic defense approach that combines technical security controls, employee training, incident response\r\nplanning, and threat intelligence integration.\r\nThe multi-platform nature of Bert ransomware means that defensive strategies must account for both Windows\r\nand Linux environments, while the group's attack methods require advanced detection and response\r\ncapabilities.\r\nStart gathering actionable threat intelligence on Bert by signing up for ANY.RUN’s TI Lookup: protect your business\r\nwith timely detection and response.\r\nSource: https://any.run/malware-trends/bert/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://any.run/malware-trends/bert/"
	],
	"report_names": [
		"bert"
	],
	"threat_actors": [],
	"ts_created_at": 1775434689,
	"ts_updated_at": 1775826738,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9666493b33140a2618b75860da3f6c9dab952fe3.pdf",
		"text": "https://archive.orkl.eu/9666493b33140a2618b75860da3f6c9dab952fe3.txt",
		"img": "https://archive.orkl.eu/9666493b33140a2618b75860da3f6c9dab952fe3.jpg"
	}
}