GBHackers

BERT Ransomware Can Force Shutdown of ESXi Virtual Machines to Hinder Recovery


A newly identified ransomware group, BERT, tracked by Trend Micro as Water Pombero, has emerged as a significant threat to organizations across Asia, Europe, and the US.

First observed in April, BERT targets critical sectors such as healthcare, technology, and event services, employing a dual-platform approach to infect both Windows and Linux systems.

Threat Targeting Windows and Linux Systems

This ransomware group’s ability to disrupt operations and evade defenses, despite relying on a relatively simple codebase, underscores the evolving nature of cyber threats.

BERT’s sophisticated tactics, including PowerShell-based loaders and concurrent file encryption, enable streamlined attack execution, while its Linux variant introduces a particularly destructive feature: the forced shutdown of ESXi virtual machines to maximize impact and complicate recovery efforts.

On Windows systems, BERT leverages PowerShell scripts like “start.ps1” to escalate privileges, disable Windows Defender, firewalls, and User Account Control (UAC), before downloading its payload from a remote server at IP address 185[.]100[.]157[.]74, linked to a Russian ASN.

BERT ransom note

This loader executes the ransomware with administrator rights, ensuring deep system access.

BERT terminates critical processes tied to web servers and databases, encrypts files using the AES algorithm, and appends extensions like “.encryptedbybert”.

Rapid Encryption Across Platforms

Its newer variants show enhanced multi-threaded encryption by utilizing ConcurrentQueue and DiskWorker for immediate file encryption upon discovery, a significant improvement over older versions that delayed encryption until file paths were collected.

On Linux, particularly ESXi environments, BERT ramps up its destructive potential with support for up to 50 threads for rapid encryption.

It can forcibly terminate virtual machine processes using commands like “esxcli vm process kill”, encrypting snapshots and appending the “.encrypted_by_bert” extension, while dropping ransom notes.

Files with the “.encryptedbybert” extension

This deliberate targeting of virtualization infrastructure aims to cripple recovery, as encrypted VMs and snapshots become inaccessible, posing a severe challenge to system administrators.
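As an added defender-side example (not code from the article or from Trend Micro), the following Python detector scans ESXi shell-history lines for bursts of “esxcli vm process kill” commands, the mass VM shutdown behaviour described above. The log lines, session ids and user names are a constructed approximation of ESXi's shell.log format, not data from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed lines in the style of ESXi /var/log/shell.log (written for this example,
# not taken from the report). Session 2001 shows a burst of forced VM kills like the
# behaviour described above; session 2044 is a single routine kill by an administrator.
SAMPLE_SHELL_LOG = """\
2025-04-12T03:14:02Z shell[2001]: [root]: esxcli vm process list
2025-04-12T03:14:05Z shell[2001]: [root]: esxcli vm process kill --type=force --world-id=2101
2025-04-12T03:14:06Z shell[2001]: [root]: esxcli vm process kill --type=force --world-id=2102
2025-04-12T03:14:07Z shell[2001]: [root]: esxcli vm process kill --type=force --world-id=2103
2025-04-12T03:14:20Z shell[2001]: [root]: ls /vmfs/volumes/datastore1/
2025-04-12T09:30:00Z shell[2044]: [admin]: esxcli vm process kill --type=soft --world-id=2200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")
KILL_RE = re.compile(r"\besxcli\s+vm\s+process\s+kill\b")


def parse_line(line):
    """Return (timestamp, shell pid, user, command) or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["pid"], m["user"], m["cmd"]


def detect_vm_kill_bursts(log_text, threshold=3, window=timedelta(seconds=60)):
    """Flag shell sessions issuing `threshold` or more VM kills within `window`.
    One kill is routine; a rapid burst (often --type=force) matches the mass VM
    shutdown described above. Returns one alert dict per flagged session."""
    kills = defaultdict(list)  # (pid, user) -> [(timestamp, forced?)], in log order
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and KILL_RE.search(parsed[3]):
            ts, pid, user, cmd = parsed
            kills[(pid, user)].append((ts, "--type=force" in cmd))

    alerts = []
    for (pid, user), events in kills.items():
        events.sort()
        # Slide a window of `threshold` consecutive kills; alert if it fits in `window`.
        for i in range(len(events) - threshold + 1):
            if events[i + threshold - 1][0] - events[i][0] <= window:
                alerts.append({"session": pid, "user": user, "kills": len(events),
                               "forced": any(f for _, f in events),
                               "first_kill": events[i][0].isoformat()})
                break
    return alerts
```

Pair this with an alert on new files carrying the “.encrypted_by_bert” extension on the datastore, since the kills in the report are immediately followed by snapshot encryption.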

According to the report, Trend Micro’s telemetry shows BERT evolving: its code shares similarities with past ransomware such as REvil’s Linux variant, which suggests the reuse of leaked or repurposed codebases and highlights how emerging groups can weaponize existing tools to devastating effect.

Trend Vision One offers robust detection and blocking of BERT’s indicators of compromise (IOCs), alongside hunting queries and threat intelligence to help organizations stay ahead of this threat.

Indicators of Compromise (IoC)

SHA256 | Detection | Description
1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326 | PUA.Win32.DefenderControl.B | Tool used to disable antivirus protection
70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4 | PUA.Win64.ProcHack.B | Process Hacker binary for process manipulation
75fa5b506d095015046248cf6d2ec1c48111931b4584a040ceca57447e9b9d71 | Ransom.MSIL.TREB.YPFDUT | BERT ransomware (Windows binary, new variant)
8478d5f5a33850457abc89a99718fc871b80a8fb0f5b509ac1102f441189a311 | Ransom.MSIL.TREB.SMYPFDUT | BERT ransomware (Windows binary)
b2f601ca68551c0669631fd5427e6992926ce164f8b3a25ae969c7f6c6ce8e4f | Trojan.PS1.POWLOAD.THEBIBE | PowerShell script for BERT ransomware
bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4 | PUA.Win64.ProcHack.YACIU | Alternate Process Hacker binary variant
c7efe9b84b8f48b71248d40143e759e6fc9c6b7177224eb69e0816cc2db393db | Ransom.Linux.TREB.THDBEBE | BERT ransomware (Linux variant)
hxxp://185[.]100[.]157[.]74/payload[.]exe | | Download link
