Researchers say the BERT ransomware group has rapidly expanded its operations across Asia and Europe, with additional activity observed in the United States. BERT’s cross-platform ransomware campaigns have targeted a diverse range of sectors, including healthcare, manufacturing, technology, event services, and maritime transportation.
Cross-Platform Capabilities and Attack Methods
BERT distinguishes itself through its ability to target both Windows and Linux environments. The group has developed ransomware variants specifically tailored for each platform, allowing it to compromise a wide spectrum of organizational infrastructures. Despite the simplicity of its codebase, BERT’s ransomware is highly effective. It employs concurrent file encryption and privilege escalation techniques to maximize operational disruption.
A hallmark of BERT’s campaigns is its use of double extortion tactics. Not only does the group encrypt victims’ files, but it also exfiltrates sensitive data, threatening to publish it if ransom demands are not met. On Linux systems, BERT’s ransomware can leverage up to 50 concurrent threads for rapid file encryption and is capable of forcibly shutting down ESXi virtual machines, further amplifying business disruption.
Notable Incidents and Geographic Reach
BERT’s victims span several countries and industries. Reported incidents include attacks on a Taiwanese semiconductor equipment manufacturer, a Turkish hospital, a Malaysian construction firm, and a UK-based global maritime agency. In the United States, the group has targeted technology and service companies, underscoring its broad geographic and sectoral reach.
| Region | Sectors Targeted | Notable Incidents |
|---|---|---|
| Asia | Manufacturing, Healthcare, Construction | Taiwanese semiconductor firm, Malaysian construction |
| Europe | Maritime, Event Services, Technology | UK-based S5 Agency World, Turkish hospital |
| United States | Technology, Service | American electronics firm |
Technical Evolution and Tactics
BERT’s technical capabilities have evolved rapidly. In May 2025, the group released a Linux variant of its ransomware, which shares up to 80% code similarity with the notorious REvil ransomware. This suggests that BERT is actively adapting and refining its malware arsenal.
The group typically gains initial access through phishing campaigns, often deploying PowerShell-based loaders on Windows systems. These loaders disable security defenses such as Windows Defender and firewalls before downloading the ransomware payload from infrastructure believed to be Russian-controlled. Once deployed, the ransomware appends the extension .encryptedbybert to encrypted files and leaves a ransom note (.note.txt) in affected directories. Victims are instructed to communicate with the attackers via the Session messaging app.
BERT’s malware also incorporates registry manipulation for persistence and employs virtualization and sandbox evasion techniques to avoid detection. Its use of multi-threaded encryption, particularly on Linux platforms, enables rapid and widespread file encryption.
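The two on-disk indicators named above (the .encryptedbybert extension and the .note.txt ransom note) are the quickest way for a responder to scope which directories an infection reached. The following triage script is an added example, not code from the article or from any vendor report; it works on a constructed file inventory and the severity labels are its own convention.

```python
"""Triage a file inventory for BERT ransomware on-disk indicators.

Added example: scans a list of paths, groups them by directory and flags
directories containing files with the .encryptedbybert extension and/or
the .note.txt ransom note described in the article. Sample paths below
are constructed, not real victim data.
"""
from collections import defaultdict
from pathlib import PurePosixPath

ENCRYPTED_EXT = ".encryptedbybert"   # extension appended to encrypted files (from the article)
RANSOM_NOTE = ".note.txt"            # ransom note file name (from the article)

# Constructed sample inventory: untouched, encrypted and note files mixed together.
SAMPLE_PATHS = [
    "/srv/share/finance/q1.xlsx.encryptedbybert",
    "/srv/share/finance/q2.xlsx.encryptedbybert",
    "/srv/share/finance/.note.txt",
    "/srv/share/hr/handbook.pdf",
    "/srv/share/hr/.note.txt",
    "/srv/share/eng/design.dwg.encryptedbybert",
    "/home/alice/notes.txt",
]


def triage(paths):
    """Return {directory: {"encrypted": n, "note": bool, "total": m}}."""
    report = defaultdict(lambda: {"encrypted": 0, "note": False, "total": 0})
    for p in paths:
        path = PurePosixPath(p)
        entry = report[str(path.parent)]
        entry["total"] += 1
        if path.name == RANSOM_NOTE:          # exact match on the note name
            entry["note"] = True
        elif path.name.endswith(ENCRYPTED_EXT):  # renamed by the encryptor
            entry["encrypted"] += 1
    return dict(report)


def classify(entry):
    """Map indicator counts to a severity label (this script's own convention)."""
    if entry["encrypted"] and entry["note"]:
        return "confirmed"   # both indicators present: encryption ran here
    if entry["encrypted"] or entry["note"]:
        return "suspect"     # a single indicator: investigate
    return "clean"


def flagged_directories(paths):
    """Return {directory: severity} for every directory that is not clean."""
    return {d: classify(e) for d, e in triage(paths).items() if classify(e) != "clean"}


if __name__ == "__main__":
    for directory, severity in sorted(flagged_directories(SAMPLE_PATHS).items()):
        print(f"{severity:9s} {directory}")
```

On a live host, replace SAMPLE_PATHS with the output of a file-system walk; the same two indicators can also be fed to an EDR or SIEM as file-name match rules.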