New BERT Ransomware Attacks ESXi Virtual Machines… and Turns Them Off Before Encrypting

The BERT Ransomware group is employing a direct tactic: forcing ESXi server VMs to shut down before encrypting files. This precise disruption of critical environments poses a genuine threat to operational continuity.

A sophisticated and emerging ransomware threat is shaking the global cybersecurity landscape. Known as BERT Ransomware (tracked by Trend Micro as “Water Pombero”), this group has developed a particularly disruptive tactic that sets it apart from traditional ransomware operations: the ability to force the shutdown of ESXi virtual machines before proceeding with encryption.

An emerging threat with a global impact

First observed in April 2025, BERT has quickly established itself as a significant threat to virtualized environments across Asia, Europe, and the United States. According to Trend Micro’s analysis, the malware’s most concerning feature is its Linux variant, capable of detecting and forcing the shutdown of ESXi VMs before encrypting files.

The group’s targeting primarily focuses on the healthcare, technology, and events services sectors, with confirmed victims spanning multiple continents, as reported by Cybersecurity News.

Technical details that make a difference

Advanced capabilities in Linux/ESXi

The Linux variant of BERT is specifically optimized for virtualized environments and presents alarming technical features:

  • Up to 50 concurrent threads for encryption, enabling efficient processing in large virtualized environments
  • Identification and termination of VM processes before encryption
  • Automatic shutdown commands using integrated ESXi utilities when run without command-line parameters
  • Encryption extensions: .encrypted_by_bert on Linux/ESXi systems and .encryptedbybert on Windows

Security Online confirms that when executed without command-line parameters, the malware automatically shuts down VMs using built-in ESXi commands, demonstrating sophisticated understanding of VMware infrastructure.

Windows variant: PowerShell as a vector

On Windows systems, BERT employs PowerShell loaders that:

  • Escalate privileges and disable security features
  • Deactivate Windows Defender, firewalls, and User Account Control (UAC)
  • Download the main payload from Russian infrastructure
  • Terminate related web server and database services before encryption begins

Concerning technical connections

Security researchers have identified significant code similarities between BERT and previous ransomware variants, notably:

  • The Linux variant of REvil: originally identified in 2021 and known for targeting ESXi servers
  • Leaked source code from Babuk: used in ESXi lockers attributed to Conti and REvil
  • A hybrid framework: suggesting that the group has reused Linux REvil code to enhance effectiveness

As reported by The Raven File, Linux file analysis shows an 80% code match with Sodinokibi (also known as REvil) ransomware.

Command and control infrastructure

Research reveals BERT’s infrastructure is hosted on servers controlled by Russian entities. Specifically:

  • File storage servers running Apache/2.4.52 (Ubuntu)
  • IP address registered in Sweden but under the control of Edinaya Set Limited, a popular Russian provider
  • Russian language comments within PowerShell scripts, potentially indicating the threat actors’ origin

Confirmed victims and affected sectors

Victims include organizations within:

  • Healthcare: hospitals and clinics
  • Technology: development companies and IT services
  • Events management: event planning and logistics companies

Infosecurity Magazine confirms that the group has rapidly improved and optimized their ransomware variants since launching.

Why this tactic is revolutionary

Disruption of recovery procedures

The forced-shutdown capability marks a significant escalation in ransomware tactics, directly undermining the disaster recovery measures organizations rely on during cyber incidents.

Traditional recovery methods often involve:

  • Quickly activating backup VMs
  • Migrating workloads to alternative hosts
  • Maintaining critical operations during an incident

BERT eliminates these options by systematically shutting down all VM processes, according to Dark Reading.

Amplified impact on virtualized environments

Organizations using VMware ESXi hypervisors face particular risk: a compromised hypervisor can affect dozens of VMs simultaneously. This feature makes BERT especially devastating to critical infrastructure.

Immediate security recommendations

Specific protective measures

Cybersecurity experts recommend implementing these protections:

  • Isolate ESXi management interfaces from public internet access
  • Monitor for unauthorized PowerShell activity, especially loaders like start.ps1
  • Implement immutable, offline backups that cannot be altered during an attack
  • Review network segmentation to limit lateral movement
  • Strengthen endpoint protections and restrict admin rights
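The following is an added detection example, not code from the article or from any of the sources it cites. It turns three specifics from the page into checks a defender can run over telemetry: the two encrypted-file extensions, a burst of VM power-off commands in an ESXi shell log (the page only says "built-in ESXi commands"; the `vim-cmd vmsvc/power.off` and `esxcli vm process kill` patterns, the shell.log line layout and the sample log lines are my assumptions, constructed for this example), and a PowerShell launch of a loader named start.ps1.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# File extensions the article reports for BERT-encrypted files (Linux/ESXi and Windows).
BERT_EXTENSIONS = (".encrypted_by_bert", ".encryptedbybert")

# Assumed ESXi shell.log layout: "<ISO time>Z shell[<pid>]: [<user>]: <command>".
SHELL_LINE = re.compile(r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]:? (?P<cmd>.*)$")
# Standard ESXi utilities for stopping a VM; many of these in a short window is the signal.
POWEROFF_CMD = re.compile(r"vim-cmd\s+vmsvc/power\.off|esxcli\s+vm\s+process\s+kill")

def find_bert_extensions(paths):
    """Return paths carrying either BERT extension, case-insensitively."""
    return [p for p in paths if p.lower().endswith(BERT_EXTENSIONS)]

def detect_mass_poweroff(lines, threshold=5, window_s=60):
    """Alert once per burst of at least `threshold` power-off commands within `window_s` seconds."""
    alerts, recent = [], deque()
    for line in lines:
        m = SHELL_LINE.match(line)
        if not m or not POWEROFF_CMD.search(m.group("cmd")):
            continue  # not a shell line, or not a power-off command
        ts = datetime.fromisoformat(m.group("ts").rstrip("Z"))
        recent.append(ts)
        while ts - recent[0] > timedelta(seconds=window_s):
            recent.popleft()  # drop commands that fell out of the sliding window
        if len(recent) == threshold:
            alerts.append({"time": ts.isoformat(), "user": m.group("user"), "count": threshold})
    return alerts

def find_loader_launches(lines, loader="start.ps1"):
    """Flag process command lines that run PowerShell with the named loader script."""
    return [l for l in lines if "powershell" in l.lower() and loader.lower() in l.lower()]

# Constructed sample telemetry for the example; not real logs.
SAMPLE_SHELL_LOG = [
    "2025-04-20T10:14:50Z shell[1001]: [root]: vim-cmd vmsvc/getallvms",
    "2025-04-20T10:15:01Z shell[1001]: [root]: vim-cmd vmsvc/power.off 1",
    "2025-04-20T10:15:03Z shell[1001]: [root]: vim-cmd vmsvc/power.off 2",
    "2025-04-20T10:15:04Z shell[1001]: [root]: esxcli vm process kill --type=force --world-id=2103",
    "2025-04-20T10:15:06Z shell[1001]: [root]: vim-cmd vmsvc/power.off 4",
    "2025-04-20T10:15:09Z shell[1001]: [root]: vim-cmd vmsvc/power.off 5",
]
SAMPLE_PROCESS_LOG = [
    "svchost.exe -k netsvcs",
    "powershell.exe -File C:\\Users\\Public\\start.ps1",
]
```

The burst threshold and window are starting points; tune them against the rate at which your own administrators legitimately power off VMs.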

Security best practices

As Trend Micro advises, organizations should:

  • Exercise caution with email and web browsing practices
  • Avoid downloading attachments or clicking links from unverified sources
  • Deploy web filtering to restrict access to known malicious sites
  • Keep systems updated with the latest security patches

Future threat landscape

Trend toward specialization

BERT exemplifies a growing trend toward targeted ransomware attacks on virtualized infrastructure. As Undercode News notes, “these are not amateur hackers. They are developers with deep system architecture knowledge and exploit timing.”

Continuous evolution

Perhaps most alarming is BERT’s ongoing evolution. The group has demonstrated the ability to:

  • Improve and optimize variants rapidly
  • Adapt existing code for new attack vectors
  • Develop multi-platform capabilities simultaneously

Conclusion: A new era of targeted threats

BERT Ransomware isn’t just another ransomware; it’s a surgical disruption designed explicitly to maximize operational damage. Its capability to paralyze virtual environments before encryption marks a turning point in cyber threat sophistication.

The question isn’t whether your infrastructure could withstand such an attack but when your organization might be targeted next. In a world where virtualization underpins modern enterprise infrastructure, proactive preparation isn’t optional—it’s a critical survival necessity.
