BERT ransomware has emerged as a sophisticated threat engineered specifically to target VMware ESXi virtualization infrastructure, forcing immediate shutdowns of virtual machines before encrypting critical system files using AES algorithms. This virtualization-aware malware strain first appeared in April 2025 and has since impacted organizations across the healthcare, technology, and construction sectors globally.
BERT ransomware specifically targets VMware ESXi systems, shutting down virtual machines before encrypting files with sophisticated AES encryption methods.
The ransomware employs a methodical attack sequence designed to maximize operational disruption and eliminate recovery options. Initially, BERT executes the `esxcli vm process kill` command to forcibly power off all active virtual machines running on compromised ESXi hosts. This forced shutdown strategy deliberately invalidates live snapshots, effectively undermining standard disaster recovery protocols that organizations typically rely upon for rapid restoration.
Following VM termination, the malware targets the underlying virtual disk and configuration files for encryption, using multi-threaded processing with up to 50 concurrent threads. This approach allows rapid file locking across Linux-based systems while evading detection mechanisms. The ransomware specifically disables snapshot-based backup and recovery workflows, creating additional barriers to data restoration without ransom payment.
BERT demonstrates notable technical sophistication through its dual-platform capabilities. Windows variants employ PowerShell-based loaders for privilege escalation and for disabling security controls, while Linux versions use a ConcurrentQueue and disk workers to encrypt files in real time as they are identified. Recent variants show improvements in encryption efficiency over earlier versions. The threat group employs double-extortion tactics to maximize pressure on victims and increase the likelihood of ransom payment.
Threat actors gain initial access through exploiting unpatched vulnerabilities and utilizing stolen or brute-forced credentials. Security researchers have identified potential linkages to Russian threat actor infrastructure, with possible code lineage from Linux variants of the REvil ransomware group. The group operates under various aliases, including “Water Pombero,” targeting victims across the United States, Europe, Asia, and Latin America. Attackers frequently leverage weak SSH passwords alongside compromised vCenter credentials to establish their initial foothold in target environments.
Organizations face immediate operational challenges when BERT strikes, as the streamlined encryption process completes before defensive measures can be enacted. Key indicators include sudden VM shutdowns, loss of access to VM files, abnormal shell commands on ESXi hosts, and ransom notes typically stating “Hello from Bert Your network is hacked and files are encrypted.”
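The `esxcli vm process kill` sequence described above and the "abnormal shell commands" indicator suggest a simple host-side detection: flag a burst of forced VM kills from the ESXi shell. The following is an added example (not code from the article or from any vendor); it assumes ESXi `shell.log`-style lines of the form `<timestamp> shell[<pid>]: [<user>]: <command>`, and the sample lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in an assumed shell.log layout: one burst of forced kills
# from root (suspicious), then a single soft kill hours later (benign admin work).
SAMPLE_SHELL_LOG = """\
2025-04-12T10:14:58Z shell[2101234]: [root]: esxcli vm process list
2025-04-12T10:15:01Z shell[2101234]: [root]: esxcli vm process kill --type=force --world-id=2101990
2025-04-12T10:15:02Z shell[2101234]: [root]: esxcli vm process kill --type=force --world-id=2102015
2025-04-12T10:15:03Z shell[2101234]: [root]: esxcli vm process kill --type=force --world-id=2102088
2025-04-12T10:15:04Z shell[2101234]: [root]: esxcli vm process kill --type=force --world-id=2102141
2025-04-12T10:15:06Z shell[2101234]: [root]: ls /vmfs/volumes/
2025-04-12T13:40:10Z shell[2109876]: [admin]: esxcli vm process kill --type=soft --world-id=2103333
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.+)$")
# Matches both long (--world-id=N / --world-id N) and short (-w N) argument forms.
KILL_RE = re.compile(r"\besxcli\s+vm\s+process\s+kill\b.*?(?:--world-id[= ]|-w\s+)(?P<wid>\d+)")


def parse_kill_events(text):
    """Return (timestamp, user, world_id, forced) for each VM kill command seen."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        k = KILL_RE.search(m["cmd"]) if m else None
        if not k:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], k["wid"], "--type=force" in m["cmd"]))
    return events


def detect_mass_kill(text, threshold=3, window_seconds=60):
    """Group kill events into time windows; alert when a window holds >= threshold kills."""
    groups, current = [], []
    for ev in sorted(parse_kill_events(text)):
        # Start a new group once the gap from the group's first event exceeds the window.
        if current and ev[0] - current[0][0] > timedelta(seconds=window_seconds):
            groups.append(current)
            current = []
        current.append(ev)
    if current:
        groups.append(current)
    return [
        {
            "first_seen": g[0][0].isoformat(),
            "users": sorted({e[1] for e in g}),
            "world_ids": [e[2] for e in g],
            "all_forced": all(e[3] for e in g),
        }
        for g in groups
        if len(g) >= threshold
    ]


if __name__ == "__main__":
    for alert in detect_mass_kill(SAMPLE_SHELL_LOG):
        print("ALERT: mass VM kill", alert)
```

A single soft kill by an administrator stays below the threshold, while the four forced kills within a few seconds produce one alert that can be forwarded to a SIEM alongside the other indicators listed above.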