BERT Ransomware: A New Threat to Virtualized Environments

A newly identified ransomware group, known as BERT, has emerged as a significant threat to virtualized infrastructures, particularly targeting VMware ESXi environments. First detected in April 2025, BERT has rapidly expanded its operations across Asia, Europe, and the United States, focusing on sectors such as healthcare, technology, and event services.

Advanced Virtual Machine Targeting

BERT’s Linux variant can forcibly terminate ESXi virtual machines (VMs) before it starts encrypting. Stopping the guests first matters for two reasons: a running VM holds locks on its disk files, so the VMDKs cannot be overwritten until the VM is down, and halted VMs cannot be live-migrated or backed up to another host while the attack is in progress. By issuing commands that stop every running VM process on the ESXi host, BERT maximizes operational disruption.

The ransomware supports up to 50 concurrent encryption threads, which lets it work through large datastores quickly. When launched without command-line parameters, it shuts down VMs using the host’s own built-in ESXi commands. Because those are the same tools an administrator would use, the activity does not stand out unless the host’s shell activity is logged and reviewed.
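As an added example, not BERT’s code and not from the original article: a POSIX shell script that scans an ESXi host’s shell audit log for a burst of built-in VM-termination commands. It assumes the malware reaches for the stock ESXi tools for the job, `esxcli vm process kill` and `vim-cmd vmsvc/power.off` / `power.shutdown`; the article says only “built-in ESXi commands”, so that mapping is an assumption. The sample log lines are constructed to resemble /var/log/shell.log, and the burst detector is the part worth keeping: an administrator stops one VM, a ransomware stops all of them within seconds.

```shell
#!/bin/sh
# Added example, not BERT's code and not from the original article: scan an
# ESXi shell audit log for a burst of built-in VM-termination commands.
# Assumption: the ransomware uses the stock ESXi tools for the job,
# `esxcli vm process kill` and `vim-cmd vmsvc/power.off|power.shutdown`.
# The sample lines below are constructed to resemble /var/log/shell.log.

# Extended regex for the built-in ways to stop a VM from the ESXi shell.
VM_KILL_RE='esxcli vm process kill|vim-cmd vmsvc/power\.(off|shutdown)'

# count_vm_kills FILE -> number of log lines that stop a VM
count_vm_kills() {
    grep -cE "$VM_KILL_RE" "$1" || true
}

# burst_kills FILE THRESHOLD -> "<minute> <count>" for every minute in which
# at least THRESHOLD VMs were stopped. One power-off in a minute is routine;
# a burst is the signal worth alerting on.
burst_kills() {
    awk -v thr="$2" '
        /esxcli vm process kill|vim-cmd vmsvc\/power\.(off|shutdown)/ {
            minute = substr($1, 1, 16)      # e.g. 2025-04-15T02:13
            n[minute]++
        }
        END { for (m in n) if (n[m] >= thr) printf "%s %d\n", m, n[m] }
    ' "$1" | sort
}

# write_sample_log FILE -> constructed shell.log excerpt: one routine power-off
# at 02:10, then four forced kills inside a single minute at 02:13.
write_sample_log() {
    cat > "$1" <<'EOF'
2025-04-15T02:10:05Z In(14) shell[2098001]: [root]: esxcli vm process list
2025-04-15T02:10:20Z In(14) shell[2098001]: [root]: vim-cmd vmsvc/power.off 12
2025-04-15T02:13:41Z In(14) shell[2098765]: [root]: esxcli vm process kill --type=force --world-id=2100123
2025-04-15T02:13:41Z In(14) shell[2098765]: [root]: esxcli vm process kill --type=force --world-id=2100456
2025-04-15T02:13:42Z In(14) shell[2098765]: [root]: esxcli vm process kill --type=force --world-id=2100789
2025-04-15T02:13:42Z In(14) shell[2098765]: [root]: esxcli vm process kill --type=force --world-id=2101012
2025-04-15T02:13:43Z In(14) shell[2098765]: [root]: ls /vmfs/volumes
EOF
}

# On a live host: burst_kills /var/log/shell.log 3
```

Run it against the constructed excerpt and the 02:10 power-off is ignored while the 02:13 minute is reported with four kills. On a real host the same function should run against logs forwarded to a SIEM rather than the local file, since the host itself may be encrypted moments later.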

Multi-Platform Attack Strategy

BERT has developed variants targeting Windows, Linux, and ESXi platforms, allowing for comprehensive attacks across diverse IT environments. On Windows systems, BERT uses PowerShell-based loaders that disable Windows Defender, the host firewall, and User Account Control before fetching the main payload from infrastructure hosted in Russia.

Security researchers have identified code similarities between BERT and previously leaked REvil Linux variants, suggesting that BERT may have adapted existing ransomware frameworks to enhance its effectiveness.

Implications for Disaster Recovery

The forced-shutdown capability is a meaningful escalation because it cuts directly across the disaster-recovery playbooks organizations rely on during an incident. Traditional recovery often involves quickly spinning up backup virtual machines or migrating workloads to alternate hosts. BERT removes the migration option by terminating every VM process on the host, and the encryption that follows leaves only encrypted disk images behind; recovery then depends on backups that were never reachable from the compromised environment.

Organizations using VMware ESXi hypervisors face particular risk, as a single compromised hypervisor can affect numerous virtual machines simultaneously. The ransomware appends different file extensions depending on the target platform: .encryptedbybert on Windows systems and .encrypted_by_bert on Linux and ESXi environments.

Mitigation Strategies

To defend against BERT ransomware, organizations should consider the following measures:

– Enhanced Monitoring: Alert on PowerShell loaders that turn off Defender, the firewall or UAC, and forward ESXi shell and authentication logs off-box so a burst of VM power-off or kill commands is visible even after the host is encrypted.

– Network Segmentation: Put ESXi management interfaces (SSH, ESXi Shell, the host web client) on an isolated management network reachable only from jump hosts, and enable lockdown mode so direct host logins are forced through vCenter.

– Robust Backup Strategies: Maintain comprehensive, regularly updated backups on offline or immutable storage that cannot be reached with the hypervisor’s or the domain’s credentials, and rehearse restores so recovery does not depend on the VMs the attacker has just killed.

– Patch Management: Regularly update and patch all systems to address known vulnerabilities.

– Access Controls: Enforce strict access controls and multi-factor authentication to limit the potential for unauthorized access.
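As an added example, not from the article and not a vendor script: a shell pass that applies the ESXi side of this list with the stock esxcli and vim-cmd tools. The management subnet 10.10.50.0/24 and the syslog target siem.example.internal are assumptions; set DRY_RUN=1 to print the commands instead of running them. Enable lockdown mode and disable SSH from the DCUI or through vCenter rather than over an SSH session, otherwise the session applying the change is the one that gets locked out.

```shell
#!/bin/sh
# Added example (not from the original article): a minimal ESXi-shell hardening
# pass matching the article's mitigation list. Commands are the stock esxcli /
# vim-cmd tools; the management CIDR and syslog target are assumptions.
# Run with DRY_RUN=1 to print the commands instead of executing them.

MGMT_NET="${MGMT_NET:-10.10.50.0/24}"                    # assumed management subnet
LOGHOST="${LOGHOST:-tcp://siem.example.internal:514}"     # assumed SIEM collector

# run CMD... -> execute CMD, or print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

harden_esxi() {
    # 1. Only allow binaries that ship in signed VIBs to execute, so a dropped
    #    ELF payload cannot run at all.
    run esxcli system settings kernel set -s execInstalledOnly -v TRUE
    run esxcli system settings advanced set -o /User/execInstalledOnly -i 1

    # 2. Restrict who can reach SSH and the host client: default-deny, then
    #    allow the management subnet only.
    run esxcli network firewall set --default-action=false
    run esxcli network firewall ruleset set --ruleset-id=sshServer --allowed-all=false
    run esxcli network firewall ruleset allowedip add --ruleset-id=sshServer --ip-address="$MGMT_NET"
    run esxcli network firewall ruleset set --ruleset-id=vSphereClient --allowed-all=false
    run esxcli network firewall ruleset allowedip add --ruleset-id=vSphereClient --ip-address="$MGMT_NET"

    # 3. Ship shell and auth logs off-box so a burst of VM kills is recorded
    #    even if the host is encrypted afterwards.
    run esxcli system syslog config set --loghost="$LOGHOST"
    run esxcli system syslog reload

    # 4. Close the interactive shells and enter lockdown mode; vCenter remains
    #    the administrative path. Do this from the DCUI or vCenter, not over SSH.
    run vim-cmd hostsvc/disable_ssh
    run vim-cmd hostsvc/disable_esx_shell
    run vim-cmd vimsvc/auth/lockdown_mode_enter
}

# Usage: DRY_RUN=1 sh harden_esxi.sh   (review), then run harden_esxi on the host
```

The firewall rules only take effect for the named rulesets; if other services are enabled on the host (for example CIM or NFC), apply the same allowed-IP restriction to each of them before switching the default action to deny.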

By adopting these strategies, organizations can enhance their resilience against BERT ransomware and similar threats targeting virtualized environments.