A newly emerged ransomware group known as BERT has introduced a particularly disruptive capability that sets it apart from traditional ransomware operations: the ability to forcibly terminate ESXi virtual machines before encryption, significantly complicating recovery efforts for targeted organizations. The group has developed variants targeting Windows, Linux, and ESXi platforms simultaneously, enabling comprehensive attacks across hybrid IT environments.

The ransomware appends different file extensions depending on the target platform: ".encryptedbybert" on Windows systems and ".encrypted_by_bert" on Linux and ESXi environments. When executed without command-line parameters, the malware automatically proceeds to shut down virtual machines using built-in ESXi commands, demonstrating sophisticated knowledge of VMware infrastructure. Security researchers have identified connections between BERT's codebase and previously leaked REvil Linux variants, suggesting the group may have repurposed existing ransomware frameworks for enhanced effectiveness.

The ransomware's most concerning feature lies in its Linux variant, which can detect and forcibly shut down ESXi virtual machines before proceeding with file encryption. Traditional recovery methods often involve quickly spinning up backup virtual machines or migrating workloads to alternate hosts, but BERT's approach eliminates these options by systematically terminating all VM processes. On Windows systems, BERT employs PowerShell-based loaders that disable security features, including Windows Defender, firewalls, and User Account Control, before downloading the main payload from Russian infrastructure. Organizations using VMware ESXi hypervisors face particular risk, as a single compromised hypervisor can affect dozens of virtual machines simultaneously.
The forced shutdown capability represents a significant escalation in ransomware tactics, as it directly undermines the disaster recovery procedures that organizations rely upon during cyber incidents. BERT's Linux implementation supports up to 50 concurrent threads for rapid encryption, allowing the ransomware to process large virtualized environments efficiently. The group's virtualization-focused tactics are designed to maximize damage and hinder organizational recovery efforts: by ensuring that virtual machines cannot continue running during the attack, they prevent administrators from quickly migrating or backing up critical systems.
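The two platform-specific extensions named above are the most direct artefact a responder can scope an incident with. The following triage helper is an added example written for this article, not code from the article or from any vendor analysis: it walks a directory tree (a mounted datastore, a restored file share) and summarizes which BERT variant touched which directories, separating hit VM disk and config files from ordinary documents so that hypervisor recovery can be prioritized. The sample directory layout it builds is constructed for the demonstration; only the two extensions come from the page.

```python
"""
Incident-response triage helper for a suspected BERT ransomware incident.

Walks a directory tree, flags files carrying the extensions attributed to
BERT (".encryptedbybert" for the Windows variant, ".encrypted_by_bert" for
the Linux/ESXi variant) and summarizes the impact per variant and per
directory. The sample tree in build_sample_tree() is constructed for this
example and does not reflect any real victim environment.
"""
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Extensions reported in the article, mapped to the variant that produces them.
BERT_EXTENSIONS = {
    ".encryptedbybert": "windows",
    ".encrypted_by_bert": "linux/esxi",
}

# Inner extensions that indicate a virtual machine's own files were encrypted,
# which usually means the guest was shut down before encryption (assumption
# used only for prioritizing recovery, not a detection rule).
VM_ARTIFACT_SUFFIXES = (".vmdk", ".vmx", ".vmsd", ".nvram")


def classify_file(path):
    """Return the BERT variant label for an encrypted file, or None if untouched."""
    name = Path(path).name.lower()
    for ext, variant in BERT_EXTENSIONS.items():
        if name.endswith(ext):
            return variant
    return None


def is_vm_artifact(path):
    """True if the file (after stripping a BERT extension) is a VM disk/config file."""
    name = Path(path).name.lower()
    for ext in BERT_EXTENSIONS:
        if name.endswith(ext):
            name = name[: -len(ext)]
            break
    return name.endswith(VM_ARTIFACT_SUFFIXES)


def scan_tree(root):
    """Walk root and return a summary dict of encrypted files found beneath it."""
    root = Path(root)
    by_variant = Counter()
    by_dir = Counter()
    hits = []
    vm_hits = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        for fname in files:
            full = Path(dirpath) / fname
            variant = classify_file(full)
            if variant is None:
                continue
            rel = full.relative_to(root).as_posix()
            by_variant[variant] += 1
            by_dir[rel_dir] += 1
            hits.append(rel)
            if is_vm_artifact(full):
                vm_hits.append(rel)
    return {
        "by_variant": dict(by_variant),
        "by_dir": dict(by_dir),
        "hits": sorted(hits),
        "vm_hits": sorted(vm_hits),
    }


def build_sample_tree():
    """Create a constructed sample tree resembling a datastore plus a file share."""
    tmp = Path(tempfile.mkdtemp(prefix="bert_triage_"))
    layout = [
        "datastore1/vm-web01/vm-web01.vmdk.encrypted_by_bert",
        "datastore1/vm-web01/vm-web01.vmx.encrypted_by_bert",
        "datastore1/vm-db01/vm-db01-flat.vmdk",      # untouched
        "shares/finance/q2.xlsx.encryptedbybert",
        "shares/finance/readme.txt",                 # untouched
    ]
    for rel in layout:
        target = tmp / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"")
    return tmp


if __name__ == "__main__":
    sample = build_sample_tree()
    try:
        summary = scan_tree(sample)
        print("encrypted files per variant:", summary["by_variant"])
        print("encrypted files per directory:", summary["by_dir"])
        print("VM artefacts hit (prioritize hypervisor recovery):", summary["vm_hits"])
    finally:
        shutil.rmtree(sample, ignore_errors=True)
```

Run it against a read-only mount of the affected datastore or share; the `vm_hits` list tells you which guests lost their disk and configuration files and therefore cannot simply be powered back on, which is exactly the recovery path the forced shutdown is meant to deny.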
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 08 Jul 2025 06:50:11 +0000