Saturday, December 13, 2025

How BERT Ransomware Targets ESXi VMs, Hindering Recovery by Forcibly Shutting Them Down

In a worrying escalation for enterprise IT security, the newly emerged ransomware group “BERT,” also tracked as Water Pombero, has begun targeting organizations across Asia, Europe, and the United States.

The group’s rapid adoption of multithreaded ransomware variants for both Windows and Linux, particularly their aggressive tactics against ESXi virtual machines (VMs), has heightened the risk to data centers and critical infrastructure.

Simple Code, Ruthless Impact

Unlike some ransomware actors that rely on complex and stealthy code, BERT’s approach is defined by simplicity and ruthless efficacy.

On both Windows and Linux, their malware quickly finds and encrypts files, using multi-threading to maximize speed and reduce the window for defenders to intervene.

On Linux systems, BERT supports up to 50 concurrent threads for encryption, making it one of the faster ransomware threats in the wild.

A notable detail is BERT’s PowerShell-based loaders for Windows. These scripts escalate privileges, disable security controls such as Windows Defender and firewalls, and execute the ransomware payload.

For initial access, the ransomware is often retrieved from Russian-hosted infrastructure, and the PowerShell scripts contain Russian-language comments, a possible clue to its operators’ origins.

Targeting ESXi VMs: Forcing Shutdowns to Maximize Damage

BERT’s Linux variant is especially dangerous for organizations running server virtualization. When executed on compromised hosts, the ransomware uses administrative commands (e.g., esxcli vm process kill) to forcibly terminate all running virtual machines on an ESXi server. This tactic achieves two devastating objectives:

  1. Halts Business Operations: By abruptly shutting down VMs, BERT disrupts active services, resulting in an immediate business impact.
  2. Obstructs Recovery Efforts: Shutdowns can corrupt active snapshots and hinder backup solutions, significantly complicating post-attack data recovery.

After shutting down the VMs, BERT quickly encrypts files and appends the extension .encrypted_by_bert, leaving a ransom note (encrypted_by_bert-decrypt.txt) in affected directories.

[Figure: Files encrypted with the extension “.encrypted_by_bert”]

Its configuration, embedded as a JSON object within the binary, allows flexibility and rapid redeployment in future campaigns, a hallmark of modern ransomware design.
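The two ESXi-side signals the article describes, a burst of forced VM kills and the file artifacts left behind, can both be hunted for with a short script. The following is an added example, not code from the article or from the BERT operators. It assumes an ESXi shell-history file whose lines look like "<timestamp> shell[<pid>]: [<user>]: <command>" (that layout, the world IDs and the datastore tree are all constructed for this demo); the command, extension and ransom-note name are the ones the article gives.

```python
"""Defender-side hunt for the BERT ESXi behaviour described above.

Added example; not code from the article or from the BERT operators.
Assumptions (not stated in the article): ESXi shell history is read from a
shell.log-style file whose lines look like
"<timestamp> shell[<pid>]: [<user>]: <command>", and datastores are scanned
for the two artifacts the article names (the .encrypted_by_bert extension
and the encrypted_by_bert-decrypt.txt note). All sample data is constructed.
"""
import os
import re
import tempfile
from pathlib import Path

# File artifacts named in the article.
ENCRYPTED_EXT = ".encrypted_by_bert"
RANSOM_NOTE = "encrypted_by_bert-decrypt.txt"

# Assumed shell.log layout (constructed for this example).
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$"
)

# The forced-shutdown command the article describes. One kill can be routine
# admin work; a burst of them is the bulk-shutdown pattern worth alerting on.
KILL_CMD = re.compile(r"\besxcli\s+vm\s+process\s+kill\b")


def find_vm_kills(log_lines):
    """Return (timestamp, user, command) for every esxcli vm process kill."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line.rstrip("\n"))
        if m and KILL_CMD.search(m.group("cmd")):
            hits.append((m.group("ts"), m.group("user"), m.group("cmd")))
    return hits


def mass_kill_alert(hits, threshold=3):
    """True when the number of kill commands reaches the alert threshold."""
    return len(hits) >= threshold


def scan_for_artifacts(root):
    """Walk a datastore path and collect encrypted files and ransom notes."""
    found = {"encrypted": [], "notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_EXT):
                found["encrypted"].append(full)
            elif name == RANSOM_NOTE:
                found["notes"].append(full)
    return found


# Constructed shell.log excerpt: one benign listing, three forced kills, one
# benign inventory query.
SAMPLE_LOG = [
    "2025-12-13T10:15:02Z shell[2098961]: [root]: esxcli vm process list",
    "2025-12-13T10:15:09Z shell[2098961]: [root]: esxcli vm process kill --type=force --world-id=2101234",
    "2025-12-13T10:15:10Z shell[2098961]: [root]: esxcli vm process kill --type=force --world-id=2101301",
    "2025-12-13T10:15:11Z shell[2098961]: [root]: esxcli vm process kill --type=force --world-id=2101377",
    "2025-12-13T10:16:40Z shell[2098961]: [root]: vim-cmd vmsvc/getallvms",
]


def demo():
    """Run both checks on the constructed log and a constructed datastore tree."""
    hits = find_vm_kills(SAMPLE_LOG)
    with tempfile.TemporaryDirectory() as tmp:
        vmdir = Path(tmp) / "vmfs" / "volumes" / "datastore1" / "web01"
        vmdir.mkdir(parents=True)
        (vmdir / "web01.vmdk.encrypted_by_bert").write_bytes(b"\x00")
        (vmdir / "web01.vmx.encrypted_by_bert").write_bytes(b"\x00")
        (vmdir / RANSOM_NOTE).write_text("constructed ransom note\n")
        (vmdir / "web01.nvram").write_bytes(b"\x00")  # untouched file
        artifacts = scan_for_artifacts(tmp)
    return hits, artifacts


if __name__ == "__main__":
    kills, arts = demo()
    print(f"vm kills: {len(kills)} alert={mass_kill_alert(kills)}")
    print(f"encrypted files: {len(arts['encrypted'])} notes: {len(arts['notes'])}")
```

On a real host the log list would come from the shell-history file and the scan root from /vmfs/volumes; the threshold of three kills is a starting point to tune against how often administrators legitimately use the command in your environment.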

Defending Against BERT: Proactive Measures Required

Security experts urge organizations to adopt layered defenses against threats like BERT.

Recommendations include restricting administrative access, segmenting and hardening ESXi hypervisors, monitoring for unauthorized PowerShell and script execution, and maintaining offline, immutable backups.

The continued success of BERT highlights that even simple tools can be highly effective in the hands of determined attackers, making vigilance and robust incident response plans critical for modern enterprises.

As BERT continues to refine its tactics, its ability to disrupt virtualized environments by targeting ESXi hosts stands as a stern warning for organizations everywhere: virtualization is not a silver bullet, and securing it is critical in the age of ransomware.

Indicators of Compromise (IoC)

SHA256 | Detection | Description
1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326 | PUA.Win32.DefenderControl.B | Tool used to disable antivirus protection
70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4 | PUA.Win64.ProcHack.B | Process Hacker binary used for process manipulation
75fa5b506d095015046248cf6d2ec1c48111931b4584a040ceca57447e9b9d71 | Ransom.MSIL.TREB.YPFDUT | BERT ransomware (Windows binary, new variant)
8478d5f5a33850457abc89a99718fc871b80a8fb0f5b509ac1102f441189a311 | Ransom.MSIL.TREB.SMYPFDUT | BERT ransomware (Windows binary)
b2f601ca68551c0669631fd5427e6992926ce164f8b3a25ae969c7f6c6ce8e4f | Trojan.PS1.POWLOAD.THEBIBE | PowerShell script that downloads and executes BERT ransomware
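A hash sweep is the most direct use of the table above. The script below is an added example, not code from the article; the hash-to-detection map is copied from the table, while the directory walked and the files created in the demo are constructed. The demo seeds a copy of the IoC map with the hash of a harmless constructed file so that a match can be shown without any real sample.

```python
"""SHA256 sweep against the BERT indicators listed in the table above.

Added example; not code from the article. The hash-to-detection map is copied
from the article's IoC table; the directory walked and the sample files are
assumptions constructed for the demo.
"""
import hashlib
import os
import tempfile

# Copied from the article's IoC table.
BERT_IOCS = {
    "1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326": "PUA.Win32.DefenderControl.B",
    "70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4": "PUA.Win64.ProcHack.B",
    "75fa5b506d095015046248cf6d2ec1c48111931b4584a040ceca57447e9b9d71": "Ransom.MSIL.TREB.YPFDUT",
    "8478d5f5a33850457abc89a99718fc871b80a8fb0f5b509ac1102f441189a311": "Ransom.MSIL.TREB.SMYPFDUT",
    "b2f601ca68551c0669631fd5427e6992926ce164f8b3a25ae969c7f6c6ce8e4f": "Trojan.PS1.POWLOAD.THEBIBE",
}


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root, iocs=BERT_IOCS):
    """Return (path, sha256, detection) for every file whose hash is in iocs."""
    matches = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                h = sha256_file(path)
            except OSError:
                # Unreadable or vanished file: skip it rather than abort the sweep.
                continue
            if h in iocs:
                matches.append((path, h, iocs[h]))
    return matches


def demo():
    """Sweep a constructed tree: one benign file and one file seeded as known-bad."""
    with tempfile.TemporaryDirectory() as tmp:
        benign = os.path.join(tmp, "notes.txt")
        with open(benign, "w") as fh:
            fh.write("constructed benign file\n")
        # Constructed stand-in: its hash is added to a copy of the IoC map so the
        # demo produces a hit without shipping any real sample.
        seeded = os.path.join(tmp, "loader.ps1")
        with open(seeded, "wb") as fh:
            fh.write(b"constructed stand-in for a flagged file\n")
        iocs = dict(BERT_IOCS)
        iocs[sha256_file(seeded)] = "Constructed.Sample"
        # First result: sweep with the seeded map; second: article IoCs only.
        return sweep(tmp, iocs), sweep(tmp)


if __name__ == "__main__":
    with_seed, article_only = demo()
    for path, h, name in with_seed:
        print(f"MATCH {name} {h} {path}")
    print(f"matches against article IoCs alone: {len(article_only)}")
```

Hash matching only catches the exact binaries listed; the table itself carries two different hashes for the Windows ransomware because a new variant was rebuilt, so a sweep like this belongs alongside the behavioural monitoring (PowerShell execution, ESXi shell commands) the article recommends rather than in place of it.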
