In a worrying escalation for enterprise IT security, the newly emerged ransomware group “BERT,” also tracked as Water Pombero, has begun targeting organizations across Asia, Europe, and the United States.
The group’s rapid adoption of multithreaded ransomware variants for both Windows and Linux, particularly their aggressive tactics against ESXi virtual machines (VMs), has heightened the risk to data centers and critical infrastructure.
Unlike some ransomware actors that rely on complex and stealthy code, BERT’s approach is defined by simplicity and ruthless efficacy.
On both Windows and Linux, their malware quickly finds and encrypts files, using multi-threading to maximize speed and reduce the window for defenders to intervene.
On Linux systems, BERT supports up to 50 concurrent threads for encryption, making it one of the faster ransomware threats in the wild.
A notable detail is BERT’s use of PowerShell-based loaders on Windows. These scripts escalate privileges, disable security controls such as Windows Defender and the firewall, and then execute the ransomware payload.
For initial access, the ransomware is often retrieved from Russian-hosted infrastructure, and the PowerShell scripts contain Russian-language comments, a possible clue to the operators’ origins.
BERT’s Linux variant is especially dangerous for organizations running server virtualization. When executed on compromised hosts, the ransomware uses administrative commands (e.g., esxcli vm process kill) to forcibly terminate all running virtual machines on an ESXi server. This tactic achieves two devastating objectives:
After shutting down the VMs, BERT quickly encrypts files and appends the extension .encrypted_by_bert, leaving a ransom note (encrypted_by_bert-decrypt.txt) in affected directories.
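The sequence described above (forced VM termination via esxcli, then files renamed with the .encrypted_by_bert extension and a ransom note dropped) is something a defender can hunt for in ESXi shell history and datastore listings. The following is an added detection example, not code from the article or from the BERT operators; the shell.log line format and the datastore paths are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Indicators taken from the article: the forced VM shutdown command,
# the encrypted-file extension and the ransom note file name.
KILL_CMD_RE = re.compile(r"\besxcli\s+vm\s+process\s+kill\b")
ENCRYPTED_EXT = ".encrypted_by_bert"
RANSOM_NOTE = "encrypted_by_bert-decrypt.txt"

# Constructed sample lines in the style of an ESXi shell.log; the exact
# format is an assumption for this example and not taken from the article.
SAMPLE_SHELL_LOG = """\
2025-07-01T10:02:11Z shell[2231]: [root]: esxcli vm process list
2025-07-01T10:02:19Z shell[2231]: [root]: esxcli vm process kill --type=force --world-id=2105732
2025-07-01T10:02:20Z shell[2231]: [root]: esxcli vm process kill --type=force --world-id=2105799
"""

# Constructed sample of a datastore file listing after encryption.
SAMPLE_PATHS = [
    "/vmfs/volumes/datastore1/web01/web01.vmdk.encrypted_by_bert",
    "/vmfs/volumes/datastore1/web01/web01.vmx.encrypted_by_bert",
    "/vmfs/volumes/datastore1/web01/encrypted_by_bert-decrypt.txt",
    "/vmfs/volumes/datastore1/db01/db01.vmdk",
]

def find_vm_kill_commands(log_text: str) -> list[str]:
    """Return shell.log lines that record a forced VM termination via esxcli."""
    return [line for line in log_text.splitlines() if KILL_CMD_RE.search(line)]

def find_encryption_artifacts(paths: list[str]) -> dict[str, list[str]]:
    """Split paths into encrypted files and ransom notes using the article's names."""
    hits = {"encrypted": [], "ransom_notes": []}
    for p in paths:
        name = PurePosixPath(p).name
        if name == RANSOM_NOTE:
            hits["ransom_notes"].append(p)
        elif name.endswith(ENCRYPTED_EXT):
            hits["encrypted"].append(p)
    return hits

def triage(log_text: str, paths: list[str]) -> dict:
    """Combine both checks: a burst of VM kills plus artifacts matches the described pattern."""
    kills = find_vm_kill_commands(log_text)
    artifacts = find_encryption_artifacts(paths)
    return {
        "vm_kill_count": len(kills),
        "encrypted_count": len(artifacts["encrypted"]),
        "ransom_note_count": len(artifacts["ransom_notes"]),
        "suspected_bert_pattern": bool(kills) and bool(artifacts["encrypted"] or artifacts["ransom_notes"]),
    }
```

In a real deployment, the log text would come from the host's shell.log and the path list from a datastore walk, with any hit raising an alert rather than being returned.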
Its configuration, embedded as a JSON object within the binary, allows flexibility and rapid redeployment in future campaigns, a hallmark of modern ransomware design.
Security experts urge organizations to adopt layered defenses against threats like BERT.
Recommendations include restricting administrative access, segmenting and hardening ESXi hypervisors, monitoring for unauthorized PowerShell and script execution, and maintaining offline, immutable backups.
The continued success of BERT highlights that even simple tools can be highly effective in the hands of determined attackers, making vigilance and robust incident response plans critical for modern enterprises.
As BERT continues to refine its tactics, its ability to disrupt virtualized environments by targeting ESXi hosts stands as a stern warning for organizations everywhere: virtualization is not a silver bullet, and securing it is critical in the age of ransomware.
| SHA256 | Detection | Description |
|---|---|---|
| 1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326 | PUA.Win32.DefenderControl.B | Tool used to disable antivirus protection |
| 70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4 | PUA.Win64.ProcHack.B | Process Hacker binary used for process manipulation |
| 75fa5b506d095015046248cf6d2ec1c48111931b4584a040ceca57447e9b9d71 | Ransom.MSIL.TREB.YPFDUT | BERT ransomware (Windows binary, new variant) |
| 8478d5f5a33850457abc89a99718fc871b80a8fb0f5b509ac1102f441189a311 | Ransom.MSIL.TREB.SMYPFDUT | BERT ransomware (Windows binary) |
| b2f601ca68551c0669631fd5427e6992926ce164f8b3a25ae969c7f6c6ce8e4f | Trojan.PS1.POWLOAD.THEBIBE | PowerShell script that downloads and executes BERT ransomware |