BERT Ransomware Escalates Attacks on Linux Machines with Weaponized ELF Files | #ransomware | #cybercrime


The BERT ransomware group, first detected in April 2025 but active since mid-March, has expanded its reach from targeting Windows environments to launching sophisticated attacks on Linux machines as of May 2025.

Initially spotted through phishing campaigns, BERT has evolved into a formidable adversary by deploying weaponized ELF (Executable and Linkable Format) files tailored for Linux systems.

This shift signals a deliberate move to operate across both operating systems, and it raises the stakes for enterprises that run Linux for critical infrastructure and have historically treated ransomware as a Windows-only problem.


Windows to Linux

Technical analysis of BERT's Linux variant reportedly shows roughly 80% code-base overlap with the Sodinokibi (REvil) ransomware, suggesting the group built on a proven framework rather than writing the Linux locker from scratch.

The Linux samples employ a mix of encryption algorithms including AES, RC4 PRGA, Salsa20, and ChaCha, with data further obfuscated using Base64 encoding.

Additionally, the awk utility is invoked to parse system information; the source describes this as querying "system registries", although Linux has no registry in the Windows sense, so the most plausible reading is that awk is used to extract values from configuration files and command output.

In contrast, BERT's Windows variant is a .NET build that, according to the report, encrypts files with RSA through the Windows cryptographic API and appends extensions such as "encryptedbybert" and "encrypted_bert."

The ransomware leaves behind a concise ransom note named “note.txt,” a departure from the generic naming conventions seen in other strains.

[Image: BERT ransomware "Contact us" page]

Advanced Encryption Tactics

According to The Raven File Report, the group's initial access chain begins with a weaponized PowerShell script hosted at http://185.100.157.74/start.ps1.

This script disables Windows Defender, Real-Time Protection, and User Account Control (UAC) by rewriting the corresponding registry values, then downloads the payload (payload.exe) from the same server, which geolocates to Sweden but is registered to a Russian firm, Edinaya Set Limited.

This infrastructure choice highlights BERT’s tactic of blending malicious traffic within regions known for lax cyber enforcement.

BERT’s dark web presence is facilitated through dedicated onion domains for data leaks and victim communication, with ransom demands typically made in Bitcoin (BTC), as evidenced by a negotiation sample requesting 1.5 BTC.

[Image: BERT ransom demand from a negotiation sample]

Victim data is leaked in zipped archives labeled sequentially as “part1,” “part2,” and so on, hosted on servers running Apache/2.4.52 (Ubuntu).

Geographically, the United States leads as the primary target, followed by the UK, Malaysia, Taiwan, Colombia, and Turkey, with the service and manufacturing sectors bearing the brunt of attacks.

Sample analysis of BERT's malware, covering six Windows EXE files and two Linux ELF files, found deliberate timestamp manipulation in most of them, with compile dates set to the future (2047 or 2076), most likely to frustrate timeline reconstruction and timestamp-based triage.

One sample, however, bears a legitimate timestamp of May 20, 2025, aligning with the group’s intensified activity.

File names such as “newcryptor.exe” and “bert11” are prevalent, indicating a consistent branding of their malicious toolkit.
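When triaging Windows samples like these, a practitioner should read the compile timestamp from the PE header itself rather than trusting file-system dates, since the IMAGE_FILE_HEADER.TimeDateStamp field is exactly what gets rewritten to produce "compiled in 2047" artefacts. The following is an added example and not code from the article or from BERT's toolkit: it parses that field from a PE image and flags future dates. The PE stubs, sample names and the reference date are all constructed here for demonstration; they are not the actual BERT files.

```python
"""Flag PE files whose IMAGE_FILE_HEADER.TimeDateStamp lies in the future.

Added example for the article above. The samples are constructed in memory
(minimal DOS header + PE signature + file header) so the script runs offline;
they are not loadable executables and are not real BERT artefacts.
"""
import struct
from datetime import datetime, timedelta, timezone

MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"

# Assumed reference time for the demo (constructed, roughly when the report
# describes BERT's activity). Use datetime.now(timezone.utc) in real triage.
NOW = datetime(2025, 7, 1, tzinfo=timezone.utc)


def pe_timestamp(data: bytes) -> datetime:
    """Return IMAGE_FILE_HEADER.TimeDateStamp of a PE image as a UTC datetime."""
    if data[:2] != MZ_MAGIC:
        raise ValueError("not an MZ executable")
    # e_lfanew at DOS-header offset 0x3C holds the file offset of "PE\0\0".
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")
    # IMAGE_FILE_HEADER follows the 4-byte signature:
    #   WORD Machine, WORD NumberOfSections, DWORD TimeDateStamp, ...
    # so the timestamp sits 8 bytes past the signature (unsigned seconds since epoch).
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def is_future_timestamp(data: bytes, now: datetime = NOW, slack: timedelta = timedelta(days=1)) -> bool:
    """True when the compile timestamp is later than 'now' plus a clock-skew allowance."""
    return pe_timestamp(data) > now + slack


def build_fake_pe(timestamp: int) -> bytes:
    """Construct a minimal PE header carrying the given TimeDateStamp (demo only)."""
    dos = bytearray(0x40)
    dos[:2] = MZ_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    file_header = struct.pack(
        "<HHIIIHH",
        0x8664,     # Machine: AMD64
        1,          # NumberOfSections
        timestamp,  # TimeDateStamp (the field attackers rewrite)
        0, 0,       # PointerToSymbolTable, NumberOfSymbols
        0xF0,       # SizeOfOptionalHeader (PE32+)
        0x0022,     # Characteristics: EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    )
    return bytes(dos) + PE_SIGNATURE + file_header


def _epoch(year: int, month: int, day: int) -> int:
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())


# Constructed samples mirroring the dates the report mentions; the mapping of
# names to dates is invented for the demo and is not from the article.
SAMPLES = {
    "sample_a.exe": build_fake_pe(_epoch(2047, 1, 1)),
    "sample_b.exe": build_fake_pe(_epoch(2076, 1, 1)),
    "sample_c.exe": build_fake_pe(_epoch(2025, 5, 20)),
}


def triage(samples=SAMPLES, now: datetime = NOW) -> dict:
    """Map each sample name to (compile year, flagged_as_future)."""
    result = {}
    for name, blob in samples.items():
        ts = pe_timestamp(blob)
        result[name] = (ts.year, is_future_timestamp(blob, now))
    return result


if __name__ == "__main__":
    for name, (year, flagged) in triage().items():
        print(f"{name}: compiled {year} {'FUTURE - likely forged' if flagged else 'plausible'}")
```

Note that the field is an unsigned 32-bit value, so dates up to 2106 are representable; a 2076 stamp is therefore a valid, if absurd, encoding rather than a parser glitch. A real triage pass would also compare the stamp against the debug directory and any Authenticode signing time, which the forger often forgets to align.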

As BERT continues to refine its cross-platform attack strategy, leveraging both self-coded Windows executables and REvil-derived Linux payloads, cybersecurity teams must prioritize multi-layered defenses and robust monitoring to mitigate this evolving threat.

The group’s ability to adapt and weaponize diverse environments signals a pressing need for heightened vigilance across industries.
