bert

Also known as: bert

BERT ransomware (also tracked as Water Pombero) first emerged in April 2025, rapidly targeting both Windows and Linux systems across Asia, Europe, and the U.S., with confirmed victims in healthcare, technology, electronics, and event services sectors. Its Windows variant employs a PowerShell-based loader that escalates privileges, disables Defender, UAC, and the firewall, then downloads the ransomware payload. The Linux version aggressively encrypts with up to 50 concurrent threads, forcibly shuts down VMware ESXi VMs to prevent recovery, and appends extensions like .encryptedbybert or .encrypted_by_bert. BERT uses AES encryption, and later variants feature optimized multithreading via ConcurrentQueue and DiskWorker threads. Analysts note code similarities with REvil and Babuk ESXi lockers, potentially pointing to shared development lineage or code reuse.

Introduction

BERT ransomware (also tracked as Water Pombero) first emerged in April 2025, rapidly targeting both Windows and Linux systems across Asia, Europe, and the U.S., with confirmed victims in healthcare, technology, electronics, and event services sectors. Its Windows variant employs a PowerShell-based loader that escalates privileges, disables Defender, UAC, and the firewall, then downloads the ransomware payload. The Linux version aggressively encrypts with up to 50 concurrent threads, forcibly shuts down VMware ESXi VMs to prevent recovery, and appends extensions like .encryptedbybert or .encrypted_by_bert. BERT uses AES encryption, and later variants feature optimized multithreading via ConcurrentQueue and DiskWorker threads. Analysts note code similarities with REvil and Babuk ESXi lockers, potentially pointing to shared development lineage or code reuse.

Activities and Tactics

Information pending cataloguing.

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

  • PowerDuke:
  • POWERSTATS:
  • Power Loader:
  • POWERSOURCE:
  • Windows Remote Desktop:
  • Revenge-RAT:
  • PowerRAT:
  • CrossRat:

Attribution and Evidence

Information pending cataloguing.

References

References pending cataloguing.