New Bert Ransomware Group Strikes Globally with Multiple Variants

by CybrGPT

The recently emerged Bert ransomware group is actively targeting organizations in the US, Asia and Europe using multiple variants and rapidly evolving tactics to evade detection, research from Trend Micro has found.

Bert has been observed targeting organizations since April 2025, with confirmed victims in sectors including healthcare, technology and event services.

The group downloads and executes ransomware from a remote IP address associated with ASN 39134, which is registered in Russia.

“While this alone does not establish attribution, the use of Russian infrastructure may indicate a potential connection to threat actors operating in or associated with the region,” the researchers commented.

Bert, tracked by Trend Micro as Water Pombero, has also targeted both Windows and Linux platforms using different ransomware variants.

The repurposing of familiar tools and code while continuously refining tactics, techniques and procedures is part of a broader trend seen in new ransomware groups.

“As the Bert ransomware group demonstrates, simple tools can lead to successful infections. This highlights how emerging groups do not need complex techniques to be effective: just a reliable path to their goal, from intrusion, exfiltration and ultimately leverage over victims,” they wrote.

An exact initial access method used by the group has not yet been determined.

Bert Ransomware Variants Evolve

The Trend Micro report, published on July 7, noted that Bert has already improved and streamlined its ransomware variants in the short time it has been operating.

An analysis of an infection of a Windows system found that the variant used a straightforward code structure, with specific strings to match and terminate certain processes.

Files were encrypted using the standard AES algorithm. The public key, file extension, and ransom note were easily accessible.

Further investigations into the group identified additional Windows variants uploaded in the wild. These samples were older Bert ransomware versions, lacking the updated encryption methods and function sequences seen in newer versions.

One of the key evolutions observed between the older and newer versions relates to the encryption process. The older version first enumerates the drive and drops its ransom note in every directory before collecting the valid file paths to be encrypted and saving them in an array.

Only after this collection phase does it proceed with multi-threaded encryption.

The newer variants streamline the multi-threaded encryption process by using the ConcurrentQueue data structure and creating a DiskWorker that processes each drive.

This enables the ransomware to begin encrypting files as soon as they are discovered, rather than first storing the file paths in an array before encryption.

In May, the researchers identified a Linux ransomware sample attributed to Bert. This variant used 50 threads to maximize encryption speed, enabling it to quickly encrypt files across the system and minimize the chances of detection or interruption.

It used a command that forced the termination of all running virtual machine processes on the ESXi host.

After encryption, the variant added the extension .encrypted_by_bert and dropped the ransom note encrypted_by_bert-decrypt.txt.

“This version uses a JSON-formatted configuration embedded in the binary—a typical trait of most modern ransomware, as it allows for better adaptability and easier customization across different campaigns,” Trend Micro wrote.

The researchers added that the version may be derived from the Linux version of the REvil group, which was originally identified in early 2021 and known for targeting ESXi servers and Linux.

PowerShell Abuse

Another feature of the Bert group’s operations is the frequent use of PowerShell, a legitimate Windows administration and developer tool, for privilege escalation, defense evasion and loading the ransomware.


For example, a PowerShell script was used to launch a process with elevated (administrator) privileges by passing the -Verb RunAs parameter to Start-Process. This parameter explicitly tells Windows to run the executable as an administrator; it is useful to an attacker who already has some level of access and wants to elevate to full administrator rights.

PowerShell was also observed disabling domain, public and private firewall profiles using the command Set-NetFirewallProfile.

PowerShell has been increasingly used by threat actors for various post-compromise activities in recent years, including to evade detection and to download additional malware.

“Organizations should closely monitor PowerShell abuse and unauthorized script execution, particularly loaders like start.ps1 that disable security tools and escalate privileges,” the researchers commented.
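As a defender-side illustration of the monitoring the researchers recommend, the following PowerShell script is an added example (it is not code from Trend Micro’s report or from the Bert samples). It scans PowerShell script block log events (Event ID 4104) for the two behaviours described above, elevation through Start-Process -Verb RunAs and firewall profiles disabled through Set-NetFirewallProfile, checks the live firewall state, and re-enables any profile that has been turned off. The pattern names, the function names and the sample script block are constructed for this example; the cmdlets are standard ones from Windows PowerShell and the NetSecurity module, and the event sweep assumes script block logging has been enabled.

```powershell
# Added example (not from the page's source report): triage script for PowerShell abuse.
# Assumes script block logging (Event ID 4104) is enabled and that the NetSecurity module is present.

# Indicators derived from the behaviours described in the article.
$SuspiciousPatterns = @(
    @{ Name = 'Elevation via RunAs';       Regex = 'Start-Process\b[^\r\n]*-Verb\s+RunAs' }
    @{ Name = 'Firewall profile disabled'; Regex = 'Set-NetFirewallProfile\b[^\r\n]*-Enabled\s+(\$false|False|0)' }
    @{ Name = 'Loader named start.ps1';    Regex = '\bstart\.ps1\b' }
)

# Match one block of script text against every indicator and emit a finding per hit.
function Find-SuspiciousScriptBlock {
    param(
        [Parameter(Mandatory)][string]$ScriptText,
        [string]$Source = 'unknown'
    )
    foreach ($p in $SuspiciousPatterns) {
        if ($ScriptText -match $p.Regex) {
            [pscustomobject]@{ Source = $Source; Indicator = $p.Name; Match = $Matches[0] }
        }
    }
}

# Sweep the PowerShell operational log for script blocks recorded in the last N hours.
function Get-SuspiciousScriptBlockEvents {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # The 4104 message body carries the logged script block text.
        Find-SuspiciousScriptBlock -ScriptText $_.Message -Source ("EventRecordId {0}" -f $_.RecordId)
    }
}

# Check the live firewall state and restore any profile that has been disabled.
# Returns the number of profiles that had to be re-enabled.
function Repair-FirewallProfiles {
    $disabled = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'False' })
    foreach ($profile in $disabled) {
        Write-Warning "Firewall profile '$($profile.Name)' is disabled; re-enabling."
        Set-NetFirewallProfile -Name $profile.Name -Enabled True
    }
    return $disabled.Count
}

# Constructed sample: what a malicious loader's logged script block could look like.
$SampleScriptBlock = @'
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
Start-Process -FilePath "C:\Users\Public\payload.exe" -Verb RunAs
'@

# Offline check against the constructed sample (expect two findings).
Find-SuspiciousScriptBlock -ScriptText $SampleScriptBlock -Source 'constructed-sample' | Format-Table -AutoSize

# Live checks only make sense on a Windows host.
if (-not $IsLinux -and -not $IsMacOS) {
    Get-SuspiciousScriptBlockEvents | Format-Table -AutoSize
    Repair-FirewallProfiles | Out-Null
}
```

Running the script on an endpoint prints any matching script blocks with the event record that produced them, so the finding can be pivoted to the Path and ScriptBlock ID fields of the same event; forwarding Event ID 4104 to a SIEM and applying the same regular expressions there scales the check across the fleet.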


© 2025 cybrgpt.com – All rights reserved.