A new cross-platform ransomware strain, known as BERT, has emerged, posing a significant threat to organizations running VMware ESXi environments. This article explores how BERT ransomware operates, its unique features, and how businesses can defend against it.
What is BERT Ransomware?
First identified in April 2025, BERT ransomware targets Windows, Linux, and ESXi systems. Its primary focus on ESXi virtual machines has raised alarms in the cybersecurity community, as these environments often host critical enterprise applications.
How BERT Ransomware Attacks ESXi
Shutdown of Virtual Machines
BERT executes commands such as esxcli vm process kill to forcibly shut down virtual machines, disrupting business operations and corrupting snapshot backups.
Accelerated Encryption
On Linux and ESXi systems, BERT uses up to 50 threads to quickly encrypt disk images, including .vmdk, .vmem, and .vmsd files.
Destruction of Backups
The ransomware deletes snapshots and logs to hinder recovery efforts, increasing the likelihood of ransom payment.
Technical Details and Origins
Code Similarities
BERT shares code with previous ransomware families like REvil and Babuk, suggesting it is built on repurposed frameworks.
Windows Variant
The Windows version uses PowerShell to disable security features and deploy the ransomware payload via remote servers.
Industries Targeted
BERT has already targeted organizations in sectors including healthcare, technology, and event services. These are all industries heavily reliant on virtual infrastructure.
Indicators of Compromise (IOCs)
- Known malware hashes and command-and-control (C2) IP addresses.
- Unusual ESXi activity, such as mass VM shutdowns or snapshot deletions.
- Disabling of antivirus and endpoint detection tools.
Defense Strategies
To protect against BERT ransomware, organizations should:
- Patch Systems: Apply all critical updates to ESXi, vCenter, and related systems.
- Restrict Access: Enforce multi-factor authentication, limit administrative privileges, and disable unnecessary remote access.
- Secure Backups: Implement immutable, offline backups to ensure recovery even if primary systems are compromised.
- Monitor Systems: Use SIEM and EDR solutions to detect unusual activities, such as mass VM shutdowns or snapshot deletions.
- Conduct Drills: Regularly test incident response and disaster recovery plans.
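The two behaviours the article flags in its IOC list and its "Monitor Systems" advice, mass VM shutdowns and snapshot or log deletions, are easy to turn into a concrete detection. The following Python script is an added illustration, not code from the original article or from any vendor: it scans constructed ESXi shell-log lines for bursts of esxcli vm process kill and for snapshot or log deletion commands, and emits alerts. The log line layout, the command spellings other than the esxcli kill the article names (vim-cmd vmsvc/snapshot.removeall, rm on /var/log), the burst threshold and window, and every timestamp and world ID in the sample are assumptions constructed for the example; check the regexes against your own host's shell.log before wiring this into a SIEM.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines approximating ESXi /var/log/shell.log entries.
# The layout "timestamp shell[pid]: [user]: command" is an assumption for this
# example; confirm it against a real host before relying on the regex.
SAMPLE_LOG = """\
2025-04-10T09:15:02Z shell[2001]: [admin]: esxcli vm process list
2025-04-10T09:15:40Z shell[2001]: [admin]: vim-cmd vmsvc/getallvms
2025-04-10T13:02:10Z shell[2090]: [root]: esxcli vm process kill --type=force --world-id=2100
2025-04-10T13:02:11Z shell[2090]: [root]: esxcli vm process kill --type=force --world-id=2101
2025-04-10T13:02:11Z shell[2090]: [root]: esxcli vm process kill --type=force --world-id=2102
2025-04-10T13:02:13Z shell[2090]: [root]: esxcli vm process kill --type=force --world-id=2103
2025-04-10T13:02:14Z shell[2090]: [root]: esxcli vm process kill --type=force --world-id=2104
2025-04-10T13:02:20Z shell[2090]: [root]: vim-cmd vmsvc/snapshot.removeall 12
2025-04-10T13:02:22Z shell[2090]: [root]: vim-cmd vmsvc/snapshot.removeall 13
2025-04-10T13:02:25Z shell[2090]: [root]: rm -f /var/log/hostd.log
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) shell\[\d+\]: "
    r"\[(?P<user>[^\]]+)\]: (?P<cmd>.*)$"
)

# Behaviours the article lists as IOCs: forced VM shutdown, snapshot deletion,
# log deletion. Command spellings beyond "esxcli vm process kill" are assumptions.
PATTERNS = {
    "vm_kill": re.compile(r"\besxcli\s+vm\s+process\s+kill\b"),
    "snapshot_delete": re.compile(r"\bvim-cmd\s+vmsvc/snapshot\.remove(all)?\b"),
    "log_delete": re.compile(r"\brm\b.*\s/var/log/"),
}


def parse_shell_log(text):
    """Return the suspicious events (ts, user, kind, cmd) found in shell-log text."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        for kind, pat in PATTERNS.items():
            if pat.search(m["cmd"]):
                events.append({"ts": ts, "user": m["user"], "kind": kind, "cmd": m["cmd"]})
                break
    return events


def detect_alerts(events, kill_threshold=3, window_seconds=60):
    """One alert for a burst of VM kills, plus one per snapshot or log deletion."""
    alerts = []
    kills = sorted((e for e in events if e["kind"] == "vm_kill"), key=lambda e: e["ts"])
    window = timedelta(seconds=window_seconds)
    start = 0
    burst_reported = False
    for end in range(len(kills)):
        # slide the window start forward until every kill in it is within window_seconds
        while kills[end]["ts"] - kills[start]["ts"] > window:
            start += 1
        if end - start + 1 >= kill_threshold and not burst_reported:
            alerts.append({
                "kind": "mass_vm_shutdown",
                "severity": "high",
                "detail": (f"{end - start + 1} forced VM kills within {window_seconds}s "
                           f"by {kills[end]['user']} starting {kills[start]['ts'].isoformat()}"),
            })
            burst_reported = True
    for e in events:
        if e["kind"] in ("snapshot_delete", "log_delete"):
            alerts.append({"kind": e["kind"], "severity": "high",
                           "detail": f"{e['user']} ran: {e['cmd']}"})
    return alerts


if __name__ == "__main__":
    for alert in detect_alerts(parse_shell_log(SAMPLE_LOG)):
        print(f"[{alert['severity'].upper()}] {alert['kind']}: {alert['detail']}")
```

Run against the constructed sample, the script reports one mass-shutdown burst (five forced kills inside a minute), two snapshot deletions and one log deletion, while the benign morning commands produce nothing. A single forced kill is a routine admin action, which is why the burst rule needs a threshold and a window; the deletion rules fire on a single occurrence because, as the article notes, destroying snapshots and logs is what hinders recovery.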
Final Thoughts
BERT ransomware represents a dangerous evolution in cyber threats by directly targeting the heart of enterprise IT: virtual environments. With proactive defenses and vigilant monitoring, organizations can reduce their exposure to this emerging menace.
Stay informed and prepared, because in cybersecurity, awareness is your first line of defense.