BERT Ransomware's First Moves: Kill the VMs, Kill the Backups


The BERT ransomware group, first identified in April 2025, is an aggressive threat actor targeting hybrid IT environments across Asia, Europe, and the U.S., with confirmed victims in healthcare, technology, and event services.
What sets BERT apart, Cybersecurity News reports, is its deep technical understanding of virtualized infrastructure, particularly VMware ESXi.
The Linux variant of BERT can enumerate and forcibly shut down every running virtual machine on an ESXi host using the hypervisor's native management commands. Powering off the guests first serves two purposes: it releases the locks ESXi holds on a running VM's disk files, so the encryptor can overwrite them, and it denies defenders any window to snapshot, back up, or migrate workloads before the data is locked. The result is maximum disruption from the first minute of the attack.
BERT's Linux implementation is multithreaded, running up to 50 concurrent threads to speed up encryption across large environments. It reads its settings from a JSON configuration embedded directly in the binary, and it uses a ConcurrentQueue so that files are handed to encryption workers as soon as they are discovered rather than after a full enumeration pass. Each detected volume gets its own DiskWorker thread, so encryption starts on the first volume found instead of waiting for discovery to finish.
The Windows version is delivered by a PowerShell loader (start.ps1) that first escalates privileges and then disables core defenses: Windows Defender, firewall policies, and User Account Control.
It downloads the main payload from infrastructure hosted in Russia, terminates high-value services such as MSSQL, Apache, and VMware components so that their files are no longer locked, and then runs AES-based file encryption. Encrypted files are renamed with the extension ".encryptedbybert" on Windows and ".encrypted_by_bert" on Linux and ESXi.
Researchers have found Russian-language comments in the code and links to the leaked REvil Linux source, suggesting the group repurposed and upgraded an existing ransomware framework rather than writing its own. The ESXi shutdown capability and rapid multithreaded encryption mark a tactical evolution aimed squarely at virtualization-heavy enterprises.
Takeaway: BERT isn't just a new name; it's a wake-up call. These attackers are investing in better tooling, faster execution, and deeper disruption, and BERT is a prime example of ransomware operators evolving with purpose. These aren't smash-and-grab operations anymore; this is targeted sabotage engineered for maximum disruption.
BERT’s ability to forcibly shut down ESXi virtual machines before encryption starts is a tactical gut punch. It doesn’t just lock up your data. It neutralizes your ability to respond. No quick VM snapshots. No instant failover. No restoring from live backups. The first move is to kill everything, and that means the clock starts ticking with zero options on the table.
The Linux variant is built for speed and scale: up to 50 concurrent threads, a built-in JSON config, and a queuing architecture that lets it start encrypting files the moment they are discovered. It is efficient, streamlined, and clearly built by operators who understand enterprise environments.
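The mass power-off is also the attacker's most visible move: a host that powers off one VM during a maintenance window looks nothing like a host that powers off every guest within seconds. The following is an added example, not code from this page or from any published BERT analysis, that flags bursts of VM power-off tasks in an ESXi hostd.log excerpt. The log lines are constructed and only loosely modeled on hostd task entries; the layout the regex keys on (a "haTask-<vmid>-vim.VirtualMachine.powerOff-<taskid>" token) is an assumption to check against your own hosts, and the window and threshold values are placeholders to tune.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample excerpt (assumed layout, loosely imitating hostd.log task
# entries): one power-off/power-on pair during a maintenance window, then six
# guests powered off within about three seconds, the pre-encryption pattern
# described in the text. A non-task line is included to show it is ignored.
SAMPLE_HOSTD_LOG = """\
2025-04-02T10:00:12.101Z info hostd[2099567] [Originator@6876 sub=Vimsvc.TaskManager] Task Created : haTask-100-vim.VirtualMachine.powerOff-541 user=root
2025-04-02T10:31:40.550Z info hostd[2099567] [Originator@6876 sub=Vimsvc.TaskManager] Task Created : haTask-100-vim.VirtualMachine.powerOn-542 user=root
2025-04-02T11:02:03.004Z info hostd[2099567] [Originator@6876 sub=Vimsvc.TaskManager] Task Created : haTask-112-vim.VirtualMachine.powerOff-543 user=root
2025-04-02T11:02:03.221Z info hostd[2099567] [Originator@6876 sub=Vimsvc.TaskManager] Task Created : haTask-113-vim.VirtualMachine.powerOff-544 user=root
2025-04-02T11:02:03.498Z info hostd[2099567] [Originator@6876 sub=Vimsvc.TaskManager] Task Created : haTask-114-vim.VirtualMachine.powerOff-545 user=root
2025-04-02T11:02:04.010Z info hostd[2099567] [Originator@6876 sub=Hostsvc] Heartbeat ok
2025-04-02T11:02:04.877Z info hostd[2099567] [Originator@6876 sub=Vimsvc.TaskManager] Task Created : haTask-115-vim.VirtualMachine.powerOff-546 user=root
2025-04-02T11:02:05.302Z info hostd[2099567] [Originator@6876 sub=Vimsvc.TaskManager] Task Created : haTask-116-vim.VirtualMachine.powerOff-547 user=root
2025-04-02T11:02:06.120Z info hostd[2099567] [Originator@6876 sub=Vimsvc.TaskManager] Task Created : haTask-117-vim.VirtualMachine.powerOff-548 user=root
"""

# Timestamp, VM id and operation are the only fields the detector needs.
TASK_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+)Z .*"
    r"haTask-(?P<vmid>\d+)-vim\.VirtualMachine\.(?P<op>powerOff|powerOn)-\d+"
)


def parse_power_tasks(log_text):
    """Return (timestamp, op, vmid) for every VM power task line; skip the rest."""
    tasks = []
    for line in log_text.splitlines():
        m = TASK_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f")
            tasks.append((ts, m["op"], int(m["vmid"])))
    return tasks


def find_poweroff_bursts(tasks, window_seconds=60, threshold=5):
    """Sliding-window burst detector over powerOff tasks.

    Returns a list of {"start", "end", "vms"} dicts, one per burst in which at
    least `threshold` distinct VMs were powered off within `window_seconds`.
    Overlapping windows are merged into a single burst so one attack yields one
    alert rather than one alert per additional VM.
    """
    offs = sorted((ts, vm) for ts, op, vm in tasks if op == "powerOff")
    window = deque()
    bursts = []
    for ts, vm in offs:
        window.append((ts, vm))
        # Drop events that fell out of the window relative to the newest event.
        while ts - window[0][0] > timedelta(seconds=window_seconds):
            window.popleft()
        vms = {v for _, v in window}
        if len(vms) < threshold:
            continue
        start = window[0][0]
        if bursts and start <= bursts[-1]["end"]:
            bursts[-1]["end"] = ts
            bursts[-1]["vms"] |= vms
        else:
            bursts.append({"start": start, "end": ts, "vms": set(vms)})
    return bursts


def describe(burst):
    span = (burst["end"] - burst["start"]).total_seconds()
    return (f"ALERT: {len(burst['vms'])} VMs powered off in {span:.1f}s "
            f"starting {burst['start'].isoformat()} (vmids {sorted(burst['vms'])})")


if __name__ == "__main__":
    for b in find_poweroff_bursts(parse_power_tasks(SAMPLE_HOSTD_LOG)):
        print(describe(b))
```

The single maintenance power-off at 10:00 never reaches the threshold and is not reported; the six power-offs at 11:02 collapse into one alert. On a live host the same parser can be pointed at /var/log/hostd.log, and it is worth pairing it with a rule on /var/log/shell.log for any interactive use of the VM power-off and process-kill commands, since the attacker is driving the hypervisor's own tooling.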
On the Windows side, the attack starts with a PowerShell loader that disables critical defenses (Windows Defender, the firewall, and UAC), then downloads the payload from Russian-hosted infrastructure. It terminates core services such as MSSQL, Apache, and VMware components to maximize the blast radius.
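That loader sequence (Defender off, firewall off, UAC off, then services stopped ahead of encryption) is loud if PowerShell script block logging (Event ID 4104) is turned on. The following is an added example, not code from this page or from any analysis of start.ps1, that classifies a logged script block by the defense-evasion and service-termination categories it hits and alerts only when several co-occur, which separates a loader from a one-off administrative change. The three script texts are constructed stand-ins (a loader-like script, a routine service restart, and a temporary Defender exclusion during an install); they are not BERT's actual commands, and the pattern table is illustrative rather than exhaustive.

```python
import re

# Illustrative patterns for the kinds of commands that produce each behaviour
# described in the text. Case-insensitive; extend for your own environment.
TAMPER_PATTERNS = {
    "defender_disabled": [
        r"Set-MpPreference\b.*-Disable\w+\s+\$?true",
        r"Set-MpPreference\b.*-Disable\w+\s+1\b",
        r"sc(\.exe)?\s+(stop|config)\s+WinDefend",
    ],
    "firewall_disabled": [
        r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off",
        r"Set-NetFirewallProfile\b.*-Enabled\s+False",
    ],
    "uac_disabled": [
        r"EnableLUA\b.*?(/d\s+0|-Value\s+0)\b",
    ],
    "service_kill": [
        r"(Stop-Service|net\s+stop|sc(\.exe)?\s+stop|taskkill)\b.*?(MSSQL|apache|httpd|vmware)",
    ],
}
COMPILED = {cat: [re.compile(p, re.IGNORECASE) for p in pats]
            for cat, pats in TAMPER_PATTERNS.items()}
DEFENSE_EVASION = {"defender_disabled", "firewall_disabled", "uac_disabled"}

# Constructed sample script blocks (not the real loader).
LOADER_LIKE = r"""
Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true
netsh advfirewall set allprofiles state off
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
Stop-Service -Name MSSQLSERVER -Force
sc.exe stop Apache2.4
taskkill /F /IM vmware-vmx.exe
"""
MAINTENANCE = r"""
Stop-Service -Name MSSQLSERVER -Force
Start-Sleep -Seconds 5
Start-Service -Name MSSQLSERVER
"""
DEFENDER_ONLY = r"""
Set-MpPreference -DisableRealtimeMonitoring $true
msiexec /i C:\Temp\agent.msi /qn
Set-MpPreference -DisableRealtimeMonitoring $false
"""


def classify_script(script_text):
    """Return the set of tamper categories whose patterns match the script."""
    return {cat for cat, pats in COMPILED.items()
            if any(p.search(script_text) for p in pats)}


def loader_verdict(categories, min_evasion=2):
    """Alert when at least `min_evasion` defense-evasion categories appear
    together with service termination. A lone Defender toggle or a lone
    service restart is routine admin activity and does not trigger."""
    return (len(categories & DEFENSE_EVASION) >= min_evasion
            and "service_kill" in categories)


if __name__ == "__main__":
    for name, text in [("loader-like", LOADER_LIKE),
                       ("maintenance", MAINTENANCE),
                       ("install", DEFENDER_ONLY)]:
        cats = classify_script(text)
        print(f"{name:12s} {sorted(cats)} -> alert={loader_verdict(cats)}")
```

Run against 4104 events, this logic fires on the combination rather than on any single command, which keeps it quiet during patching while still catching a loader that has to tear down three defenses and stop the database before it can encrypt. Script block logging is only useful if the events leave the host before the loader runs, so forward them to a collector the endpoint cannot tamper with.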
The business impact is enormous. Virtualized environments are the backbone of modern operations. One compromised ESXi host can take out dozens of VMs supporting critical services like finance, logistics, HR, and customer-facing applications.
Recovery becomes a nightmare. Even if backups exist, they are often on the same infrastructure that was just shut down and encrypted. That’s downtime you can’t afford, reputational damage you can’t undo, and recovery costs that spiral out of control.
If your defenses aren't being engineered to match that level of aggression, with network segmentation, backups that are offline or immutable and unreachable from the hypervisor, and proactive detection of mass VM power-offs and security-tool tampering, you are not prepared. This is the new normal. Plan for it.