
BERT: Cross-Platform Ransomware Targeting Linux and ESXi Systems


Ransomware is nothing new to us as Linux admins and infosec folks—it’s pretty much part of the modern threat landscape now. But when I say "BERT ransomware," you may want to sit up and pay closer attention. Officially tracked as "Water Pombero" by Trend Micro, BERT isn’t just another ransomware strain making a splash. It’s a calculated, cross-platform threat that specifically homes in on both Windows and Linux systems. Oh, and for those of you running ESXi in your virtualized data centers? BERT has you in its crosshairs, too.

Here’s the thing: this group (active since April) isn’t just adapting toolkits from dismantled ransomware gangs like REvil and Babuk; it has also figured out how to tweak those methods for maximum disruption. The days of depending on obscurity to avoid trouble are long past—this one operates like it knows your playbook. Let’s break down why this matters, especially for us Linux folks, and what you can actually do about it.

BERT's Linux Playbook: Faster, Smarter, Meaner

So, what’s the deal with the Linux variant of BERT? The short version: it’s fast, versatile, and it’s bringing a serious problem to virtualized environments. The ransomware leverages multithreaded encryption—up to 50 threads—so it can scramble your data faster than you can react. It’s not subtle either. Files hit by the attack get slapped with the .encrypted_by_bert extension, and you’re left staring at a ransom note named encrypted_by_bert-decrypt.txt.

Here’s what makes it nasty in a Linux environment:

  • Targeting ESXi virtual machines: BERT doesn’t nibble around the edges—it goes straight for your critical resources. Once it’s on a system, it forcibly shuts down ESXi VMs to ensure maximum downtime. No running VMs means no quick recovery. For any of you who rely on ESXi to manage large-scale virtualized workloads, that's a nightmare scenario.
  • Threaded encryption: The operator can pass arguments like --threads when launching the ransomware. This is not some cobbled-together script. It’s modular and customizable, which makes it more effective and harder to predict.
  • Configuration baked in: Everything this ransomware needs (public key, ransom note encoding, and so on) is embedded directly in its binary as JSON-formatted configuration data. That means no fiddling around—it's just plug, play, and wreck your day.

And if the architecture feels familiar, it should. Trend Micro has noted code-level similarities to the dismantled REvil and Babuk ransomware gangs, which shows this isn’t built from scratch; instead, it’s a Frankenstein of prior frameworks. That alone should tell you this threat is purposeful, not opportunistic.

The Evolution of BERT (From Clunky to Streamlined)

One of the scariest parts about BERT is how quickly it’s evolving. If we look back at the earlier versions, they were straightforward but sort of limited. The first versions would collect file paths in arrays and then encrypt them sequentially. Not efficient, right?

The newer variants, however, lean on ConcurrentQueue logic and DiskWorkers for each drive. This lets it immediately begin encryption as it detects files. Nothing sits in a static queue—it’s just constant movement. This refinement isn’t just about speed; it’s about limiting your window to stop the process. And that makes it a whole different beast.

Who’s in the Firing Line?

If you’re thinking, This doesn’t affect my setup, maybe think again. Healthcare, tech companies, and event services seem to be the primary targets, but let's be real: if you’re running ESXi or Linux cloud servers, you’re in the territory that BERT is designed to exploit. Hospitals, for instance, often have older systems that virtually guarantee vulnerabilities. Tech outfits rely heavily on virtual machines (think CI/CD pipelines or cloud environments). And event services? Downtime kills them faster than poor ticket sales.

Here’s the kicker: BERT’s campaigns have shown up everywhere—Asia, Europe, the U.S. It’s indiscriminate.

How Can I Build My Defense Line?

So, how do we fight it? The bad news is there’s no magic button to protect yourself from ransomware. The good news? There’s still a lot you can do to reduce your risk and contain incidents if they happen.

Keep Systems Patched

Sure, this feels like an obvious one, but how many times have you glanced at a pending kernel or hypervisor update and said, I’ll handle that later? Don’t. Especially if you’re running VMware ESXi, keeping it patched should be non-negotiable.

Backups, Backups, Backups

Immutable backups (the kind ransomware can’t touch) are your best friend. Store them offline. Test your recovery workflow before you’re panicking and your phone’s ringing off the hook. A backup is useless if you find out too late that it’s incomplete or corrupted.

Control Access Like a Maniac

If your admins all have full access to everything, you’re just asking for trouble. Use role-based access control (RBAC) to enforce least privilege practices. And segment your network—your ESXi servers shouldn’t be sitting in the same environment as day-to-day user machines. Isolate critical stuff as much as you can.

Monitor Weird Activity

Use a SIEM solution to flag anything out of the ordinary—file encryption attempts, random PowerShell processes firing off, or unusual outbound traffic (like the IPs BERT’s been seen pinging). There’s no perfect detection, but proactivity is better than nothing.
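As an added example (not code from this article or from Trend Micro), here is a small POSIX shell script that turns the two indicators named earlier, the .encrypted_by_bert extension and the encrypted_by_bert-decrypt.txt note, into the kind of checks a SIEM or a cron job can run: a filesystem hunt for artifacts, and a burst detector that flags a process renaming many files to that extension in a short window, which is exactly the behaviour the multithreaded encryptor produces. The rename-event line layout and the sample events are constructed for the example and are not a real forwarder's format.

```shell
#!/bin/sh
# Added example, not from the article: two defender checks built on the BERT indicators the
# text names. Plain sh + awk so it runs on Linux hosts and in the ESXi shell alike.

EXT='encrypted_by_bert'                 # extension appended to encrypted files (from the text)
NOTE='encrypted_by_bert-decrypt.txt'    # ransom note file name (from the text)

# 1. Hunt: list files under ROOT that carry the extension or match the ransom-note name.
find_bert_artifacts() {
  root=$1
  find "$root" -type f \( -name "*.$EXT" -o -name "$NOTE" \) 2>/dev/null | sort
}

# 2. Burst detection: read rename events on stdin as
#      "<epoch> <pid> <comm> <old_path> <new_path>"
#    (an assumed layout for an inotify/auditd forwarder) and print "<pid> <comm>" once for
#    every pid that renames THRESHOLD or more files to the extension within WINDOW seconds.
burst_renamers() {
  threshold=$1; window=$2
  awk -v ext=".$EXT" -v t="$threshold" -v w="$window" '
    substr($5, length($5) - length(ext) + 1) == ext {
      pid = $2; ts = $1
      # open a fresh window for this pid if none is open or the open one has expired
      if (!(pid in start) || ts - start[pid] > w) { start[pid] = ts; n[pid] = 0 }
      n[pid]++
      if (n[pid] >= t && !(pid in flagged)) { flagged[pid] = 1; print pid, $3 }
    }'
}

# Constructed sample: pid 4242 renames five files in three seconds (a burst);
# pid 7 renames two files eight minutes apart (normal noise).
SAMPLE_EVENTS='1720000000 4242 bert /srv/data/a.txt /srv/data/a.txt.encrypted_by_bert
1720000001 4242 bert /srv/data/b.txt /srv/data/b.txt.encrypted_by_bert
1720000001 7 mv /tmp/x.txt /tmp/x.txt.encrypted_by_bert
1720000002 4242 bert /srv/data/c.txt /srv/data/c.txt.encrypted_by_bert
1720000002 4242 bert /srv/data/d.txt /srv/data/d.txt.encrypted_by_bert
1720000003 4242 bert /srv/data/e.txt /srv/data/e.txt.encrypted_by_bert
1720000500 7 mv /tmp/y.txt /tmp/y.txt.encrypted_by_bert'

# Usage:
#   printf '%s\n' "$SAMPLE_EVENTS" | burst_renamers 5 10    # prints "4242 bert"
#   find_bert_artifacts /srv                                  # lists artifacts under /srv
```

The threshold and window are tuning knobs: with 50 encryption threads a real burst is far denser than the sample, so a low threshold over a short window catches it early without firing on a single user renaming a file. Feed the same rename stream into your SIEM and alert on the pid, then kill it and isolate the host; the hunt function is for confirming scope afterwards.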

Lock Down Virtualization

If you’re running virtual machines, make sure you’ve tightened up the ESXi hosts:

  • Disable SSH access.
  • Configure ESXi-specific firewalls to block unnecessary traffic.
  • Keep an eye out for unexpected VM shutdowns—BERT loves to kill virtualized resources.
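The three bullets above as an added, runnable example (not code from the article or from VMware): esxcli and vim-cmd invocations for the ESXi shell that stop SSH, put the host firewall into default-deny with the management rulesets limited to one subnet, and a power-state snapshot plus diff that surfaces VMs which were powered off between two runs. MGMT_NET is an assumed management subnet, and the baseline/now snapshots at the bottom are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the article or VMware. Run the first two functions in the ESXi shell;
# the snapshot diff is plain awk and can run anywhere you collect the snapshots.
MGMT_NET="${MGMT_NET:-10.0.0.0/24}"   # assumption: the only network allowed to manage hosts

# 1. Stop the SSH service and close its firewall ruleset.
disable_esxi_ssh() {
  vim-cmd hostsvc/disable_ssh
  esxcli network firewall ruleset set --ruleset-id sshServer --enabled false
}

# 2. Host firewall on, default action deny, management rulesets reachable only from MGMT_NET.
restrict_esxi_firewall() {
  esxcli network firewall set --enabled true
  esxcli network firewall set --default-action false
  for rs in vSphereClient webAccess; do
    esxcli network firewall ruleset set --ruleset-id "$rs" --allowed-all false
    esxcli network firewall ruleset allowedip add --ruleset-id "$rs" --ip-address "$MGMT_NET"
  done
}

# 3a. Snapshot "<vmid> <state>" for every registered VM (getallvms prints a header line first;
#     power.getstate prints a status line followed by "Powered on"/"Powered off").
vm_power_states() {
  vim-cmd vmsvc/getallvms | awk 'NR > 1 && $1 ~ /^[0-9]+$/ { print $1 }' | while read -r id; do
    printf '%s %s\n' "$id" "$(vim-cmd vmsvc/power.getstate "$id" | tail -n 1)"
  done
}

# 3b. Compare two snapshots and print the ids that went from "Powered on" to "Powered off".
#     Keep a baseline from the last run; any id printed that you did not shut down is the alert.
unexpected_poweroffs() {
  { printf '%s\n' "$1"; echo '---'; printf '%s\n' "$2"; } | awk '
    $1 == "---" { phase = 2; next }
    phase != 2  { if ($2 == "Powered" && $3 == "on") on[$1] = 1; next }
    ($1 in on) && $2 == "Powered" && $3 == "off" { print $1 }'
}

# Constructed sample snapshots: VM 2 was on at baseline and is off now; VM 3 was already off.
BASELINE='1 Powered on
2 Powered on
3 Powered off'
NOW='1 Powered on
2 Powered off
3 Powered off'

# Usage on a host:   baseline=$(vm_power_states); sleep 60; unexpected_poweroffs "$baseline" "$(vm_power_states)"
# With the sample:   unexpected_poweroffs "$BASELINE" "$NOW"    # prints "2"
```

A VM that stops between two snapshots without a matching change ticket is worth a page at 3 a.m.: BERT shuts VMs down before encrypting their disks, so the power-off arrives before the damage. Keep the snapshot interval short and ship the output to the same SIEM that watches your Linux hosts.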

Train the Humans

I know, user training gets real old, real fast. But ransomware often gets in because someone clicked a bad link in an email or ran an attachment without thinking. The more suspicious your employees are of emails and weird files, the less likely this stuff is to land in your environment.

Our Final Thoughts: Keep an Eye On This One

Here’s the bottom line: BERT shows how ransomware is targeting Linux and ESXi environments more than ever. We can’t afford to treat ransomware as someone else’s problem, or as something mainly aimed at Windows. The inclusion of multithreaded encryption and the calculated focus on virtualized data centers are clear signals—this group is playing smart and aggressively.

Treat this as your heads-up to scrutinize your security stack, rethink your backups, and assume your systems will eventually be targeted. Whether you’re running Linux at scale in a sprawling enterprise or hosting services on an ESXi cluster, the same principles apply: strengthen everything. Because with adversaries like BERT, you don’t get time for hindsight.
