
BERT Ransomware Takes Aim at Linux Systems

You know how it goes—Linux admins have long prided themselves on running systems that ransomware gangs mostly ignored. Sure, the occasional attack would trickle through, but if you were managing Linux environments, you weren’t waking up every other day wondering if your servers had been locked down by some cryptoware. Well, that sense of security is eroding. The BERT ransomware group just changed the game, targeting Linux systems and proving that ransomware gangs have their sights set on servers—and not just the Windows ones. If you’re running Linux setups for web hosting, cloud platforms, or pretty much any enterprise infrastructure, you need to pay attention to what’s happening here.

Starting in May 2025, BERT ransomware shifted gears. Instead of hunting for Windows vulnerabilities alone, it rolled out a Linux variant to wreak havoc. This isn’t a minor redirection—it speaks volumes about where cybercriminals think they’ll get the biggest payouts. Linux machines power critical systems for logistics, healthcare, manufacturing… you name it. If the backbone of an enterprise starts buckling under encryption demands, you’re looking at widespread disruption, costly recovery efforts, and let’s not forget the humiliation of having your data auctioned off on the dark web.

How Does BERT Target Linux?

Let’s dig into BERT’s playbook, starting with its encryption methods. This Linux ransomware version doesn’t just lock up files; it smothers them with algorithms like AES, RC4 PRGA, Salsa20, and ChaCha. Base64 encoding sweeps in as an extra layer of obfuscation, making decryption even harder to pull off. If you feel like that’s overkill—well, that’s the point. BERT’s architects seem determined to make recovery a nightmare, likely to pressure victims into paying up.

Here’s another unsettling detail: analysts have found that BERT’s Linux variant shares about 80% of its code with Sodinokibi (also known as REvil), one of the nastiest ransomware strains to ever hit enterprise systems. Think of it as cybercriminals recycling some of the most effective tools from their arsenal. BERT isn’t reinventing ransomware—it’s building off processes that have worked in the past to deliver crippling attacks.

And while some might dismiss PowerShell as a Windows problem, don’t make the mistake of assuming Linux is immune from its methodologies. On its Windows side, BERT uses PowerShell scripts to mess with security controls—disabling Windows Defender or killing User Account Control (UAC). These sorts of privilege-escalating scripts could easily translate into Linux equivalents, targeting crucial services or allowing access to higher permissions. Linux admins can’t afford to write off the possibility of BERT adapting similar techniques tailored for Linux environments.

Time to Rethink Security—Because This Is Getting Real

If you’re managing Linux systems, you’re on the frontlines now. The move to targeting Linux isn’t just opportunistic; it’s strategic. The threat landscape evolved because attackers figured out where critical data lives: web servers, cloud infrastructure, databases, and containers… all running on Linux. This isn’t just ransomware squeezing small businesses for quick cash; this is ransomware going after enterprise-level targets with high-value infrastructure.

Here’s the kicker: many Linux setups fly under the radar when it comes to security. Admins often assume that Linux’s reputation for stability and security makes it inherently safer than Windows. Not anymore. BERT’s move highlights the risks of complacency, especially for sectors like healthcare and logistics, where uptime isn’t just important—it’s vital.

So, what are you supposed to do? Well, first off, you can’t rely on the old “firewall and occasional antivirus” model. BERT isn’t going to care about a weak defense. You need a proactive, multilayered strategy that addresses encryption attempts, privilege escalations, and phishing campaigns—the whole spectrum of attack vectors.

What BERT Ransomware Defense Strategies Actually Work?

Let’s talk action. What you should be doing, not just what sounds good on paper.

Patch Your Systems and Lock Down Access

If you’ve been putting off kernel updates or avoiding system patches, now’s the time to stop procrastinating. Keep everything up to date to limit vulnerabilities. Also, keep access tightly controlled. Root/admin accounts should be under strict watch—use randomized passwords and enable multi-factor authentication (MFA). Don’t treat permissions lightly; overprivileged accounts are a ransomware jackpot.

Oh, and if you haven’t disabled services you’re not using, do it. Running unnecessary daemons or services just opens up more doors for attackers.

Backups That Don’t Get Wrecked

Here’s the thing about backups: they’re only helpful if they actually work. Test them. Make sure your recovery process isn’t just theoretical. And, for goodness’ sake, keep them air-gapped or immutable. If BERT encrypts your backups, too, you’re toast.

Watch Your Network’s Traffic Like a Hawk

Set up intrusion detection systems (IDS) to spot weird traffic patterns or unusual activity. If your servers start connecting to shady IPs—like, say, 185.100.157.74, which is known to deliver BERT’s payload—block it immediately. Segment your network so a breach in one part doesn’t cascade across your entire infrastructure.

Keep an Eye on File Integrity

Attackers are going to target your files, obviously. Use tools that detect unauthorized modifications or sudden spikes in Base64 encoding. Real-time file integrity monitoring can help you spot anomalies before they spiral out of control.

Teach Your Team About Phishing Risks

No matter how solid your tech defenses are, no system is immune to human error. BERT loves phishing to get its foot in the door, so you need to educate staff on how to spot suspicious links and sketchy attachments. Even tech-savvy employees slip up occasionally, so this step is critical.

What Are Signs You Might Be Under Attack?

Detection isn’t perfect, but there are a few red flags admins should watch for. If you see cryptographic libraries like AES, Salsa20, or ChaCha in use, that’s trouble. The sudden appearance of unfamiliar ELF binaries (e.g., something like encrypted_bert.exe) or executables with funky timestamps? Red alert. And don’t ignore weird network traffic to external servers—you know, the kind tied to malicious activity. Better to investigate too early than too late.
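As an added example (not from this article and not derived from any BERT sample), here is a small Python file-integrity check that turns the indicators named above and in the file-integrity section into concrete findings: files that changed since a known-good baseline, changed files whose content is now mostly long Base64-looking runs, files that did not exist at baseline time (flagged separately when they carry the ELF magic), and files whose modification time lies in the future. The 0.5 Base64 ratio, the five-minute clock-skew allowance and the finding names are my own assumptions.

```python
import hashlib
import os
import re
import time

ELF_MAGIC = b"\x7fELF"
# Long runs of Base64-alphabet characters: the "spike in Base64 encoding" heuristic.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")

def base64_ratio(data):
    """Fraction of the file made up of long Base64-looking runs."""
    if not data:
        return 0.0
    return sum(len(m) for m in B64_RUN.findall(data)) / len(data)

def _files(root):
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root), full

def build_baseline(root):
    """Record the SHA-256 of every file under root (run this on a known-good system)."""
    baseline = {}
    for rel, full in _files(root):
        with open(full, "rb") as fh:
            baseline[rel] = hashlib.sha256(fh.read()).hexdigest()
    return baseline

def scan(root, baseline, now=None, b64_threshold=0.5, clock_skew=300.0):
    """Return (finding, relpath) tuples for anything that drifted from the baseline."""
    now = time.time() if now is None else now
    findings, seen = [], set()
    for rel, full in _files(root):
        seen.add(rel)
        with open(full, "rb") as fh:
            data = fh.read()
        if rel not in baseline:  # unfamiliar file; ELF executables get their own finding
            findings.append(("new_elf" if data.startswith(ELF_MAGIC) else "new_file", rel))
        elif hashlib.sha256(data).hexdigest() != baseline[rel]:
            findings.append(("modified", rel))
            if base64_ratio(data) >= b64_threshold:
                findings.append(("base64_surge", rel))
        # assumed "funky timestamp": mtime further in the future than allowed clock skew
        if os.stat(full).st_mtime > now + clock_skew:
            findings.append(("future_mtime", rel))
    findings.extend(("missing", rel) for rel in baseline if rel not in seen)
    return findings
```

Store the baseline off the host it describes and run scan on a schedule; a new ELF under a web root or a future-dated file is worth an immediate look, while the Base64 check is only a hint and should be tuned per directory.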

The Bigger Picture—and Why Vigilance Pays Off

Here’s the reality: ransomware actors aren’t going to slow down. By shifting to Linux systems, BERT ransomware is effectively declaring war on enterprise environments. They’re betting that you’ll either pay up or spend days—maybe weeks—trying to get your operations back online.

But now? You know their tools, their tactics, and most importantly, the vulnerabilities they’re betting on. You’ve got the opportunity to harden defenses and build resilience into your systems before attackers find their way into yours. Don’t wait for disaster to strike. If something like BERT teaches us anything, it’s that ransomware is a moving target—and ignoring new shifts costs dearly.