Full Report
Organizations on multiple continents — particularly in the health and tech sectors — have been breached by a ransomware group calling itself Bert, according to researchers at Trend Micro.
Analysis Summary
# Threat Actor: Bert Ransomware Group
## Attribution & Identity
* **Identification:** A new ransomware group identified first in April by Trend Micro researchers.
* **Aliases/Groups:** The group calls itself "Bert." Analysts note potential linkages to the dismantled **REvil** ransomware gang, suggesting Bert may have originated from or reused code from the Linux variant of REvil.
* **Suspected Affiliation:** Use of Russian infrastructure suggests possible ties to actors operating in or affiliated with that region.
## Activity Summary
* **Historical Activities:** First identified in April 2025. The group is actively developing its ransomware, with multiple variants already observed.
* **Recent Campaigns:** Breaching organizations across Asia, Europe, and the U.S.
## Tactics, Techniques & Procedures
* **Initial Access:** Unknown; once inside, the actor follows a consistent deployment sequence (a PowerShell script to disable security tools, followed by download and execution of the ransomware payload).
* **Defense Evasion:** Deploys a PowerShell script to disable security tools on victim systems.
* **Execution/Impact:** Downloads and executes the ransomware payload, which targets both Windows and Linux systems.
* **Impact/Extortion:** Drops a ransom note reading: "Hello from Bert! Your network is hacked and files are encrypted," instructing victims on payment negotiation.
* **Code Reuse:** Observed code reuse suggestive of the Linux variant of the REvil ransomware.
## Targeting
* **Sectors:** Healthcare, technology, and event services sectors.
* **Geography:** Victims reported in Asia, Europe, and the U.S.
* **Victims:** General mention of organizations within the targeted sectors; no specific organization names provided in the summary.
## Tools & Infrastructure
* **Malware Families Used:** Bert ransomware (actively developed, cross-platform, Windows and Linux variants observed).
* **Infrastructure:** Mention of the use of Russian infrastructure, though specific C2 details are not provided.
## Implications
Bert represents a rapidly developing, active ransomware threat capable of targeting diverse operating systems (Windows/Linux) across multiple global regions. Its potential lineage from REvil suggests a baseline level of sophistication, and its active development indicates an evolving threat profile.
## Mitigations
* Implement robust monitoring for the execution of PowerShell scripts attempting to disable security tools.
* Ensure comprehensive coverage and up-to-date protection for both Windows and Linux endpoints, as Bert targets both platforms.
* Review and assess systems for any artifacts or code similarities associated with legacy REvil operations if previous compromises are suspected.
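The defense-evasion step in the TTP list and the first mitigation both point at the same detection opportunity: PowerShell activity that weakens endpoint protection before the payload runs. The following added example (not code from the Trend Micro report or the Bert operators) sketches what that monitoring could look like over PowerShell Script Block Logging data (Event ID 4104). The event fields, the sample script blocks and the specific tampering patterns (`Set-MpPreference -Disable…`, `Add-MpPreference -Exclusion…`, stopping the `WinDefend`/`Sense` services) are assumptions chosen for illustration; the report does not say which commands Bert's script issues. Hits are weighted and aggregated per host so that one host doing several tampering actions in a row produces a single high-confidence alert rather than a scatter of low-severity ones.

```python
"""Detection sketch for PowerShell commands that weaken endpoint security tooling.

Added example, not from the Trend Micro report or the Bert group's own tooling.
Input is modelled on the ScriptBlockText of PowerShell Script Block Logging
events (Event ID 4104); the field names and sample content are constructed.
"""
import re
from collections import defaultdict

# Constructed sample events (not real telemetry). Only the fields this sketch
# uses are present; a real 4104 record carries more.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice",
     "script": "Get-ChildItem C:\\Users\\alice\\Documents | Measure-Object"},
    {"host": "srv02", "user": "svc_deploy",
     "script": "Set-MpPreference -DisableRealtimeMonitoring $true; "
               "Set-MpPreference -DisableBehaviorMonitoring $true"},
    {"host": "srv02", "user": "svc_deploy",
     "script": "Add-MpPreference -ExclusionPath 'C:\\ProgramData\\tmp'"},
    {"host": "ws07", "user": "bob",
     "script": "Stop-Service -Name Sense -Force"},
    # Read-only query of the same settings: must NOT fire.
    {"host": "ws03", "user": "carol",
     "script": "Get-MpPreference | Select-Object DisableRealtimeMonitoring"},
]

# Each rule: (rule id, compiled pattern, weight). The patterns are common
# Defender-tampering commands chosen as assumptions; the report does not say
# which commands Bert's script uses.
RULES = [
    ("defender_disable_flag",
     re.compile(r"Set-MpPreference\b[^\n;]*-Disable\w+\s+\$?true", re.I), 3),
    ("defender_exclusion_added",
     re.compile(r"Add-MpPreference\b[^\n;]*-Exclusion(Path|Process|Extension)", re.I), 2),
    ("security_service_stopped",
     re.compile(r"(Stop-Service|sc(\.exe)?\s+stop)\b[^\n;]*\b(WinDefend|Sense)\b", re.I), 3),
]

# Hosts whose cumulative score reaches this threshold get one high-severity
# alert; the threshold is an assumed tuning value, not a published number.
HOST_ALERT_THRESHOLD = 4


def match_rules(script_text):
    """Return the ids of all rules that fire on one script block."""
    return [rid for rid, pat, _ in RULES if pat.search(script_text)]


def score_events(events):
    """Aggregate weighted rule hits per host.

    Returns {host: {"score": int, "hits": [(user, rule_id), ...]}}; hosts with
    no hits are absent from the result.
    """
    weights = {rid: w for rid, _, w in RULES}
    per_host = defaultdict(lambda: {"score": 0, "hits": []})
    for ev in events:
        for rid in match_rules(ev["script"]):
            per_host[ev["host"]]["score"] += weights[rid]
            per_host[ev["host"]]["hits"].append((ev["user"], rid))
    return dict(per_host)


def hosts_to_alert(events, threshold=HOST_ALERT_THRESHOLD):
    """Sorted list of hosts whose accumulated tampering score meets the threshold."""
    scored = score_events(events)
    return sorted(h for h, s in scored.items() if s["score"] >= threshold)


if __name__ == "__main__":
    for host, summary in score_events(SAMPLE_EVENTS).items():
        print(host, summary["score"], summary["hits"])
    print("alert:", hosts_to_alert(SAMPLE_EVENTS))
```

On the constructed sample, `srv02` accumulates a disable flag plus an exclusion (score 5) and is the only host that crosses the threshold; `ws07`'s single service stop stays below it and would surface as a lower-priority hit, and `ws03`'s read-only `Get-MpPreference` query produces no hit at all. Because Bert also targets Linux, the same approach should be paired with equivalent monitoring for service-stop and agent-removal commands on Linux endpoints.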