Trend Micro has observed the Bert ransomware group in operation since April 2025, with confirmed victims in sectors including healthcare, technology and event services.
Analysis Summary
# Threat Actor: Bert Ransomware Group / Water Pombero (Trend Micro Tracking)
## Attribution & Identity
* **Identification:** Recently emerged ransomware group.
* **Attribution Notes:** Payloads are downloaded from a remote IP address associated with **ASN 39134**, which is registered in Russia. Researchers note this *may* point to actors operating in or associated with the region, but on its own it does not establish attribution.
* **Known Aliases and Associated Groups:** Tracked by Trend Micro as **Water Pombero**.
## Activity Summary
The Bert ransomware group has been actively targeting organizations globally since April 2025. They utilize multiple ransomware variants and are rapidly evolving their TTPs to evade detection. Their operations have been observed across the US, Asia, and Europe. The group's evolution to date shows that they remain effective with simple tools, favouring a reliable path to their objectives (intrusion, exfiltration, and leverage).
## Tactics, Techniques & Procedures
* Rapidly evolving tactics, techniques, and procedures (TTPs).
* Repurposing familiar tools while continuously refining operations.
* Execution of ransomware variants targeting both Windows and Linux platforms.
* Focus on a reliable path to intrusion, data exfiltration, and ultimately leveraging the victim.
* **Initial Access Method:** Exact method is currently undetermined.
## Targeting
* **Sectors:** Healthcare, Technology, and Event Services.
* **Geography:** Global reach, specifically observed targeting organizations in the US, Asia, and Europe.
* **Victims:** Specific organizations are not detailed in the summary, only the sectors targeted.
## Tools & Infrastructure
* **Malware Families Used:** Multiple variants of the Bert ransomware, capable of targeting **Windows and Linux** platforms.
* **Infrastructure (C2, domains, IPs):** The ransomware payload is downloaded from a remote IP address associated with **ASN 39134** (Russian registration).
## Implications
The emergence of Bert highlights that new ransomware groups do not require highly complex techniques to be effective; reliability and continuous adaptation of simpler methods are sufficient to achieve successful ransomware deployment and extortion. The multi-platform capability (Windows/Linux) increases their potential impact across diverse organizational environments.
## Mitigations
* Implement robust detection and response mechanisms capable of identifying evolving TTPs, especially those utilizing familiar tools.
* Ensure comprehensive coverage (EDR/XDR) for both Windows and Linux endpoints, given the observed multi-platform targeting.
* Given the reliance on establishing a "reliable path," focus on hardening common initial access vectors, even if the exact primary vector is currently unknown.
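The infrastructure note above (payload downloads from an IP in ASN 39134) and the first two mitigations (detection that covers both Windows and Linux endpoints) can be turned into a concrete correlation check. The following is an added example written for this summary, not code from Trend Micro or the report: it enriches download events with an ASN lookup, flags any download sourced from a watched ASN, and raises an alert when the same host executes the downloaded file shortly afterwards. The ASN table, IP addresses, hostnames, paths and log lines are all constructed placeholders (documentation ranges, not real ASN 39134 prefixes); in a SOC the table would be populated from a real ASN feed.

```python
"""
Added example, not from the original report: ASN-enriched download/execute
correlation for a generic endpoint+proxy log. Everything below (prefix table,
IPs, hosts, paths) is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed ASN table. TEST-NET-3 stands in for the watched ASN named in
# the report; the /24 is NOT a real ASN 39134 prefix. Replace with a feed.
ASN_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), 39134),   # placeholder for watched ASN
    (ipaddress.ip_network("198.51.100.0/24"), 64500),  # placeholder benign ASN
]
WATCHED_ASNS = {39134}   # ASN 39134 is the value given in the report


def asn_for(ip: str) -> Optional[int]:
    """Return the ASN for an IP using the (constructed) prefix table, or None."""
    addr = ipaddress.ip_address(ip)
    for net, asn in ASN_TABLE:
        if addr in net:
            return asn
    return None


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str            # "download" or "exec"
    path: str            # Windows or Linux path of the file involved
    src_ip: str = ""     # only set for downloads


def parse(line: str) -> Event:
    """Parse one constructed log line.

    download: "<ISO ts> <host> download <src_ip> <path>"
    exec:     "<ISO ts> <host> exec <path>"
    maxsplit keeps paths that contain spaces intact.
    """
    head = line.split(None, 2)
    ts, host, rest = datetime.fromisoformat(head[0]), head[1], head[2]
    if rest.startswith("download "):
        _, src_ip, path = rest.split(None, 2)
        return Event(ts, host, "download", path, src_ip)
    _, path = rest.split(None, 1)
    return Event(ts, host, "exec", path)


def find_suspicious(lines, window: timedelta = timedelta(minutes=10)):
    """Alert when a file downloaded from a watched ASN is executed on the
    same host within `window`. Works identically for Windows and Linux paths."""
    events = sorted((parse(l) for l in lines), key=lambda e: e.ts)
    pending = {}      # (host, path) -> download Event from a watched ASN
    alerts = []
    for e in events:
        if e.kind == "download":
            asn = asn_for(e.src_ip)
            if asn in WATCHED_ASNS:
                pending[(e.host, e.path)] = e
        elif e.kind == "exec":
            d = pending.get((e.host, e.path))
            if d is not None and timedelta(0) <= e.ts - d.ts <= window:
                alerts.append({
                    "host": e.host, "path": e.path, "src_ip": d.src_ip,
                    "asn": asn_for(d.src_ip),
                    "download_ts": d.ts.isoformat(), "exec_ts": e.ts.isoformat(),
                    "delay_s": int((e.ts - d.ts).total_seconds()),
                })
                del pending[(e.host, e.path)]   # one alert per download
    return alerts


# Constructed sample log: two true positives (one Windows, one Linux host),
# one download from a benign ASN, and one watched-ASN download never executed.
SAMPLE_LOG = [
    "2025-05-02T10:01:00 win-ws01 download 203.0.113.45 C:\\Users\\Public\\update.exe",
    "2025-05-02T10:03:30 win-ws01 exec C:\\Users\\Public\\update.exe",
    "2025-05-02T11:15:00 lnx-db02 download 203.0.113.77 /tmp/.cache/run",
    "2025-05-02T11:16:10 lnx-db02 exec /tmp/.cache/run",
    "2025-05-02T12:00:00 win-ws03 download 198.51.100.8 C:\\Temp\\installer.exe",
    "2025-05-02T12:01:00 win-ws03 exec C:\\Temp\\installer.exe",
    "2025-05-02T13:00:00 lnx-web01 download 203.0.113.9 /opt/tool",
]

if __name__ == "__main__":
    for a in find_suspicious(SAMPLE_LOG):
        print(a)
```

The correlation key is (host, path), so the same logic covers the Windows and Linux variants the report describes without any platform-specific rule; the time window bounds false positives from legitimate downloads that happen to share a path with an old flagged one. Because the report gives only the ASN and not an IP or hash, ASN-level enrichment is the most specific indicator this summary supports, and it should be treated as a triage signal rather than a block list.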