A cybercrime group known as BERT has begun targeting organizations across Asia, Europe, and the United States with ransomware attacks that affect both Windows and Linux platforms. Tracked by Trend Micro as ‘Water Pombero,’ BERT has already compromised multiple victims in sectors such as healthcare, technology, and event services since April.
BERT’s tactics include PowerShell-based loaders, privilege escalation techniques, and file encryption. One key tool is a PowerShell script (start.ps1), which disables system defenses, escalates privileges, and downloads the ransomware payload from a remote IP address registered in Russia. While the origin of the group is unclear, the use of Russian infrastructure suggests possible links to regional affiliations.
The researchers have also spotted a Linux variant of BERT’s ransomware, which can spin up to 50 threads to accelerate file encryption and force shutdowns of ESXi virtual machines, crippling recovery processes. Trend Micro’s analysis suggests that the group’s ransomware may have been based on ransomware families like REvil and Babuk, known for targeting similar environments.
In terms of evolution, the new version of BERT's Windows variant begins encrypting files immediately as they are found, while the original version delayed encryption until files were fully mapped.
“New ransomware groups will likely continue to emerge, repurposing familiar tools and code, while refining TTPs. As the BERT ransomware group demonstrates, simple tools can lead to successful infections. This highlights how emerging groups do not need complex techniques to be effective—just a reliable path to their goal, from intrusion, exfiltration and ultimately leverage over victims,” the report concludes.