Bert is a recently-discovered strain of ransomware that encrypts victims' files and demands a payment for the decryption key.
I truly have no idea. Maybe whoever created Bert put all of their efforts into the coding of their ransomware, rather than thinking of its marketing. Or maybe they just really like the name "Bert."
Well, that's always possible. It's a shame they didn't put their surname in as well (and their postal address too, so the police could pay them a visit...)
I'm afraid it does appear that way. A leak site exists on the dark web, accessible via Tor, where the hackers behind the Bert attacks list their victims and make it possible for anyone to download the data that has been stolen.
Yes, unless you have a non-corrupted and recent backup of your data, your best bet is to contact the hackers who attacked you, as a free decryptor for Bert is not available. In their ransom note the hackers provide a unique ID to allow you to make contact via the Session messenger app.
The ransom note can be found in folders alongside the encrypted files, and contains a link through which the hackers can be contacted.
Hello from Bert!
Your network is hacked and files are encrypted.
We download some important files from your network.
Encrypted files can be easily identified by examining their extension, which will have had ".encryptedbybert" appended. So, for instance, a file originally called 1.jpeg would be renamed 1.jpeg.encryptedbybert
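For responders scoping an incident, the two indicators above can be checked together. The following Python script is an added example, not part of the original article or any vendor tool: it walks a directory tree and reports, per folder, the files carrying the ".encryptedbybert" extension, any small files containing the note's opening line, and the earliest modification time among the encrypted files. Matching notes by the "Hello from Bert!" text and reading modification time as a rough sign of when encryption reached a folder are assumptions, and the file names in the demo are constructed.

```python
import os
import stat
import tempfile
from collections import defaultdict

EXT = ".encryptedbybert"            # extension given in the article
NOTE_MARKER = b"Hello from Bert!"   # first line of the note quoted in the article
MAX_NOTE_BYTES = 64 * 1024          # assumption: notes are small text files


def triage(root):
    """Map each affected folder to its encrypted files, suspected notes and
    the earliest modification time among the encrypted files."""
    report = defaultdict(lambda: {"encrypted": [], "notes": [], "first_seen": None})
    for folder, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(folder, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue                      # vanished or unreadable
            if not stat.S_ISREG(st.st_mode):
                continue                      # skip symlinks, pipes, devices
            if name.lower().endswith(EXT):
                entry = report[folder]
                entry["encrypted"].append(name[:-len(EXT)])   # original name
                if entry["first_seen"] is None or st.st_mtime < entry["first_seen"]:
                    entry["first_seen"] = st.st_mtime
            elif st.st_size <= MAX_NOTE_BYTES:
                try:
                    with open(path, "rb") as fh:
                        if NOTE_MARKER in fh.read():
                            report[folder]["notes"].append(name)
                except OSError:
                    continue
    return dict(report)


if __name__ == "__main__":
    # Constructed sample tree; the note's file name here is made up.
    with tempfile.TemporaryDirectory() as root:
        for name, data in [("1.jpeg.encryptedbybert", b"\x00"),
                           ("note.txt", b"Hello from Bert!\n"),
                           ("untouched.txt", b"fine")]:
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        for folder, hit in triage(root).items():
            print(folder, hit)
```

Run it read-only against a forensic copy or mounted snapshot rather than the live host, so that file access times on the evidence are not altered.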
In recent weeks Bert has claimed to have stolen information from organisations around the world including a ticket company, a Turkish hospital, an American electronics firm, a Malaysian construction firm, a Colombian IT solutions business, and a Taiwanese company producing equipment for semiconductors.
The group's most recent claim is that it has stolen almost 140 GB worth of sensitive information from UK-based S5 Agency World, a global business operating in over 360 ports, providing vessel and cargo services.
As Cybernews describes, data exfiltrated from S5 Agency World includes details of invoices, email correspondence, inspection reports, employees' COVID-19 vaccinations, copies of passports, and internal corporate documents. There will inevitably be worries that a hacked company in the maritime transportation sector may cause shipment delays and a wider supply-chain bottleneck if not resolved promptly.
Our advice is to follow the same recommendations you would use to protect your organisation from any other type of ransomware. These include:
Stay safe, folks.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Fortra.