A new ransomware group that emerged in April is targeting a range of organizations across the United States, Europe and Asia using double-extortion tactics and aiming at such sectors as health care, tech and events services.
Threat intelligence researchers with Broadcom and Fortra began writing about the new ransomware group, dubbed “Bert,” in May and June, respectively, and this week, Trend Micro analysts added their take on the evolving threat actor and how it reflects trends within the larger ransomware space.
“New ransomware groups will likely continue to emerge, repurposing familiar tools and code, while refining TTPs [tactics, techniques and procedures],” wrote the Trend Micro analysts, who track the bad actor under the name “Water Pombero.” “As the BERT ransomware group demonstrates, simple tools can lead to successful infections. This highlights how emerging groups do not need complex techniques to be effective – just a reliable path to their goal, from intrusion, exfiltration and ultimately leverage over victims.”
Given how new the Bert group is, researchers are still trying to fully define it. The ransomware can be used with both Windows and Linux systems, and there are several variants in the wild, according to Trend Micro researchers.
“During our pivoting efforts, we identified additional samples uploaded in the wild,” they wrote. “Analysis revealed that these samples are older versions, lacking the updated encryption methods and function sequences seen in samples from our internal telemetry. These differences indicate that the threat actors are actively developing and refining the ransomware.”
In their report, they detail an example of how the malware is evolving. In an earlier version for Windows systems, it assesses the drives and drops the ransom note in every directory before collecting the valid file paths to be encrypted and saving them in an array. After collecting the file paths, it moves on to multi-threaded encryption.
“In contrast, the new variant uses ConcurrentQueue and creates a DiskWorker on each drive to improve the multi-threaded encryption process,” the researchers wrote. “This enables the ransomware to begin encrypting files as soon as they are discovered, unlike the older version, which first stores the file paths in an array before encryption.”
Researchers from both Trend Micro and Broadcom noted that Bert uses a PowerShell script that acts as a loader for the ransomware payload. To pave the way for the ransomware, the loader escalates privileges and disables Windows Defender, the firewall, and user account control before downloading the ransomware from a remote IP address.
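The three controls the loader is reported to switch off are the ones a responder should check first on a suspect Windows host. The following PowerShell audit is an added example written for this page, not code from the Trend Micro, Broadcom or Fortra reports: it reads the current Defender, host-firewall and UAC state through the standard `Defender` and `NetSecurity` modules and the well-known UAC policy key, and pulls the Defender operational events (5001, real-time protection disabled; 5007, configuration changed) that record the kind of tampering described above. It assumes an elevated session on a Windows 10 or Windows Server host with Defender installed; the 24-hour lookback and the finding wording are this example's own choices.

```powershell
# Added example (not from the vendor reports): audit the protections the Bert
# loader is reported to disable and surface Defender tamper events.
# Run from an elevated PowerShell session.

function Get-DefenderState {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    [pscustomobject]@{
        RealTimeProtection    = $status.RealTimeProtectionEnabled
        TamperProtection      = $status.IsTamperProtected
        RealtimeMonitoringOff = $pref.DisableRealtimeMonitoring   # $true means disabled
        AntivirusEnabled      = $status.AntivirusEnabled
    }
}

function Get-FirewallState {
    # One row per profile; a disabled Domain, Private or Public profile is a red flag
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
}

function Get-UacState {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v   = Get-ItemProperty -Path $key
    [pscustomobject]@{
        EnableLUA                  = $v.EnableLUA                  # 1 = UAC on, 0 = off
        ConsentPromptBehaviorAdmin = $v.ConsentPromptBehaviorAdmin # 0 = elevate without prompting
        PromptOnSecureDesktop      = $v.PromptOnSecureDesktop
    }
}

function Get-DefenderTamperEvents {
    param([int]$Hours = 24)   # lookback window is an assumption for this example
    # 5001 = real-time protection disabled, 5007 = Defender configuration changed.
    # Get-WinEvent throws when nothing matches, hence SilentlyContinue.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5007
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Test-HostHardening {
    # Returns one line per control that has drifted from the expected state
    $findings = @()
    $d = Get-DefenderState
    if (-not $d.RealTimeProtection) { $findings += 'Defender real-time protection is OFF' }
    if (-not $d.TamperProtection)   { $findings += 'Defender tamper protection is OFF' }
    Get-FirewallState | Where-Object { -not $_.Enabled } |
        ForEach-Object { $findings += "Firewall profile $($_.Name) is OFF" }
    $u = Get-UacState
    if ($u.EnableLUA -ne 1) {
        $findings += 'UAC (EnableLUA) is OFF'
    } elseif ($u.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'UAC elevates administrators without prompting'
    }
    $findings
}

$findings = @(Test-HostHardening)
if ($findings.Count -eq 0) { 'No drift from expected hardening state' } else { $findings }
Get-DefenderTamperEvents | Format-Table -AutoSize
```

A clean result only says the controls are on now; a loader that disables them, drops the payload and re-enables nothing will still leave the 5001/5007 events and the firewall profile change behind, so the event query is the more durable of the two checks.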
On Linux systems, the ransomware uses up to 50 threads to accelerate encryption and shorten the window in which it can be detected or shut down before it finishes. It can also forcibly shut down ESXi virtual machines to widen its impact on the host and further hamper recovery of the encrypted files.
Trend Micro and Fortra said the ransom note the group drops starts with “Hello from Bert! Your network is hacked and files are encrypted. We download some important files from your network.” It then gives instructions to victims to contact the group.
The group’s method of gaining initial access is still unknown, with Broadcom analysts writing that the loader acts as “part of the initial access or defense evasion phase in the attack chain.”
Also unclear is the origin of Bert, though Trend Micro analysts wrote that the IP address from which the loader fetches the payload is associated with a Russian entity, adding that “while this alone does not establish attribution, the use of Russian infrastructure may indicate a potential connection to threat actors operating in or associated with the region.”
Trend Micro researchers also said that their investigation indicates the Bert ransomware may have emerged from the Linux variant of the notorious REvil group, whose infrastructure went dark after law enforcement action in late 2021 and whose alleged operators were the subject of a round of arrests in Russia in early 2022. Despite those efforts, other groups have reused REvil code in their own malware, and Trend Micro said it is “likely” the Bert operators did the same.
The victims of Bert have varied. Fortra researchers wrote that among the organizations targeted are a hospital in Turkey, a U.S. electronics firm, a Malaysian construction company, an IT solutions business in Colombia and a Taiwanese company that makes equipment for semiconductors.