Bert Ransomware Strikes Healthcare and Tech Firms Worldwide

Bert, a new ransomware group, is attacking healthcare and tech firms globally with fast, stealthy malware affecting both Windows and Linux systems.

In a rush? Here are the quick facts:

  • Bert encrypts both Windows and Linux systems with multi-threaded execution.
  • It disables security tools using PowerShell before executing the payload.
  • Newer versions encrypt files instantly, improving speed and damage.

A new ransomware group known as “Bert” is attacking organizations across Asia, Europe, and the United States, with confirmed victims in healthcare, technology, and event services, as reported on Monday by Trend Micro.

First identified in April, Bert has gained attention for its fast development, its ability to attack multiple platforms, and its ties to older ransomware groups like REvil.

The malware targets both Windows and Linux platforms, using a PowerShell script that disables security tools before executing the downloaded ransomware payload. Victims receive a blunt message: “Hello from Bert! Your network is hacked and files are encrypted.”

The Trend Micro researchers describe the group’s code as basic yet powerful. On Linux, for example, Bert can use up to 50 threads to encrypt files quickly. It even shuts down ESXi virtual machines to maximize damage and make recovery harder. On Windows, it terminates processes tied to web servers and databases before encrypting data.

The ransomware appends “.encrypted_by_bert” as a file extension to encrypted files and creates a ransom note that includes payment information. Analysis of multiple samples shows that Bert is under continuous development: its latest versions encrypt files as soon as they are discovered instead of collecting file paths first.
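For responders scoping an incident, the two indicators quoted above (the file extension and the opening line of the ransom message) can be swept for on a mounted share or disk image. The script below is an added example, not code from Trend Micro or from the article; the function name `sweep`, the 64 KiB size limit and the content-based search for the note (its filename is not given here) are assumptions.

```python
import os
from collections import Counter

BERT_EXTENSION = ".encrypted_by_bert"   # extension quoted in the article
NOTE_MARKER = b"Hello from Bert!"       # opening of the ransom message quoted in the article
MAX_NOTE_BYTES = 64 * 1024              # assumption: ransom notes are small text files


def sweep(root):
    """Walk `root`; return (encrypted_paths, note_paths, per_directory_counts)."""
    encrypted, notes, per_dir = [], [], Counter()
    # os.walk does not follow directory symlinks by default; errors are ignored
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(BERT_EXTENSION):
                encrypted.append(path)
                per_dir[dirpath] += 1
                continue
            try:
                # Only small regular files are read when looking for the note text
                if os.path.islink(path) or os.path.getsize(path) > MAX_NOTE_BYTES:
                    continue
                with open(path, "rb") as fh:
                    if NOTE_MARKER in fh.read():
                        notes.append(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
    return encrypted, notes, per_dir


if __name__ == "__main__":
    import sys
    enc, found_notes, counts = sweep(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"{len(enc)} encrypted file(s), {len(found_notes)} candidate ransom note(s)")
    # Directories with the most encrypted files show where the damage is concentrated
    for directory, count in counts.most_common(10):
        print(f"{count:6d}  {directory}")
    for note in found_notes:
        print(f"note: {note}")
```

The per-directory counts help prioritise which shares to restore first; a hit on the note text without any renamed files is worth checking by hand, since it may be a report or e-mail quoting the message.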

The researchers believe the group obtained its Linux variant code from REvil’s Linux version after the notorious gang was dismantled in 2021. The Russian-registered Bert server contains Russian-language comments, which suggest possible involvement of regional actors, but no official group has been identified.

Experts warn that Bert’s rise highlights how even basic malware can be dangerous when paired with stealthy techniques and strategic targeting.
