A newly emerged ransomware group known as BERT has introduced a particularly disruptive capability that sets it apart. The group has the ability to forcibly terminate ESXi virtual machines before encryption, significantly complicating recovery efforts. First observed in April 2025, BERT has quickly established itself as a serious threat to virtualized environments. It has targeted organizations across Asia, Europe, and the United States with its sophisticated ransomware attacks. This represents a concerning evolution in ransomware tactics, demanding immediate attention from organizations that use virtualized server infrastructure.
The ransomware’s most concerning feature lies in its sophisticated Linux variant, which can detect and forcibly shut down virtual machines. This tactical approach ensures that virtual machines cannot continue running during the attack, preventing quick recovery actions. It prevents system administrators from quickly migrating or backing up their critical systems to another secure location. The malware executes commands that force the termination of all running VM processes on the targeted ESXi hosts. This is designed to maximize the operational disruption and damage to the victim’s business and IT infrastructure.
The BERT ransomware group has developed variants targeting Windows, Linux, and ESXi platforms, enabling comprehensive attacks.
On Windows systems, BERT employs PowerShell-based loaders that disable security features like Windows Defender and firewalls. The group’s targeting strategy focuses primarily on the healthcare, technology, and also the event services sectors. Security researchers have identified connections between BERT’s codebase and previously leaked REvil Linux ransomware variants. This suggests the group may have repurposed existing ransomware frameworks for enhanced effectiveness in their new campaigns.
The forced shutdown capability represents a significant escalation in modern ransomware tactics used by many different groups. It directly undermines disaster recovery procedures that organizations rely upon during these types of cyber incidents. Traditional recovery methods often involve quickly spinning up backup virtual machines, but BERT’s approach eliminates these options. Organizations that are using VMware ESXi hypervisors face a particular risk from this new ransomware group. Cybersecurity experts recommend implementing enhanced monitoring for PowerShell abuse and also unauthorized script execution on corporate networks.
Reference:
