New ransomware group employs advanced virtualization attack tactics to maximize damage and hinder organizational recovery efforts.<\/p>\n
A newly emerged ransomware group known as BERT<\/a> has introduced a particularly disruptive capability that sets it apart from traditional ransomware operations: the ability to forcibly terminate ESXi virtual machines before encryption, significantly complicating recovery efforts for targeted organizations. <\/p>\n First observed in April 2025, BERT (tracked by Trend Micro as Water Pombero) has quickly established itself as a serious threat to virtualized environments across Asia, Europe, and the United States.<\/p>\n The ransomware\u2019s most concerning feature lies in its Linux variant, which can detect and forcibly shut down ESXi virtual machines<\/a> before proceeding with file encryption. <\/p>\n This tactical approach ensures that virtual machines cannot continue running during the attack, preventing administrators from quickly migrating or backing up critical systems. <\/p>\n The malware executes commands that force the termination of all running VM processes on ESXi hosts, maximizing operational disruption.<\/p>\n Diagram of VMware vSphere architecture showing clients, vCenter Server, application and infrastructure services, and physical enterprise servers, network, and storage\u00a0virtualization.<\/p>\n BERT\u2019s Linux implementation supports up to 50 concurrent threads for rapid encryption, allowing the ransomware to process large virtualized environments efficiently. <\/p>\n When executed without command line parameters, the malware automatically proceeds to shut down virtual machines using built-in ESXi commands, demonstrating sophisticated knowledge of VMware infrastructure.<\/p>\n The ransomware group has developed variants targeting Windows, Linux, and ESXi platforms simultaneously, enabling comprehensive attacks across hybrid IT environments. <\/p>\n On Windows systems, BERT employs PowerShell-based loaders that disable security features including Windows Defender<\/a>, firewalls, and User Account Control before downloading the main payload from Russian infrastructure.<\/p>\n The group\u2019s targeting strategy focuses primarily on healthcare, technology, and event services sectors, with confirmed victims spanning multiple continents. <\/p>\n Security researchers have identified<\/a> connections between BERT\u2019s codebase and previously leaked REvil Linux variants, suggesting the group may have repurposed existing ransomware frameworks for enhanced effectiveness.<\/p>\n The forced shutdown capability represents a significant escalation in ransomware tactics, as it directly undermines disaster recovery procedures that organizations rely upon during cyber incidents. <\/p>\n Traditional recovery methods often involve quickly spinning up backup virtual machines or migrating workloads to alternate hosts, but BERT\u2019s approach eliminates these options by systematically terminating all VM processes.<\/p>\n Organizations using VMware ESXi hypervisors face particular risk, as a single compromised hypervisor can affect dozens of virtual machines simultaneously. <\/p>\n The ransomware appends different file extensions depending on the target platform: \u201c.encryptedbybert\u201d on Windows systems and \u201c.encrypted_by_bert\u201d on Linux and ESXi environments.<\/p>\n Cybersecurity experts recommend implementing enhanced monitoring for PowerShell abuse and unauthorized script execution, particularly focusing on loaders that disable security tools. <\/p>\n Organizations should also consider network segmentation to isolate ESXi management interfaces and implement robust backup strategies that include offline and immutable copies.<\/p>\n The emergence of BERT underscores the evolving sophistication of ransomware operations<\/a> and their increasing focus on virtualized infrastructure. <\/p>\n As organizations continue to consolidate workloads onto virtualization platforms, the potential impact of such targeted attacks will only grow, making proactive defense measures more critical than ever.<\/p>\n Investigate live malware behavior, trace every step of an attack, and make faster, smarter security decisions -> Try ANY.RUN now<\/strong><\/a>\u00a0<\/p>\n The post BERT Ransomware Forcibly Shut Down ESXi Virtual Machines to Disrupt Recovery<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nAdvanced Virtual Machine Targeting<\/strong><\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhd_eD5wgrmVag10FPQUxUnO1vE8n3voDo2vuMnL9xFelYEwtptfRg4bUMhu8W8eRD8dCIh_4FzwN3xzHfDSuOCS__O1CTersidFn4ElJOgpjA_pHiT43ZtmJz4C3OvvPBbzQChofLCF-7-v6tkRHfZxuExxHwRNwzOAZ4C903_tlDp8EvrKnCucNJ-tC2J\/s16000\/command%2520line%2520ESXi%2520.png?ssl=1\")
<\/figure>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgrTN7aLxifqXrBSdeAZqGCZihSBAbky3c9s4CS9t-AXihya6b7lcpadIU-Fbn-NjLRymv5MiO1LJuLvR9w3eYnZ45ROkT0vva40q90o1bHC3-1o36zXxGJNFfNN9Xmji3cDot16R-mBCmxcjvSarhrA6E58Y9unHbXJal44HK6qn3zSVYof1uBLu9zfDQq\/s16000\/Active%2520Exploitation.png?ssl=1\")
Mitigations<\/strong><\/h2>\n