Beware of Bert: New ransomware group targets healthcare, tech firms

A new ransomware group has been breaching organizations across Asia, Europe, and the U.S., with victims reported in the healthcare, technology and event services sectors, researchers have found.

The group, calling itself Bert, was first identified in April by researchers at cybersecurity firm Trend Micro, who detailed their findings in a report published Monday. 

The ransomware has infected both Windows and Linux systems, the researchers said. Although the initial access method remains unknown, analysts discovered a PowerShell script  that disables security tools on victims' systems before downloading and executing the ransomware.

Once inside a system, the malware drops a ransom note that reads: “Hello from Bert! Your network is hacked and files are encrypted,” followed by instructions for contacting the attackers to negotiate payment.

Researchers said the ransomware is actively being developed, with multiple variants already observed. While no specific threat actor has been formally linked to the attacks, the use of Russian infrastructure may suggest ties to groups operating in or affiliated with the region. Trend Micro said.

The researchers also noted that Bert may have originated from the Linux variant of REvil, a notorious ransomware gang dismantled in 2021. Although REvil is no longer active, elements of its code appear to have been reused, the researchers said.

Earlier in June, a Russian court sentenced several members of the REvil ransomware gang to five years in prison but released them immediately after the verdict, citing time already served in pre-trial detention. The case was unrelated to REvil’s high-profile ransomware attacks. The defendants were found guilty of trafficking stolen payment data and using malicious software to commit carding fraud.