BERT RANSOMWARE - THE RAVEN FILE

Severity: Medium
Published: Fri Jun 20 2025 (06/20/2025, 19:25:58 UTC)
Source: AlienVault OTX General

Description

BERT Ransomware, active since March 2025, has expanded its operations to target both Windows and Linux environments. The group uses phishing for initial access and communicates via the dark web and the Session messenger for negotiations. Victims span multiple countries, primarily in the service and manufacturing sectors. The Windows variant appends multiple file extensions to encrypted files and is reported to use RSA encryption, while the Linux version shares code with Sodinokibi/REvil ransomware. A weaponized PowerShell script disables security features before the payload is executed. The ransomware's infrastructure is linked to a Russian firm, suggesting possible ties to the region.

AI-Powered Analysis

Last updated: 06/21/2025, 13:08:52 UTC

Technical Analysis

BERT ransomware, active since March 2025, targets both Windows and Linux environments. Phishing email is the reported initial access vector: a user is socially engineered into executing the malicious attachment or link. Once on a host, the operators run a weaponized PowerShell script that disables antivirus and endpoint detection and response (EDR) tooling before the payload is launched, so that encryption proceeds without interference. The Windows variant appends multiple file extensions to encrypted files and is described as using RSA encryption; the report does not say whether file contents are RSA-encrypted directly or, as is typical of ransomware, encrypted with a symmetric cipher whose key is then RSA-wrapped, and that detail matters when evaluating any recovery or decryption claim. The Linux variant shares significant code with Sodinokibi/REvil, which points to code reuse rather than a from-scratch build. Ransom negotiations are conducted through a dark web portal and the Session encrypted messenger, which gives the operators anonymity and operational security. Victims are spread across multiple countries and concentrated in the service and manufacturing sectors. The supporting infrastructure is linked to a Russian firm, which suggests but does not establish a regional origin. The indicators published with the report are 27 file hashes of the ransomware binaries (MD5, SHA-1 and SHA-256) and two .onion domains used for negotiation or the group's leak site (judging by the name of the first domain). No exploitation of a software vulnerability is reported: access depends on a user running the phishing payload, and the defense-evasion step depends on the script being allowed to execute with sufficient privilege, which is where hardening and detection should concentrate.

Potential Impact

For European organizations, BERT poses a significant threat to service providers and manufacturers, the sectors the report identifies as most affected and both central to the European economy. A successful infection means widespread encryption of sensitive and operational data, downtime and its financial cost, and a decision about ransom payment; under GDPR a loss of availability of personal data is itself a personal data breach, so notification obligations can apply even when nothing was exfiltrated. The dual Windows and Linux tooling extends the reach of a single intrusion across the mixed estates common in European enterprises. Because security tooling is disabled before the payload runs, early detection is less likely and the intruder has more time for lateral movement before encryption begins. The link to infrastructure associated with a Russian firm, given current geopolitical tensions, raises the likelihood that strategic European industries are deliberately targeted. The reported RSA-based encryption and the code overlap with Sodinokibi/REvil, a family with a record of high-impact attacks, indicate a mature payload rather than an improvised one, and the reliance on phishing means the human factor remains a persistent weakness that the campaign is built to exploit.

Mitigation Recommendations

European organizations should layer defenses around the two tactics the report describes: phishing for initial access and a PowerShell script that disables security tooling before the payload runs.

Phishing: run user awareness training that teaches staff to report suspicious mail rather than open unknown attachments or links, and deploy email filtering with attachment detonation (sandboxing) so that a weaponized script or loader is executed and observed before it reaches a mailbox.

PowerShell hardening and detection: enable PowerShell script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) and module logging, forward those events to a SIEM, and alert on script blocks that stop or reconfigure antivirus and EDR. Turn on tamper protection in Microsoft Defender so that a script cannot simply switch real-time protection off. Constrained Language Mode is worthwhile, but it is only enforced when backed by an application control policy (WDAC or AppLocker); setting it through an environment variable or a profile is trivially undone by the attacker's own script. Remove the PowerShell 2.0 engine, which predates script block logging.

Reduce the attack surface on both platforms: patch Windows and Linux hosts promptly, restrict execution to allow-listed binaries and scripts, and segment the network so that a compromised workstation cannot freely reach file servers and Linux hosts. Since the Linux variant shares code with Sodinokibi/REvil, Linux servers must not be treated as out of scope for ransomware controls.

Backups: keep offline or immutable backups of critical data for Windows and Linux systems alike, and test restoration regularly; a backup that has never been restored is an assumption, not a control.

Indicators: the two .onion domains cannot be blocked at the firewall or DNS resolver in the usual way, because .onion names are resolved inside the Tor network rather than through public DNS. Detect and block Tor client traffic at the egress instead, and search proxy and DNS logs for the onion names to catch hosts reaching them through a Tor2web-style gateway. Hunt for the published file hashes on endpoints and in file-server and email-gateway telemetry, but treat a hash match as confirmation of a known sample only: a recompiled binary changes all three digests, so behavioral detection (security tooling being stopped, mass file renames with multiple appended extensions) matters more than the hash list.

Finally, maintain an incident response plan that includes coordination with law enforcement and national cybersecurity authorities, and weigh the geopolitical context when assessing the likelihood of a targeted attack.
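As an added example (not code from this page or from The Raven File's report), the following Python script puts the published indicators to work on either platform: it sorts the listed hashes by digest type, sweeps a directory computing MD5, SHA-1 and SHA-256 in a single pass, and checks proxy log lines for the two .onion domains. The hash and domain values are the ones listed on this page; the planted file and the proxy log lines are constructed for the demonstration.

```python
"""Sweep for the BERT indicators listed above (added example, not the page's
or The Raven File's code; standard library only). Hashes and domains are
copied from the page's IOC list; log lines and the planted file are constructed."""
import hashlib
import os
import re
import tempfile

# Nine MD5, nine SHA-1 and nine SHA-256 values, as published on the page.
BERT_HASHES = """
003291d904b89142bada57a9db732ae7 00fdc504be1788231aa7b7d2d1335893 29a2cc59a9ebd334103ce146bca38522
38ce06bf89b28ccebf5a78404eb3818e 3e581aad42a2a9e080a4a676de42f015 5cab4fabffeb5903f684c936a90e0b46
71dc9540eb03f2ed4d1b6496b13fe839 d1013bbaa2f151195d563b2b65126fa3 edec051ce461d62fbbd3abf09534b731
0f63b3603bd4bf49bdbb7e1ab9912e3fc88cf9bf 284678fd046682fe5e6cab7e83a2cbe000bb140e 434f6d0cc7d074c3215981edca4de89a4bf1b7ec
4a4a58abebe37642c1ed3411e3154d1f68bca4d3 4f5d4429d80f10609b5c22bea3dddf47c390b90a 781da9e43d18343252d242b6a441ad3a4d8f00c2
7aa1de73654f7d6605c81d93f89245a8969d5b9c be687f964b17c0a3ccd7e4c7ba88e8de618ea2cd f65aec7f7bc57218adaa970963b386eeecdc107d
25c693808095f45d297171eba5196e9a5176281a2d248cb1a8cfa07a68bbe332 5bba035c4cb3c2e09a355d9356b3397184af4bf1ac1ff1df99ae9c15edee9f2b
6182df9c60f9069094fb353c4b3294d13130a71f3e677566267d4419f281ef02 78eb838238dad971dcbc46b86491d95e297f3d47dc770de5c43af3163990d31c
8478d5f5a33850457abc89a99718fc871b80a8fb0f5b509ac1102f441189a311 b2f601ca68551c0669631fd5427e6992926ce164f8b3a25ae969c7f6c6ce8e4f
c7efe9b84b8f48b71248d40143e759e6fc9c6b7177224eb69e0816cc2db393db ced4ed5e5ef7505dd008ed7dd28b8aff38df7febe073d990d6d74837408ea4be
f2dc218ea8e2caa8668e54bae6561afd9fbf035a40b80ce9e847664ff0809799
""".split()

BERT_DOMAINS = [
    "bertblogsoqmm4ow7nqyh5ik7etsmefdbf25stauecytvwy7tkgizhad.onion",
    "wtwdv3ss4d637dka7iafl7737ucykei7pluzc7is3mgo2vl5nmq7eeid.onion",
]

def classify_hashes(values):
    """Bucket hex digests by length; anything else is an error in the IOC list, not a silent skip."""
    buckets = {"md5": set(), "sha1": set(), "sha256": set()}
    for raw in values:
        value = raw.strip().lower()
        algo = {32: "md5", 40: "sha1", 64: "sha256"}.get(len(value))
        if algo is None or not re.fullmatch(r"[0-9a-f]+", value):
            raise ValueError(f"not a recognised hex digest: {raw!r}")
        buckets[algo].add(value)
    return buckets

def file_digests(path, chunk=1 << 20):
    """Compute MD5, SHA-1 and SHA-256 in one read so the sweep stays I/O-bound."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {algo: h.hexdigest() for algo, h in hashers.items()}

def sweep_directory(root, iocs):
    """Return (path, algorithm, digest) for every file under root whose digest is in iocs."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = file_digests(path)
            except OSError:
                continue  # locked or unreadable files are skipped, not fatal
            for algo, digest in digests.items():
                if digest in iocs[algo]:
                    hits.append((path, algo, digest))
    return hits

# v3 (56-char) and v2 (16-char) base32 onion names. .onion is never resolved through
# public DNS, so a hit in proxy/DNS logs means a Tor2web gateway or a misconfigured client.
ONION_RE = re.compile(r"\b[a-z2-7]{56}\.onion\b|\b[a-z2-7]{16}\.onion\b", re.IGNORECASE)

def scan_log_lines(lines, domains):
    """Split lines into those naming a listed BERT domain and those naming any other .onion host."""
    known = {d.lower() for d in domains}
    listed, other_onion = [], []
    for line in lines:
        match = ONION_RE.search(line)
        if match:
            (listed if match.group(0).lower() in known else other_onion).append(line)
    return listed, other_onion

# Constructed proxy log lines for the demo, not real telemetry.
SAMPLE_PROXY_LOG = [
    "2025-06-18T09:12:44Z 10.20.4.17 CONNECT bertblogsoqmm4ow7nqyh5ik7etsmefdbf25stauecytvwy7tkgizhad.onion:443 403",
    "2025-06-18T09:13:02Z 10.20.4.17 GET https://www.example.com/ 200",
    "2025-06-18T09:15:31Z 10.20.9.3 CONNECT exampleonion2345.onion:443 403",
]

def demo_sweep():
    """Plant one constructed file, seed an IOC set with its own SHA-256 and confirm the sweep
    flags it; also confirm the real BERT hashes produce no hit on that directory."""
    with tempfile.TemporaryDirectory() as root:
        planted = os.path.join(root, "dropper.exe")
        with open(planted, "wb") as fh:
            fh.write(b"constructed sample content, not a real binary\n")
        own_iocs = classify_hashes([file_digests(planted)["sha256"]])
        planted_hits = [(os.path.basename(p), a, d) for p, a, d in sweep_directory(root, own_iocs)]
        bert_hits = sweep_directory(root, classify_hashes(BERT_HASHES))
    return planted_hits, bert_hits

if __name__ == "__main__":
    print("demo sweep:", demo_sweep())
    print("onion hits:", scan_log_lines(SAMPLE_PROXY_LOG, BERT_DOMAINS))
```

Run it directly to see the demo sweep and the log scan, or call sweep_directory with a real path and classify_hashes(BERT_HASHES) for a hunt. Two caveats apply when reading the results: a clean hash sweep is not evidence of absence, since a rebuilt binary changes all three digests, and a .onion match in proxy or DNS logs is a low-volume, high-signal event that points at a gateway or misconfiguration rather than at ordinary Tor use, which the log scan's "other onion" bucket is there to surface.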

Technical Details

Author
AlienVault
TLP
white
References
https://theravenfile.com/2025/06/16/bert-ransomware
Adversary
BERT Ransomware
Pulse Id
6855b5c6da6f1326c8888a58
Threat Score
null

Indicators of Compromise

Hash

MD5:
003291d904b89142bada57a9db732ae7
00fdc504be1788231aa7b7d2d1335893
29a2cc59a9ebd334103ce146bca38522
38ce06bf89b28ccebf5a78404eb3818e
3e581aad42a2a9e080a4a676de42f015
5cab4fabffeb5903f684c936a90e0b46
71dc9540eb03f2ed4d1b6496b13fe839
d1013bbaa2f151195d563b2b65126fa3
edec051ce461d62fbbd3abf09534b731

SHA-1:
0f63b3603bd4bf49bdbb7e1ab9912e3fc88cf9bf
284678fd046682fe5e6cab7e83a2cbe000bb140e
434f6d0cc7d074c3215981edca4de89a4bf1b7ec
4a4a58abebe37642c1ed3411e3154d1f68bca4d3
4f5d4429d80f10609b5c22bea3dddf47c390b90a
781da9e43d18343252d242b6a441ad3a4d8f00c2
7aa1de73654f7d6605c81d93f89245a8969d5b9c
be687f964b17c0a3ccd7e4c7ba88e8de618ea2cd
f65aec7f7bc57218adaa970963b386eeecdc107d

SHA-256:
25c693808095f45d297171eba5196e9a5176281a2d248cb1a8cfa07a68bbe332
5bba035c4cb3c2e09a355d9356b3397184af4bf1ac1ff1df99ae9c15edee9f2b
6182df9c60f9069094fb353c4b3294d13130a71f3e677566267d4419f281ef02
78eb838238dad971dcbc46b86491d95e297f3d47dc770de5c43af3163990d31c
8478d5f5a33850457abc89a99718fc871b80a8fb0f5b509ac1102f441189a311
b2f601ca68551c0669631fd5427e6992926ce164f8b3a25ae969c7f6c6ce8e4f
c7efe9b84b8f48b71248d40143e759e6fc9c6b7177224eb69e0816cc2db393db
ced4ed5e5ef7505dd008ed7dd28b8aff38df7febe073d990d6d74837408ea4be
f2dc218ea8e2caa8668e54bae6561afd9fbf035a40b80ce9e847664ff0809799

Domain

bertblogsoqmm4ow7nqyh5ik7etsmefdbf25stauecytvwy7tkgizhad.onion
wtwdv3ss4d637dka7iafl7737ucykei7pluzc7is3mgo2vl5nmq7eeid.onion

Threat ID: 68568e6baded773421b59a63

Added to database: 6/21/2025, 10:50:19 AM

Last enriched: 6/21/2025, 1:08:52 PM

Last updated: 8/12/2025, 12:09:14 PM
