Date: 07/08/2025
Severity: Critical
Summary
BERT (also known as Water Pombero) is a recently identified ransomware group targeting both Windows and Linux systems, with confirmed attacks in Asia, Europe, and the US. Their victims span healthcare, technology, and event services sectors. BERT employs PowerShell loaders, privilege escalation, and simultaneous file encryption to execute efficient and evasive attacks. On Linux, their ransomware supports up to 50 threads for rapid encryption and can forcibly shut down ESXi VMs to hinder recovery.
Indicators of Compromise (IOC) List
Domains\URLs:
  http://185.100.157.74/payload.exe

Hashes (SHA-256):
  1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326
  70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4
  75fa5b506d095015046248cf6d2ec1c48111931b4584a040ceca57447e9b9d71
  8478d5f5a33850457abc89a99718fc871b80a8fb0f5b509ac1102f441189a311
  b2f601ca68551c0669631fd5427e6992926ce164f8b3a25ae969c7f6c6ce8e4f
  bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4
  c7efe9b84b8f48b71248d40143e759e6fc9c6b7177224eb69e0816cc2db393db
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Domains\URLs:
  Domainname like "http://185.100.157.74/payload.exe" or url like "http://185.100.157.74/payload.exe" or siteurl like "http://185.100.157.74/payload.exe"

Hash (SHA-256):
  sha256hash IN ("8478d5f5a33850457abc89a99718fc871b80a8fb0f5b509ac1102f441189a311","70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4","c7efe9b84b8f48b71248d40143e759e6fc9c6b7177224eb69e0816cc2db393db","1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326","75fa5b506d095015046248cf6d2ec1c48111931b4584a040ceca57447e9b9d71","b2f601ca68551c0669631fd5427e6992926ce164f8b3a25ae969c7f6c6ce8e4f","bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4")
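The TDIR queries above can be reproduced outside the platform for a quick sweep of exported telemetry. The following is an added example (not Gurucul's or Trend Micro's code) that loads the advisory's IoCs and runs them over JSON-lines events; it assumes the events carry the same field names the queries use (Domainname, url, siteurl, sha256hash) plus a hypothetical "hostname" field, and the sample events are constructed for illustration. It goes one step beyond the `like` query by also comparing the host component of a URL, so a log field that holds only the IP address still matches.

```python
import json
from urllib.parse import urlsplit

# IoCs copied from the advisory above.
IOC_URLS = {"http://185.100.157.74/payload.exe"}
IOC_SHA256 = {
    "1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326",
    "70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4",
    "75fa5b506d095015046248cf6d2ec1c48111931b4584a040ceca57447e9b9d71",
    "8478d5f5a33850457abc89a99718fc871b80a8fb0f5b509ac1102f441189a311",
    "b2f601ca68551c0669631fd5427e6992926ce164f8b3a25ae969c7f6c6ce8e4f",
    "bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4",
    "c7efe9b84b8f48b71248d40143e759e6fc9c6b7177224eb69e0816cc2db393db",
}
# Host component of each IoC URL, so bare-host fields can be matched too.
IOC_HOSTS = {urlsplit(u).hostname for u in IOC_URLS}

URL_FIELDS = ("Domainname", "url", "siteurl")


def match_event(event: dict) -> list[tuple[str, str]]:
    """Return (field, matched_value) pairs for every IoC hit in one event."""
    hits = []
    # Hashes are compared case-insensitively; sensors disagree on hex case.
    sha = (event.get("sha256hash") or "").strip().lower()
    if sha in IOC_SHA256:
        hits.append(("sha256hash", sha))
    for field in URL_FIELDS:
        value = (event.get(field) or "").strip()
        if not value:
            continue
        if value in IOC_URLS:            # exact URL, as the TDIR query does
            hits.append((field, value))
            continue
        # Fall back to the host: a field holding only "185.100.157.74"
        # would never satisfy a `like "http://..."` comparison.
        host = urlsplit(value).hostname if "://" in value else value
        if host and host.lower() in IOC_HOSTS:
            hits.append((field, host.lower()))
    return hits


def scan(jsonl: str) -> list[dict]:
    """Scan JSON-lines telemetry and return one alert per matching event."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        hits = match_event(event)
        if hits:
            alerts.append({"host": event.get("hostname"), "hits": hits})
    return alerts


# Constructed sample telemetry (hypothetical hostnames); the third event
# carries one of the advisory's hashes in upper-case hex.
SAMPLE_EVENTS = "\n".join([
    '{"hostname": "ws-01", "url": "http://185.100.157.74/payload.exe"}',
    '{"hostname": "ws-02", "Domainname": "185.100.157.74"}',
    '{"hostname": "srv-03", "sha256hash": '
    '"8478D5F5A33850457ABC89A99718FC871B80A8FB0F5B509AC1102F441189A311"}',
    '{"hostname": "ws-04", "url": "https://example.org/index.html", '
    '"sha256hash": "' + "0" * 64 + '"}',
])

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The second sample event is the case worth noting: a Domainname field that contains only the IP address is missed by the string comparison in the TDIR query but caught here through the host check. Hash values are lower-cased before lookup for the same reason, since EDR and proxy sources do not agree on hex case.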
Reference:
https://www.trendmicro.com/en_us/research/25/g/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms.html