The BERT ransomware group has introduced a new tactic: forcefully shutting down virtual machines on ESXi hosts before encryption. This move not only disrupts business continuity but bypasses common recovery procedures, signaling a critical shift in ransomware strategy.


In the ever-evolving cybersecurity landscape, the BERT ransomware group—also known as “Water Pombero”—has launched a particularly disruptive campaign. Targeting VMware ESXi environments, BERT’s Linux variant is engineered to identify and power down virtual machines (VMs) before triggering encryption, leaving organizations with no immediate fallback for recovery.

This approach marks a technical and strategic turning point: ransomware no longer just encrypts data—it now paralyzes infrastructure at its core.

Shutdown Before Encryption: A Game-Changer

According to a detailed Trend Micro report, BERT uses multithreaded Linux binaries capable of forcefully shutting down all active VMs on an ESXi host before file encryption begins. The aim is clear: neutralize disaster recovery capabilities such as VM snapshots, replication or failover.

Security firm Dark Reading notes that BERT ransomware “effectively wipes out the first line of operational resilience before any data loss occurs.”

David Carrero (Stackscale): “Isolation is no longer optional—it’s foundational”

In a statement to CloudNews Tech, David Carrero, co-founder of Stackscale (Grupo Aire), a European private cloud infrastructure provider, warned of the consequences of leaving hypervisors exposed:

“At Stackscale, we strongly advise against exposing virtualization platforms like ESXi or Proxmox directly to the internet—even for administrative convenience. These management planes must be isolated behind VPNs or private networks by default. Otherwise, you’re effectively giving adversaries the keys to your core infrastructure.”

Carrero emphasizes that this isolation isn’t just a best practice—it’s critical to maintaining control during zero-day scenarios:

“Proper segmentation doesn’t just reduce the attack surface. It gives security teams a crucial time buffer to patch vulnerabilities before they’re weaponized. BERT’s tactic of forced VM shutdown shows that threat actors now aim to break continuity itself, not just steal or encrypt data.”

Economic and Operational Fallout

BERT’s tactic dramatically increases the economic impact of a ransomware attack. When a single compromised ESXi host can take down dozens of virtual servers, the resulting downtime can quickly reach hundreds of thousands of euros per hour, especially in sectors like healthcare, IT services, and logistics.

CISOs across industries have raised concerns that BERT’s strategy renders traditional business continuity plans ineffective. Simply put, if virtual machines are forcibly shut down and encrypted simultaneously, there’s no fallback without hardened, offsite, or immutable backups.

Technical Profile: What Makes BERT Unique?

BERT ransomware is technically sophisticated and tailored for modern hybrid infrastructures:

Linux / ESXi Variant

  • Up to 50 concurrent encryption threads
  • Automatic VM shutdown via ESXi shell commands
  • Custom extensions: .encrypted_by_bert on Linux/ESXi, .encryptedbybert on Windows
  • Code similarities with REvil and Babuk ESXi lockers (up to 80% code overlap)

Windows Variant

  • Delivered via PowerShell-based loaders
  • Disables Windows Defender, UAC, and firewalls
  • Downloads final payload from servers linked to Russian infrastructure
  • Terminates services for databases, web servers, and backup agents before encryption

C2 Infrastructure and Attribution

Researchers have traced BERT’s command and control (C2) infrastructure to Russian-based hosting providers, with evidence such as:

  • Apache/2.4.52 on Ubuntu serving encrypted payloads
  • IP addresses geolocated in Sweden but administratively linked to Russian firms
  • Russian-language comments found in PowerShell scripts

Sectoral Impact

Confirmed BERT victims span the following sectors:

  • Healthcare: Hospitals and medical data centers
  • IT and software: SaaS and MSP providers
  • Event logistics: Companies managing digital infrastructure for large-scale events

Mitigations: Technical and Architectural Recommendations

Infrastructure-level Hardening

  • Isolate hypervisor management (ESXi/Proxmox) from public networks
  • Use VPNs or software-defined private networks (SDNs)
  • Implement offline, immutable backups with strict access policies
  • Enforce strict network segmentation to prevent lateral movement
  • Update firmware and enable Secure Boot where possible

Operational Security Enhancements

  • Monitor for unusual PowerShell activity (e.g., start.ps1)
  • Enable SIEM alerts on ESXi login attempts and config changes
  • Lock down ESXi with host lockdown mode and strict RBAC
  • Restrict access to vCenter and BMC/iLO/iDRAC interfaces via IP whitelisting
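The two log-side checks in the list above, put into working code as an added example (this is not code from the article, from Trend Micro, or from Stackscale). It runs a small detector over constructed ESXi-style log lines and raises an alert for (a) logins or configuration changes from addresses outside an assumed management allowlist and (b) a burst of VM power-offs, the behaviour the article describes BERT performing before encryption. The line format, the management subnet, the threshold of three power-offs within 60 seconds, and every sample line are assumptions made for the example; real hostd and auth logs are richer and a production parser would handle those formats instead.

```python
"""Added example: burst power-off and untrusted-source detection over
constructed ESXi-style log lines. Format, subnet and thresholds are
assumptions for the example, not values from the article."""
from collections import deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log. Assumed format per line:
#   <ISO8601 timestamp> <source-ip> <user> <event> [key=value ...]
# First a routine admin session from the management VLAN, then a login from
# an untrusted address that powers off several VMs within seconds.
SAMPLE_LOG = """\
2025-07-10T02:10:01Z 10.10.0.5 admin login
2025-07-10T02:10:45Z 10.10.0.5 admin vm-power-off vm=test-lab-01
2025-07-10T03:15:02Z 203.0.113.44 root login
2025-07-10T03:15:10Z 203.0.113.44 root vm-power-off vm=erp-db-01
2025-07-10T03:15:11Z 203.0.113.44 root vm-power-off vm=erp-app-01
2025-07-10T03:15:12Z 203.0.113.44 root vm-power-off vm=file-srv-02
2025-07-10T03:15:13Z 203.0.113.44 root vm-power-off vm=backup-proxy
2025-07-10T03:15:30Z 203.0.113.44 root config-change
"""

# Assumed management VLAN; only these sources may log in or change config.
MGMT_ALLOWLIST = [ip_network("10.10.0.0/24")]
# Assumed "mass shutdown" threshold: this many power-offs inside the window.
POWEROFF_THRESHOLD = 3
POWEROFF_WINDOW = timedelta(seconds=60)
SENSITIVE_EVENTS = {"login", "config-change"}


def parse_line(line):
    """Split one log line into a dict; trailing key=value pairs become fields."""
    ts, src, user, event, *rest = line.split()
    extra = dict(kv.split("=", 1) for kv in rest)
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "src": src,
        "user": user,
        "event": event,
        **extra,
    }


def detect(log_text):
    """Return a list of (timestamp, message) alerts for the given log text."""
    alerts = []
    recent_poweroffs = deque()  # timestamps of power-offs inside the window
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        src = ip_address(ev["src"])

        # (a) sensitive actions from outside the management allowlist
        if ev["event"] in SENSITIVE_EVENTS and not any(src in net for net in MGMT_ALLOWLIST):
            alerts.append(
                (ev["ts"], f"{ev['event']} from non-management address {src} as {ev['user']}")
            )

        # (b) burst of VM power-offs: slide the window, fire once when the
        # count first reaches the threshold
        if ev["event"] == "vm-power-off":
            recent_poweroffs.append(ev["ts"])
            while recent_poweroffs and ev["ts"] - recent_poweroffs[0] > POWEROFF_WINDOW:
                recent_poweroffs.popleft()
            if len(recent_poweroffs) == POWEROFF_THRESHOLD:
                alerts.append(
                    (
                        ev["ts"],
                        f"{POWEROFF_THRESHOLD} VM power-offs within "
                        f"{int(POWEROFF_WINDOW.total_seconds())}s (last: {ev['vm']})",
                    )
                )
    return alerts


if __name__ == "__main__":
    for ts, msg in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()}  ALERT  {msg}")
```

On the sample above the detector raises three alerts: the root login from 203.0.113.44, the third power-off in the burst, and the later configuration change from the same untrusted address. The power-off from the management VLAN an hour earlier is not flagged on its own, which is the point of windowing rather than alerting on every shutdown; the burst threshold is what separates an operator's maintenance from the mass shutdown the article describes.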

The Bigger Picture: Resilience Now Means More Than Backup

BERT’s tactics signal a new phase in ransomware evolution: one where the attackers don’t just want your data encrypted—they want your systems nonfunctional.

David Carrero underscores the paradigm shift:

“We’re no longer just defending data. We’re defending availability itself. With BERT, even the best backup is irrelevant if your hypervisor is shut down before you can act. Modern infrastructure requires modern isolation strategies—virtualization without segmentation is now a liability.”

Final Thoughts

BERT is not just another ransomware strain—it represents a strategic and architectural threat to how virtualized environments operate. As more organizations adopt VMware, Proxmox, or KVM to scale workloads, the incentive for attackers to target these platforms grows.

The industry must respond by revisiting the foundations of infrastructure security. No exposure should be assumed safe. And in environments where every VM powers critical workloads, isolation, segmentation, and automation must become default defenses, not afterthoughts.