Threat analysis by The RabitaNoor (RBTN) Cyber Research Center

BERT Ransomware Expands to Linux with Weaponized ELF Files

The goal of this document is to provide a technical and strategic analysis of a much larger source (a document, audio recording, etc.).

The document is a product of the RBTN - CYOI Pulpit


Main image: photo by Yeshi Kangrang


Document Summary

The BERT ransomware group, active since mid-March 2025, has expanded its attacks from Windows to Linux systems using weaponized ELF files. Initially detected in April 2025, BERT's Linux variant shares 80% code similarity with Sodinokibi (REvil) ransomware. The group employs encryption algorithms like AES, RC4, Salsa20, and ChaCha, with Base64 encoding for obfuscation. A PowerShell script hosted at http://185.100.157.74/start.ps1 disables security mechanisms and downloads a payload from a server linked to Russian firm Edinaya Set Limited. BERT's dark web presence facilitates ransom demands in Bitcoin, with data leaks hosted on Apache servers. The US, UK, Malaysia, Taiwan, Colombia, and Turkey are primary targets, with the service and manufacturing sectors most affected. Timestamp manipulation is used for evasion, with file names like 'newcryptor.exe' and 'bert11' indicating consistent branding.
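The summary above gives concrete indicators (the IP 185.100.157.74, the script path /start.ps1, the file names newcryptor.exe and bert11) and notes that Base64 encoding is used for obfuscation. The Python script below is an added example, not part of the RBTN analysis and not code from any BERT sample: it runs those indicators over a few constructed log lines and, because PowerShell's -EncodedCommand argument is Base64 of UTF-16LE text, decodes such arguments first so that an indicator hidden behind Base64 still matches. The log formats, the host names and the encoded command itself are invented for the example.

```python
import base64
import re

# Indicators as stated in the RBTN summary (IP, script path, file names).
IOC_IPS = {"185.100.157.74"}
IOC_URL_PATHS = {"/start.ps1"}
IOC_FILENAMES = {"newcryptor.exe", "bert11"}

# PowerShell accepts -EncodedCommand and its abbreviations (-enc, -ec, -e);
# the argument is Base64 of a UTF-16LE string.
ENC_RE = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def powershell_encode(script: str) -> str:
    """Encode text the way PowerShell expects for -EncodedCommand (UTF-16LE, Base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry (not real logs). The encoded command only stores
# the IoC URL in a variable, so decoding is what exposes the indicator.
_ENC = powershell_encode("$u = 'http://185.100.157.74/start.ps1'")
SAMPLE_LOGS = [
    "2025-07-29T10:01:02Z proxy src=10.0.0.15 dst=185.100.157.74 method=GET url=http://185.100.157.74/start.ps1 status=200",
    f'2025-07-29T10:01:05Z ps-4104 host=WS-042 cmd="powershell.exe -NoP -W Hidden -EncodedCommand {_ENC}"',
    "2025-07-29T10:02:11Z proxy src=10.0.0.20 dst=203.0.113.9 method=GET url=https://example.com/ status=200",
    "2025-07-29T10:03:30Z auditd host=lnx-db01 exe=/tmp/bert11 comm=bert11 uid=0",
    '2025-07-29T10:04:00Z ps-4104 host=WS-042 cmd="powershell.exe -c Get-Date"',
]


def decode_encoded_commands(line: str) -> list[str]:
    """Return every -EncodedCommand payload found in the line, decoded to text."""
    decoded = []
    for m in ENC_RE.finditer(line):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
            decoded.append(raw.decode("utf-16-le", errors="replace"))
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64; leave it to the analyst
    return decoded


def _bounded(pattern: str, text: str, flags: int = 0) -> bool:
    """Match pattern as a whole token, so 185.100.157.7 does not match 185.100.157.74."""
    return re.search(r"(?<![\w.])" + re.escape(pattern) + r"(?![\w.])", text, flags) is not None


def scan_line(line: str) -> list[tuple[str, str]]:
    """Return sorted, de-duplicated (indicator_type, value) hits for one log line.

    The decoded form of any encoded PowerShell is searched as well, so an
    indicator hidden behind Base64 still matches.
    """
    hits = set()
    decoded = decode_encoded_commands(line)
    for text in [line, *decoded]:
        for ip in IOC_IPS:
            if _bounded(ip, text):
                hits.add(("ip", ip))
        for path in IOC_URL_PATHS:
            if path in text:
                hits.add(("url_path", path))
        for name in IOC_FILENAMES:
            if _bounded(name, text, re.IGNORECASE):
                hits.add(("filename", name))
    for text in decoded:
        hits.add(("encoded_powershell", text))
    return sorted(hits)


def scan_logs(lines) -> list[dict]:
    """Run scan_line over a log stream; return only the lines that matched."""
    findings = []
    for n, line in enumerate(lines, start=1):
        hits = scan_line(line)
        if hits:
            findings.append({"line_no": n, "hits": hits, "line": line})
    return findings


if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f"line {f['line_no']}: {f['hits']}")
```

Run as a script it prints the three matching lines; in practice the same functions would be fed proxy exports, PowerShell script-block (event 4104) logs and auditd records. An encoded_powershell hit on its own is only a lead, since legitimate administration also uses -EncodedCommand; the IP, path and file-name hits are the ones to act on.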

Analysis

Overview

Timestamp: 2025-07-29

Title: BERT Ransomware Expands to Linux with Weaponized ELF Files

Severity: High

The BERT ransomware group is a sophisticated adversary targeting both Windows and Linux systems. They employ advanced encryption techniques and leverage infrastructure linked to Russian firm Edinaya Set Limited. Their operations are financially motivated, with ransom demands in Bitcoin. BERT's attacks primarily target the service and manufacturing sectors in the US, UK, and other countries, posing a significant risk to enterprises relying on Linux and Windows systems.

Adversary

Adversary: The BERT ransomware group is a sophisticated adversary targeting both Windows and Linux systems.

Motivation: Financial gain through ransom demands in Bitcoin.

Sophistication: High, with cross-platform capabilities and advanced evasion techniques.

TTPs:

Capability

Capability: BERT employs advanced encryption and evasion techniques across multiple platforms.

Tools: PowerShell, AWK command

Evasion: Disabling security mechanisms, Base64 encoding
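The summary notes that timestamp manipulation is used for evasion. The following Python script is an added example, not part of the RBTN analysis and not derived from any BERT sample; it shows two file-system heuristics a responder can use on a Linux host to spot files whose modification time was set by hand. Both heuristics, the 5-second slack and the use of os.utime() to stand in for a timestomping tool are assumptions of this example; the file name bert11 is borrowed from the summary and the file content is harmless text.

```python
import os
import tempfile
import time

NO_SUBSECOND = "mtime has no sub-second component"


def check_file_timestamps(path: str, slack_seconds: float = 5.0) -> list[str]:
    """Return the reasons a file's mtime looks hand-set (empty list = nothing odd).

    Heuristics (assumptions of this example, not findings from the RBTN page):
    1. utime()/touch can rewrite atime and mtime, but the kernel stamps ctime
       with the current time on that very call, so a backdated mtime ends up
       well behind ctime. chmod, chown and rename also bump ctime, so treat a
       hit as a lead rather than proof.
    2. Tools that set timestamps usually write whole seconds, while files
       written normally carry nanosecond mtimes on ext4, xfs, btrfs and tmpfs.
    """
    st = os.stat(path)
    reasons = []
    gap = st.st_ctime - st.st_mtime
    if gap > slack_seconds:
        reasons.append(f"mtime earlier than ctime by {gap:.0f}s")
    if st.st_mtime_ns % 1_000_000_000 == 0:
        reasons.append(NO_SUBSECOND)
    return reasons


def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk a directory tree; map each flagged file's path to its reasons."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            reasons = check_file_timestamps(p)
            if reasons:
                flagged[p] = reasons
    return flagged


def demo() -> dict[str, list[str]]:
    """Constructed scenario: two fresh files, one backdated a year with os.utime()."""
    with tempfile.TemporaryDirectory() as d:
        honest = os.path.join(d, "report.txt")
        stomped = os.path.join(d, "bert11")  # name from the summary; content is plain text
        for p in (honest, stomped):
            with open(p, "w") as fh:
                fh.write("constructed sample\n")
        # Whole-second, year-old atime/mtime, as a timestomping tool would set them.
        year_ago = int(time.time()) - 365 * 86400
        os.utime(stomped, (year_ago, year_ago))
        flagged = scan_tree(d)
        return {os.path.basename(p): r for p, r in flagged.items()}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", "; ".join(reasons))
```

On a live host, point scan_tree at directories where dropped binaries tend to land (/tmp, /var/tmp, /dev/shm, home directories) and compare any flagged mtime against package-manager and backup records. Filesystems with one-second timestamp resolution will trigger the second heuristic on every file, so check the mount's capabilities before relying on it.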

Infrastructure

Description: BERT uses a blend of malicious infrastructure, including servers linked to Russian firm Edinaya Set Limited.

C2 Servers: http://185.100.157.74

IPs: 185.100.157.74

Hosting Providers: Edinaya Set Limited

Communication Protocols: HTTP, Dark web onion domains

Victim Profile

Targets: BERT targets global enterprises, particularly in the service and manufacturing sectors.

Industry: Service, Manufacturing

Assets: Linux systems, Windows systems

Data at Risk: Critical infrastructure data

Impact: High

References