
How BERT Ransomware Is Shutting Down Virtual Machines and How to Stay Protected in 2025

A new breed of ransomware has entered the global stage — and it’s more destructive than anything we’ve seen in 2025.

First identified in April, the BERT ransomware group (also tracked as Water Pombero by Trend Micro) has rapidly evolved into a serious threat targeting critical infrastructure worldwide — particularly healthcare, IT, and event industries.

What makes BERT different?
It doesn’t just encrypt data — it kills virtual machines (VMs) before encryption, making recovery nearly impossible without strong cyber defenses.

Latest Updates on BERT Ransomware

As of July 2025, BERT ransomware has continued to evolve with new, more aggressive capabilities:

  • Trend Micro reports that BERT is now actively targeting organizations in Europe, Asia, and the U.S., with a strong focus on healthcare and tech.

  • Multi-threaded encryption (up to 50 concurrent threads) is still being used to rapidly lock files, especially on Linux systems.

  • New variants have emerged with code structures similar to REvil, skipping the traditional file-mapping phase and jumping straight to encryption using concurrent queues.

  • According to Halcyon.ai, the forced shutdown of ESXi virtual machines is not just a way to lock data—it is a deliberate tactic to cripple backup and disaster recovery operations, making ransom payment more likely.

What Makes BERT Ransomware So Dangerous?

Here are some of the standout tactics used by the BERT group:

  • Multi-platform Attacks: Simultaneously targets Windows, Linux, and ESXi systems.

  • Forced VM Shutdowns: The Linux/ESXi variant kills virtual machine processes before encrypting files, preventing easy recovery.

  • High-Speed Encryption: On Linux, the malware spawns up to 50 threads at once, drastically speeding up the attack.

  • Targeted Escalation on Windows: BERT uses PowerShell loaders to disable antivirus (like Windows Defender), bypass UAC, escalate privileges, and download its payload—often from servers located in Russia.

These features confirm that BERT is not amateur malware. It’s been purpose-built to disable critical systems and enforce maximum operational disruption.


Steps to Stay Secure from BERT Ransomware

  1. Backup Regularly & Keep Copies Offline
    Use immutable and air-gapped backups to ensure recovery even if VMs are shut down or encrypted.

  2. Patch Systems & Update Software
    Keep your operating systems, ESXi hosts, and applications updated to close known vulnerabilities.

  3. Restrict Admin Access
    Limit privileges on both Windows and Linux systems. Only authorized personnel should access VM consoles or hypervisors.

  4. Monitor VM Behavior & Logs
    Detect abnormal shutdown commands (vim-cmd, esxcli) and unusual script execution across ESXi and Linux systems.

  5. Enable Endpoint & Email Security
    Block malicious PowerShell scripts and known ransomware loaders. Use advanced threat protection and email filtering.

  6. Isolate and Segment Critical Infrastructure
    Use micro-segmentation to prevent ransomware from moving laterally within virtual environments.

  7. Train Your Staff
    Conduct regular cybersecurity awareness sessions to recognize phishing and social engineering.

  8. Implement Real-Time Threat Detection Tools
    Use SIEM, EDR, and hypervisor-integrated agents to catch threats early and trigger automated response actions.

  9. Use Application Whitelisting & Sandboxing
    Prevent execution of unauthorized apps/scripts and test suspicious files before they can run.
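As an added example for step 4 (not part of the original post, and not ThreatSys or CYQER code), here is a small Python detector that scans constructed ESXi shell-log lines and Windows PowerShell command lines for the shutdown commands named above (vim-cmd, esxcli) and for the Defender-disabling and policy-bypass switches the post attributes to BERT's PowerShell loaders. It goes one step beyond single-line matching by escalating a burst of forced VM power-offs on one host, which is the mass-shutdown pattern described earlier. The log formats, rule names, thresholds, hostnames and sample lines are all assumptions made for this example.

```python
"""Scan ESXi shell-log lines and PowerShell command lines for the behaviours
named in step 4 (forced VM shutdowns via vim-cmd/esxcli, suspicious script
execution) and escalate a burst of shutdowns on one host.

All formats, rule names, thresholds and sample events below are assumptions
made for this example; they are not from the original post or from ThreatSys.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Each rule: (name, severity, log source it applies to, pattern).
RULES = [
    ("esxi_vm_forced_off", "high", "esxi_shell",
     re.compile(r"\bvim-cmd\s+vmsvc/power\.off\b|\besxcli\s+vm\s+process\s+kill\b")),
    ("ps_defender_tamper", "high", "powershell",
     re.compile(r"Set-MpPreference\s+.*-Disable\w+|Add-MpPreference\s+.*-Exclusion", re.I)),
    ("ps_hidden_bypass", "medium", "powershell",
     re.compile(r"(?:-ep|-ExecutionPolicy)\s+bypass|(?:-w|-WindowStyle)\s+hidden", re.I)),
]

# Several forced power-offs on one ESXi host inside this window is treated as a
# mass shutdown, the pattern the post attributes to BERT's Linux/ESXi variant.
BURST_THRESHOLD = 3
BURST_WINDOW = timedelta(seconds=60)

# Leading timestamp of the constructed ESXi shell-log format used below.
ESXI_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z")

# Constructed sample events: (host, source, raw line). Hosts, times and VM ids
# are made up; the ESXi lines imitate the shape of shell-history log entries,
# the Windows lines imitate process-creation telemetry for powershell.exe.
SAMPLE_EVENTS = [
    ("esxi-01", "esxi_shell", "2025-07-08T02:11:03Z [root]: esxcli network ip interface list"),
    ("esxi-01", "esxi_shell", "2025-07-08T02:11:09Z [root]: esxcli vm process kill --type=force --world-id=2101234"),
    ("esxi-01", "esxi_shell", "2025-07-08T02:11:09Z [root]: vim-cmd vmsvc/power.off 12"),
    ("esxi-01", "esxi_shell", "2025-07-08T02:11:10Z [root]: vim-cmd vmsvc/power.off 13"),
    ("esxi-01", "esxi_shell", "2025-07-08T02:11:10Z [root]: vim-cmd vmsvc/power.off 14"),
    ("ws-042", "powershell",
     'powershell.exe -nop -w hidden -ep bypass -c "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    ("ws-042", "powershell", "powershell.exe -c Get-ChildItem C:\\Users"),
]


def match_rules(host, source, line):
    """Return one alert dict per rule that fires on this line."""
    return [
        {"host": host, "rule": name, "severity": severity, "line": line}
        for name, severity, applies_to, pattern in RULES
        if applies_to == source and pattern.search(line)
    ]


def detect(events):
    """Run the rules over all events and add burst alerts for mass VM shutdowns."""
    alerts = []
    poweroffs = defaultdict(list)  # host -> timestamps of forced VM shutdowns
    for host, source, line in events:
        hits = match_rules(host, source, line)
        alerts.extend(hits)
        if any(h["rule"] == "esxi_vm_forced_off" for h in hits):
            m = ESXI_TS.match(line)
            if m:
                poweroffs[host].append(datetime.fromisoformat(m.group(1)))

    # Burst correlation: one critical alert per host whose shutdowns cluster.
    for host, times in poweroffs.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = [t for t in times[i:] if t - start <= BURST_WINDOW]
            if len(in_window) >= BURST_THRESHOLD:
                alerts.append({
                    "host": host, "rule": "esxi_mass_vm_shutdown", "severity": "critical",
                    "line": f"{len(in_window)} forced VM shutdowns within "
                            f"{BURST_WINDOW.seconds}s from {start.isoformat()}",
                })
                break
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['severity']:8}] {a['host']:8} {a['rule']:22} {a['line']}")
```

The single-line rules give a SIEM or EDR the signal for step 4 and step 5; the burst rule is what separates an administrator powering off one VM for maintenance from a host losing every VM within seconds, so it is the one worth wiring to an automated isolation or snapshot action.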

How ThreatSys Secures You Against BERT Ransomware


At ThreatSys, our goal is not just detection—but prevention, response, and recovery. Here’s how we defend your infrastructure against ransomware like BERT:

1. Behavioral Anomaly Detection

We detect and block:

  • Suspicious PowerShell commands

  • Malicious script execution

  • Unusual process kills on ESXi (e.g., vim-cmd, esxcli)

2. Real-Time VM Protection using CYQER

Our hypervisor-integrated agents:

  • Monitor for forced VM shutdowns

  • Auto-isolate affected systems

  • Trigger forensic snapshots for investigation

3. Immutable, Air-Gapped Backups

  • Integration with backup tools to create read-only snapshots

  • Even if the ransomware shuts down VMs, backups stay safe

4. Micro-Segmentation for Virtual Environments

  • Limit lateral movement of malware in ESXi

  • Protect access to hypervisors and management consoles

5. Threat Intelligence & Early Alerts

  • We pulled early threat intel on BERT in April through our SOC Product

  • Our threat feeds update clients immediately with zero-day detection rules

6. Proactive Incident Response Playbooks

  • We simulate ransomware shutdown scenarios

  • Our response plans include isolation, recovery, and restoration workflows

Why Traditional Security Isn’t Enough

BERT doesn’t just lock files. It shuts down your ability to recover.

To defend against modern ransomware threats, you need layered defenses that protect not just files, but virtual systems, behavior, and recovery paths.

Threatsys’s CYQER Capability        | BERT Tactic Neutralized
------------------------------------|-----------------------------------------
Hypervisor-aware VM isolation       | Forced VM shutdowns on ESXi
Immutable backups                   | Encryption and file destruction
PowerShell behavior detection       | Defense evasion via script loaders
Threat intelligence & segmentation  | Speedy spread and privileged escalation

Conclusion: Don’t Wait for the Breach—Act Before BERT Strikes


Before BERT Reaches You, Let Threatsys Fortify You.
