{"id":58936,"date":"2025-07-07T00:00:00","date_gmt":"2025-07-07T00:00:00","guid":{"rendered":"urn:uuid:3811eb37-8cd4-6beb-f70c-a7fa46b14950"},"modified":"2025-07-07T00:00:00","modified_gmt":"2025-07-07T00:00:00","slug":"bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms\/","title":{"rendered":"BERT Ransomware Group Targets Asia and Europe on Multiple Platforms"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/bert_ransomware_group_targets_asia_and_europe_on_multiple_platforms:Large?qlt=80\"> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"51.083454419104\"> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\"
data-article-pageid=\"828560140\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"13.5\">\n<div class=\"article-details\" role=\"heading\" readability=\"47\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Ransomware<\/p>\n<p class=\"article-details__description\">BERT is a newly emerged ransomware group that pairs simple code with effective execution\u2014carrying out attacks across Europe and Asia. In this entry, we examine the group\u2019s tactics, how their variants have evolved, and the tools they use to get past defenses and speed up encryption across platforms.<\/p>\n<p class=\"article-details__author-by\">By: Don Ovid Ladores, Nathaniel Morales, Maristel Policarpio, Sophia Nilette Robles, Sarah Pearl Camiling, Ivan Nicole Chavez <time class=\"article-details__date\">July 07, 2025<\/time> <\/p>\n<\/div><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-lg-8 col-lg-push-2\"> <\/p>\n<div>\n<div class=\"richText\">\n<div>\n<h2><span class=\"body-subhead-title\">Key 
Takeaways<\/span><\/h2>\n<ul>\n<li><span class=\"rte-red-bullet\">BERT (tracked by Trend Micro as Water Pombero) is a newly emerged ransomware group targeting both Windows and Linux platforms, with confirmed victims in Asia, Europe, and the US, particularly across healthcare, technology, and event services sectors.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">The group\u2019s tactics include PowerShell-based loaders, privilege escalation, and concurrent file encryption, allowing them streamlined attack execution and evasion despite their reliance on a simple codebase.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">On Linux systems, BERT\u2019s ransomware variant supports up to 50 threads for fast encryption and can forcibly shut down ESXi virtual machines to maximize impact and disrupt recovery efforts.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Trend Vision One\u2122 detects and blocks the indicators of compromise (IOCs) related to BERT. Trend Vision One customers can also access hunting queries, threat insights, and threat intelligence reports to gain rich context and the latest updates on BERT.<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35.70652173913\">\n<div readability=\"17.608695652174\">\n<p>In April, a new <a href=\"https:\/\/www.trendmicro.com\/vinfo\/tmr\/?\/us\/security\/definition\/ransomware\" target=\"_self\">ransomware<\/a> group known as BERT has been observed targeting organizations across Asia and Europe. Trend\u2122 Research&nbsp;telemetry has confirmed the emergence and activity of this ransomware.<\/p>\n<p>This blog entry examines BERT\u2019s tools and tactics across multiple variants. 
By comparing its different iterations, we unpack how the ransomware group operates, how their methods have evolved, and the tactics they employed to evade detection and defenses.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/g\/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms\/fig1_bert_ransom_note.png\" alt=\"Figure 1. BERT ransom note\"> <\/p>\n<p><figcaption>Figure 1. BERT ransom note<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"36\">\n<div readability=\"17\">\n<h2><span class=\"body-subhead-title\">Victimology<\/span><\/h2>\n<p>We found initial incidents impacting organizations in the US and parts of Asia. Affected sectors include healthcare, technology, and event services. More recently, we discovered this ransomware emerging in our telemetry, indicating an expansion in its targeting activity. There have already been several victims since it first emerged in April.<\/p>\n<h2><span class=\"body-subhead-title\">BERT on Windows systems<\/span><\/h2>\n<p>The BERT ransomware group employs a straightforward code structure in its Windows variant. It uses specific strings to match and terminate certain processes.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"7.5\">\n<figure class=\"image-figure\" readability=\"5\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/g\/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms\/fig2_termination_of_processes.png\" alt=\"Figure 2. Termination of processes associated with web servers, databases, and other critical services\"> <\/p>\n<p><figcaption>Figure 2. 
Termination of processes associated with web servers, databases, and other critical services<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>The public key, file extension, and ransom note are easily accessible. It also encrypts files using the standard AES algorithm.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/g\/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms\/fig3_ransom_note_config_details.png\" alt=\"Figure 3. Ransom note and configuration details from the Windows variant\"> <\/p>\n<p><figcaption>Figure 3. Ransom note and configuration details from the Windows variant<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"43\">\n<div readability=\"31\">\n<h3><span class=\"body-subhead-title\">Activity observed in the wild<\/span><\/h3>\n<p>During our pivoting efforts, we identified additional samples uploaded in the wild. Analysis revealed that these samples are older versions, lacking the updated encryption methods and function sequences seen in samples from our internal telemetry. These differences indicate that the threat actors are actively developing and refining the ransomware.<\/p>\n<p>Over the course of our investigation, we found a PowerShell script (start.ps1) that functions as a loader for the BERT ransomware payload (payload.exe). The script escalates privileges, disables Windows Defender, the firewall, and user account control (UAC), then downloads and executes the ransomware from the remote IP address 185[.]100[.]157[.]74. The exact initial access method remains unclear.<\/p>\n<p>Interestingly, the mentioned IP address is associated with ASN 39134, which is registered in Russia. 
While this alone does not establish attribution, the use of Russian infrastructure may indicate a potential connection to threat actors operating in or associated with the region. Notably, start.ps1 acts as the initial execution point for the ransomware.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"7\">\n<figure class=\"image-figure\" readability=\"4\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/g\/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms\/fig4_powershell_with_russian_comments.png\" alt=\"Figure 4. PowerShell script containing Russian comments, outlining steps typically used to disable security features and retrieve the ransomware payload.\"> <\/p>\n<p><figcaption>Figure 4. PowerShell script containing Russian comments, outlining steps typically used to disable security features and retrieve the ransomware payload.<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"38\">\n<div readability=\"21\">\n<p>The PowerShell command attempts to launch a process (payload.exe) with elevated (administrator) privileges by using the -Verb RunAs parameter in Start-Process. This parameter explicitly tells Windows to run the executable as an administrator, which applies when an attacker already has some level of access (e.g., from a compromised user session) and wants to elevate to full administrator rights.<\/p>\n<p>The contents of the open directory on the IP address from which the ransomware is downloaded can include payload.exe and start.ps1, along with their corresponding timestamps, file sizes, and server information, as seen in Figure 5. 
This openly accessible setup likely serves as the staging point for delivering BERT ransomware components.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6.5\">\n<figure class=\"image-figure\" readability=\"3\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/g\/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms\/fig5_open_directory_listing.png\" alt=\"Figure 5. Open directory listing on 185[.]100[.]157[.]74 showing the BERT ransomware payload (payload.exe) and its PowerShell loader (start.ps1)\"> <\/p>\n<p><figcaption>Figure 5. Open directory listing on 185[.]100[.]157[.]74 showing the BERT ransomware payload (payload.exe) and its PowerShell loader (start.ps1)<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/g\/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms\/fig6_files_with_bert_ext.png\" alt=\"Figure 6. Files with the \u201c.encryptedbybert\u201d extension\"> <\/p>\n<p><figcaption>Figure 6. Files with the \u201c.encryptedbybert\u201d extension<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<h3><span class=\"body-subhead-title\">Evolution of BERT\u2019s variants<\/span><\/h3>\n<p>We highlight here one of several differences observed between BERT ransomware iterations to show how it has been improved and streamlined. The older variant first enumerates the drives and drops its ransom note in every directory. It then collects the valid file paths to be encrypted and saves them in an array. 
Only after this collection phase does it proceed with multi-threaded encryption.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6.5\">\n<figure class=\"image-figure\" readability=\"3\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/g\/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms\/fig7_code_of_older_bert_variant.jpg\" alt=\"Figure 7. Code of an older BERT variant showing drive enumeration and file path collection prior to initiating encryption\"> <\/p>\n<p><figcaption>Figure 7. Code of an older BERT variant showing drive enumeration and file path collection prior to initiating encryption<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>In contrast, the new variant uses ConcurrentQueue and creates a DiskWorker on each drive to improve the multi-threaded encryption process. This enables the ransomware to begin encrypting files as soon as they are discovered, unlike the older version, which first stores the file paths in an array before encryption.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"8\">\n<figure class=\"image-figure\" readability=\"6\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/g\/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms\/fig8_newer_bert_variant.png\" alt=\"Figure 8. Code from the newer BERT variant, where it loops through all drives, creates a worker for each, and runs them one by one.\"> <\/p>\n<p><figcaption>Figure 8. 
Code from the newer BERT variant, where it loops through all drives, creates a worker for each, and runs them one by one.<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<h2><span class=\"body-subhead-title\">BERT on Linux systems<\/span><\/h2>\n<p>In May, we identified a Linux sample attributed to the BERT ransomware group. It utilizes 50 threads to maximize encryption speed, enabling it to quickly encrypt files across the system and minimize the chances of detection or interruption.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/g\/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms\/fig9_logs.png\" alt=\"Figure 9. Logs showing the execution of esxcli commands and a list of files being encrypted\"> <\/p>\n<p><figcaption>Figure 9. Logs showing the execution of esxcli commands and a list of files being encrypted<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>This ransomware accepts the following command line parameters:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">--path, -p<br \/><\/span><span class=\"rte-red-bullet\">Specifies the target directory to encrypt. If not provided, it encrypts the current directory.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">--threads, -t <br \/><span>Specifies the number of threads to use for encryption. 
The default is 50 threads.<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\">--silent, -s<br \/><span>Enables silent mode, which doesn&#8217;t automatically stop VMs.<\/span><\/span><\/li>\n<\/ul>\n<p>When executed without the command line parameters, it will proceed to shut down virtual machines using the command seen in Figure 10.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/g\/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms\/fig10_command_to_shutdowm_vms.png\" alt=\"Figure 10. Command used to shut down virtual machines\"> <\/p>\n<p><figcaption>Figure 10. Command used to shut down virtual machines<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>This command will force the termination of all running virtual machine processes on the ESXi host.<\/p>\n<p>After encryption, it appends the extension <b>.encrypted_by_bert<\/b> and drops the ransom note <b>encrypted_by_bert-decrypt.txt<\/b>. It will also display a banner showing the number of encrypted files in the console.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/g\/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms\/fig11_files_encrypted_with_bert_ext.png\" alt=\"Figure 11. Files encrypted with the extension \u201c.encrypted_by_bert\u201d\"> <\/p>\n<p><figcaption>Figure 11. 
Files encrypted with the extension \u201c.encrypted_by_bert\u201d<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/g\/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms\/fig12_linux_variant_ransom_note.png\" alt=\"Figure 12. Linux variant\u2019s ransom note\"> <\/p>\n<p><figcaption>Figure 12. Linux variant\u2019s ransom note<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/g\/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms\/fig13_console_output_linux_variant.png\" alt=\"Figure 13. Console output of Linux variant showing the number of files encrypted in the system\"> <\/p>\n<p><figcaption>Figure 13. Console output of Linux variant showing the number of files encrypted in the system<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"34.827079934747\">\n<div readability=\"17.884176182708\">\n<p>The ransomware&#8217;s configuration is embedded in JSON format, containing its public key (pk), a Base64-encoded ransom note, file extensions to be appended to encrypted files, and other details.<\/p>\n<p>Further investigation suggests that the group may have derived from the <a href=\"https:\/\/angle.ankura.com\/post\/102hcny\/revix-linux-ransomware\" target=\"_blank\">Linux variant of REvil<\/a>, originally identified in early 2021 and known for targeting ESXi servers and Linux. 
<a href=\"https:\/\/www.sentinelone.com\/labs\/hypervisor-ransomware-multiple-threat-actor-groups-hop-on-leaked-babuk-code-to-build-esxi-lockers\/\" target=\"_blank\">Another report<\/a> confirms the overlap between the leaked Babuk source code and the ESXi lockers attributed to Conti and REvil. Although the REvil group was dismantled in 2022, it is likely that the BERT group reused code from the REvil Linux variant.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/g\/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms\/fig14_function_for_reading_config.png\" alt=\"Figure 14. Function responsible for reading the configuration\"> <\/p>\n<p><figcaption>Figure 14. Function responsible for reading the configuration<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"44.363329238329\">\n<div readability=\"33.895577395577\">\n<p>Based on the cited report, this version uses a JSON-formatted configuration embedded in the binary\u2014a typical trait of most modern ransomware, as it allows for better adaptability and easier customization across different campaigns.<\/p>\n<h2><span class=\"body-subhead-title\">Conclusions and recommendations<\/span><\/h2>\n<p>New <a href=\"https:\/\/www.trendmicro.com\/vinfo\/tmr\/?\/us\/security\/definition\/ransomware\" target=\"_self\">ransomware<\/a> groups will likely continue to emerge, repurposing familiar tools and code, while refining TTPs. As the BERT ransomware group demonstrates, simple tools can lead to successful infections. 
This highlights how emerging groups do not need complex techniques to be effective\u2014just a reliable path to their goal, from intrusion to exfiltration and, ultimately, leverage over victims.<\/p>\n<p>Considering ever-evolving TTPs, defending against threat groups like BERT requires a mix of proactive measures and proven security best practices. Organizations should closely monitor PowerShell abuse and unauthorized script execution, particularly loaders like start.ps1 that disable security tools and escalate privileges. Strengthening endpoint protection, restricting admin rights, and isolating critical systems like ESXi servers can also significantly reduce exposure.<\/p>\n<p>To proactively defend against attacks from BERT ransomware, enterprises should implement a comprehensive security strategy that includes the following best practices:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><b>Email and web safety:<\/b> Exercise caution with email and web practices. Avoid downloading attachments, clicking on links, or installing applications unless the source is verified and trusted. Implement web filtering to restrict access to known malicious websites. This should help avoid the initial entry of similar threats.<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Data backup:<\/b> Regularly back up critical data and implement a robust recovery plan. This includes maintaining offline and immutable backups to ensure file recovery even if files are encrypted or wiped.<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Access control:<\/b> Limit administrative rights and access privileges to employees only when necessary. Regularly review and adjust permissions to minimize the risk of unauthorized access.<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Regular updates and scanning:<\/b> Ensure that all security software is updated regularly and conduct periodic scans to identify vulnerabilities. 
Use endpoint security solutions to detect and block malicious components and suspicious behavior.<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>User education:<\/b> Conduct regular training sessions for employees on recognizing social engineering tactics and the dangers of phishing. This awareness can significantly reduce the likelihood of falling victim to such attacks.<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Multilayered security approach:<\/b> Adopt a multilayered defense strategy that includes endpoint, email, web, and network security. This approach will help protect against potential entry points into the system and enhance overall threat detection capabilities.<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Sandboxing and application control:<\/b> Use sandboxing tools to analyze files before they are executed, ensuring that any suspicious files are scanned for potential threats. Enforce application control policies to prevent the execution of unauthorized applications and scripts.<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Monitoring for abnormal activity:<\/b> Implement security information and event management (SIEM) tools to monitor for unusual script executions and outbound connections. 
This proactive monitoring can help identify and mitigate threats before they escalate.<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div readability=\"6\">\n<h2><span class=\"body-subhead-title\">Observed TTPs<\/span><\/h2>\n<p><center readability=\"2\"><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"4\">\n<tbody readability=\"17.5\">\n<tr>\n<td><b>Tactic<\/b><\/td>\n<td><b>Technique<\/b><\/td>\n<td><b>ID<\/b><\/td>\n<td><b>Variant<\/b><\/td>\n<td><b>Details<\/b><\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>Execution<\/td>\n<td>Command and Scripting Interpreter: PowerShell<\/td>\n<td>T1059.001<\/td>\n<td>Windows<\/td>\n<td>Uses PowerShell to perform its activities and run the payload.<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td rowspan=\"3\">Defense Evasion<\/td>\n<td>Impair Defenses: Disable or Modify Tools<\/td>\n<td>T1562.001<\/td>\n<td>Windows<\/td>\n<td>Disabling Defender and related protections by modifying the registry using PowerShell<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td>Impair Defenses: Disable or Modify System Firewall<\/td>\n<td>T1562.004<\/td>\n<td>Windows<\/td>\n<td>Disables Domain, Public and Private Firewall profiles using the PowerShell command <i>Set-NetFirewallProfile<\/i>.<\/td>\n<\/tr>\n<tr readability=\"5\">\n<td>Abuse Elevation Control Mechanism: Bypass User-Account Control<\/td>\n<td>T1548.002<\/td>\n<td>Windows<\/td>\n<td>Disabling UAC allows the program to elevate its privilege without prompting the user through the UAC notification box.<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td rowspan=\"3\">Discovery<\/td>\n<td>File and Directory Discovery<\/td>\n<td>T1083<\/td>\n<td>Windows \/ Linux<\/td>\n<td>Enumerating files and directories<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>Virtual Machine Discovery<\/td>\n<td>T1673<\/td>\n<td>Linux<\/td>\n<td>Uses the command <code>esxcli vm process list<\/code> to enumerate VM images<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>Process 
Discovery<\/td>\n<td>T1057<\/td>\n<td>Windows<\/td>\n<td>Identifying and stopping key services<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td rowspan=\"3\">Impact<\/td>\n<td>Data Encrypted<\/td>\n<td>T1486<\/td>\n<td>Windows \/ Linux<\/td>\n<td>Encrypting victim\u2019s files<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>Data Destruction<\/td>\n<td>T1485<\/td>\n<td>Windows \/ Linux<\/td>\n<td>Destroying data to prevent recovery<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>Inhibit System Recovery<\/td>\n<td>T1490<\/td>\n<td>Windows \/ Linux<\/td>\n<td>Encrypts snapshots of Virtual Machines (ESXi)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Table 1. Summary of TTPs used by BERT<\/p>\n<p><\/center> <\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"44.143314139475\">\n<div readability=\"36.629558541267\">\n<h2><span class=\"body-subhead-title\">Proactive security with Trend Vision One\u2122<\/span><\/h2>\n<p><a href=\"https:\/\/www.trendmicro.com\/en_ph\/business\/products\/one-platform.html\">Trend Vision One\u2122<\/a> is the only AI-powered enterprise cybersecurity platform that centralizes cyber risk exposure management, security operations, and robust layered protection. This comprehensive approach helps you predict and prevent threats, accelerating proactive security outcomes across your entire digital estate. Backed by decades of cybersecurity leadership and Trend Cybertron, the industry&#8217;s first proactive cybersecurity AI, it delivers proven results: a 92% reduction in ransomware risk and a 99% reduction in detection time. Security leaders can benchmark their posture and showcase continuous improvement to stakeholders. 
With Trend Vision One, you\u2019re enabled to eliminate security blind spots, focus on what matters most, and elevate security into a strategic partner for innovation.<\/p>\n<h2><span class=\"body-subhead-title\">Trend Vision One\u2122 Threat Intelligence<\/span><\/h2>\n<p>To stay ahead of evolving threats, <a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/one-platform.html\">Trend Vision One\u2122<\/a> customers can access a range of Intelligence Reports and Threat Insights within Vision One. Threat Insights helps customers stay ahead of cyber threats before they happen and allows them to prepare for emerging threats by offering comprehensive information on threat actors, their malicious activities, and their techniques. By leveraging this intelligence, customers can take proactive steps to protect their environments, mitigate risks, and effectively respond to threats.<\/p>\n<h3><span class=\"body-subhead-title\">Trend Vision One Threat Insights App<\/span><\/h3>\n<h3><span class=\"body-subhead-title\">Trend Vision One Intelligence Reports App [IOC Sweeping]<\/span><\/h3>\n<h2><span class=\"body-subhead-title\">Hunting Queries<\/span><\/h2>\n<p><b>Trend Vision One Search App<\/b><\/p>\n<p>Trend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.<\/p>\n<p><b>Detects the presence of BERT Ransomware: <\/b><br \/><code>malName:Ransom*TREB* AND eventName:MALWARE_DETECTION<\/code><\/p>\n<p>More hunting queries are available for Vision One customers with <a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/threat-intelligence.html\">Threat Insights Entitlement enabled<\/a>.<\/p>\n<h2><span class=\"body-subhead-title\">Indicators of Compromise (IoC)<\/span><\/h2>\n<p><center><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"4\">\n<tbody 
readability=\"19.5\">\n<tr>\n<td><b>SHA256<\/b><\/td>\n<td><b>Detection<\/b><\/td>\n<td><b>Description<\/b><\/td>\n<\/tr>\n<tr readability=\"6\">\n<td>1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326<\/td>\n<td>PUA.Win32.DefenderControl.B<\/td>\n<td>Tool used to disable antivirus protection<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4<\/td>\n<td>PUA.Win64.ProcHack.B<\/td>\n<td>Process Hacker binary used for process manipulation<\/td>\n<\/tr>\n<tr readability=\"5\">\n<td>75fa5b506d095015046248cf6d2ec1c48111931b4584a040ceca57447e9b9d71<\/td>\n<td>Ransom.MSIL.TREB.YPFDUT<\/td>\n<td>BERT ransomware (Windows binary, new variant)<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td>8478d5f5a33850457abc89a99718fc871b80a8fb0f5b509ac1102f441189a311<\/td>\n<td>Ransom.MSIL.TREB.SMYPFDUT<\/td>\n<td>BERT ransomware (Windows binary)<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td>b2f601ca68551c0669631fd5427e6992926ce164f8b3a25ae969c7f6c6ce8e4f<\/td>\n<td>Trojan.PS1.POWLOAD.THEBIBE<\/td>\n<td>PowerShell script that downloads and executes BERT ransomware<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4<\/td>\n<td>PUA.Win64.ProcHack.YACIU<\/td>\n<td>Alternate Process Hacker binary variant<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td>c7efe9b84b8f48b71248d40143e759e6fc9c6b7177224eb69e0816cc2db393db<\/td>\n<td>Ransom.Linux.TREB.THDBEBE<\/td>\n<td>BERT ransomware (Linux variant)<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>hxxp:\/\/185[.]100[.]157[.]74\/payload[.]exe<\/td>\n<td>&nbsp;<\/td>\n<td>Download link<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><\/center> <\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <!-- \/* Core functionality javascripts, absolute URL to leverage Akamai CDN *\/ --> <!--For Modal-start--> <\/p>\n<p> 
<\/p>\n<p> <!--For Modal-end--> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/g\/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>BERT is a newly emerged ransomware group that pairs simple code with effective execution\u2014carrying out attacks across Europe and Asia. In this entry, we examine the group\u2019s tactics, how their variants have evolved, and the tools they use to get past defenses and speed up encryption across platforms. Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9539],"class_list":["post-58936","post","type-post","status-publish","format-standard","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-ransomware"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>BERT Ransomware Group Targets Asia and Europe on Multiple Platforms 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"BERT Ransomware Group Targets Asia and Europe on Multiple Platforms 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2025-07-07T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/bert_ransomware_group_targets_asia_and_europe_on_multiple_platforms:Large?qlt=80\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"11 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"BERT Ransomware Group Targets Asia and Europe on Multiple Platforms\",\"datePublished\":\"2025-07-07T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms\\\/\"},\"wordCount\":2301,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/bert_ransomware_group_targets_asia_and_europe_on_multiple_platforms:Large?qlt=80\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Ransomware\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms\\\/\",\"name\":\"BERT Ransomware Group Targets Asia and Europe on Multiple Platforms 2026 | ThreatsHub Cybersecurity 
News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/bert_ransomware_group_targets_asia_and_europe_on_multiple_platforms:Large?qlt=80\",\"datePublished\":\"2025-07-07T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms\\\/#primaryimage\",\"url\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/bert_ransomware_group_targets_asia_and_europe_on_multiple_platforms:Large?qlt=80\",\"contentUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/bert_ransomware_group_targets_asia_and_europe_on_multiple_platforms:Large?qlt=80\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\"
:\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"BERT Ransomware Group Targets Asia and Europe on Multiple Platforms\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"BERT Ransomware Group Targets Asia and Europe on Multiple Platforms 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms\/","og_locale":"en_US","og_type":"article","og_title":"BERT Ransomware Group Targets Asia and Europe on Multiple Platforms 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2025-07-07T00:00:00+00:00","og_image":[{"url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/bert_ransomware_group_targets_asia_and_europe_on_multiple_platforms:Large?qlt=80","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"11 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"BERT Ransomware Group Targets Asia and Europe on Multiple Platforms","datePublished":"2025-07-07T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms\/"},"wordCount":2301,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/bert_ransomware_group_targets_asia_and_europe_on_multiple_platforms:Large?qlt=80","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Ransomware"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms\/","url":"https:\/\/www.threatshub.org\/blog\/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms\/","name":"BERT Ransomware Group Targets Asia and Europe on Multiple Platforms 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/bert_ransomware_group_targets_asia_and_europe_on_multiple_platforms:Large?qlt=80","datePublished":"2025-07-07T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms\/#primaryimage","url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/bert_ransomware_group_targets_asia_and_europe_on_multiple_platforms:Large?qlt=80","contentUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/bert_ransomware_group_targets_asia_and_europe_on_multiple_platforms:Large?qlt=80"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, 
Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"BERT Ransomware Group Targets Asia and Europe on Multiple Platforms"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/58936","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=58936"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/58936\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=58936"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=58936"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=58936"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}