BERT Ransomware Kills ESXi VMs to Cripple Recovery
A newly discovered threat actor known as BERT has introduced a ransomware variant capable of forcibly shutting down VMware ESXi virtual machines, significantly disrupting recovery operations. First identified in April 2025, the BERT ransomware kills ESXi processes before encryption begins, targeting hybrid IT environments across Asia, Europe, and the U.S. Security analysts track the group under the alias Water Pombero.
BERT ransomware kills ESXi virtual machines through a Linux-based payload that executes commands to terminate all active virtual machine processes. This tactic prevents administrators from migrating workloads or restoring from live backups. The ransomware supports up to 50 threads for fast encryption and launches attacks on Windows, Linux, and ESXi systems. On Windows, it disables security controls using PowerShell loaders before fetching its payload from Russian infrastructure.
Researchers linked BERT’s code to earlier REvil Linux samples. Experts urge organizations to segment networks, monitor PowerShell activity, and maintain offline backups.
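As an added example (not code from the article or from any analysis of BERT), the following Python detector illustrates the monitoring advice above on the ESXi side: it parses constructed shell-log lines and alerts on a burst of VM-stop commands, which is the behaviour described for the Linux payload. The log format, the 60-second window, the threshold of three commands, and the choice of `esxcli vm process kill` / `vim-cmd vmsvc/power.off` as the commands to watch are assumptions; the article does not name the commands BERT runs.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the style of an ESXi host's /var/log/shell.log (format assumed,
# not taken from the article): a burst of forced VM kills followed, hours later, by a
# single routine power-off that should not alert.
SAMPLE_SHELL_LOG = """\
2025-04-10T02:14:03Z shell[68212]: [root]: esxcli vm process list
2025-04-10T02:14:05Z shell[68212]: [root]: esxcli vm process kill --type=force --world-id=2101232
2025-04-10T02:14:05Z shell[68212]: [root]: esxcli vm process kill --type=force --world-id=2101298
2025-04-10T02:14:06Z shell[68212]: [root]: esxcli vm process kill --type=force --world-id=2101344
2025-04-10T02:14:06Z shell[68212]: [root]: esxcli vm process kill --type=force --world-id=2101401
2025-04-10T02:14:07Z shell[68212]: [root]: esxcli vm process kill --type=force --world-id=2101455
2025-04-10T09:30:11Z shell[70114]: [root]: vim-cmd vmsvc/power.off 12
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")
# Standard ESXi commands that stop a running VM; which ones BERT uses is not stated in the article.
KILL_RE = re.compile(r"esxcli\s+vm\s+process\s+kill|vim-cmd\s+vmsvc/power\.off")


def parse_shell_log(text):
    """Return (timestamp, user, command) tuples for lines that match the shell.log shape."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["user"], m["cmd"]))
    return events


def detect_mass_vm_kill(text, threshold=3, window=timedelta(seconds=60)):
    """Cluster VM-stop commands: a new cluster starts when the gap since the previous
    stop command exceeds `window`; clusters with at least `threshold` commands alert."""
    kills = sorted(e for e in parse_shell_log(text) if KILL_RE.search(e[2]))
    clusters, current = [], []
    for ev in kills:
        if current and ev[0] - current[-1][0] > window:
            clusters.append(current)
            current = []
        current.append(ev)
    if current:
        clusters.append(current)
    return [{"first": c[0][0], "last": c[-1][0], "count": len(c), "user": c[0][1]}
            for c in clusters if len(c) >= threshold]


if __name__ == "__main__":
    for b in detect_mass_vm_kill(SAMPLE_SHELL_LOG):
        print(f"ALERT: {b['count']} VM stop commands by {b['user']} "
              f"between {b['first']} and {b['last']}")
```

On a real host the same logic would run over shipped shell.log or hostd.log events rather than the inline sample; a single power-off is routine, so only the burst is reported.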
Read the full article at https://cybersecuritynews.com/bert-ransomware-esxi-virtual-machines/
