BERT RANSOMWARE - THE RAVEN FILE
June 23, 2025, 11:21 p.m.
Description
BERT Ransomware, active since March 2025, has expanded its operations to target both Windows and Linux environments. The group uses phishing for initial access and communicates via the dark web and Sessions for negotiations. Victims span multiple countries, primarily affecting service and manufacturing sectors. The Windows variant employs multiple file extensions and RSA encryption, while the Linux version shares code with Sodinokibi/REvil ransomware. A weaponized PowerShell script is used to disable security features before payload execution. The ransomware's infrastructure is linked to a Russian firm, suggesting potential ties to the region.
Tags
Date
- Created: June 20, 2025, 7:25 p.m.
- Published: June 20, 2025, 7:25 p.m.
- Modified: June 23, 2025, 11:21 p.m.
Indicators
- f2dc218ea8e2caa8668e54bae6561afd9fbf035a40b80ce9e847664ff0809799
- ced4ed5e5ef7505dd008ed7dd28b8aff38df7febe073d990d6d74837408ea4be
- c7efe9b84b8f48b71248d40143e759e6fc9c6b7177224eb69e0816cc2db393db
- b2f601ca68551c0669631fd5427e6992926ce164f8b3a25ae969c7f6c6ce8e4f
- 8478d5f5a33850457abc89a99718fc871b80a8fb0f5b509ac1102f441189a311
- 78eb838238dad971dcbc46b86491d95e297f3d47dc770de5c43af3163990d31c
- 5bba035c4cb3c2e09a355d9356b3397184af4bf1ac1ff1df99ae9c15edee9f2b
- 6182df9c60f9069094fb353c4b3294d13130a71f3e677566267d4419f281ef02
- 25c693808095f45d297171eba5196e9a5176281a2d248cb1a8cfa07a68bbe332
- wtwdv3ss4d637dka7iafl7737ucykei7pluzc7is3mgo2vl5nmq7eeid.onion
- bertblogsoqmm4ow7nqyh5ik7etsmefdbf25stauecytvwy7tkgizhad.onion
Attack Patterns
- BERT Ransomware
Additional Informations
- Service
- Logistics
- Manufacturing
- Colombia
- Taiwan
- Malaysia
- United Kingdom of Great Britain and Northern Ireland
- United States of America