BERT Ransomware Targets Virtualized Environments in Industrial Networks
New ransomware strain uses ESXi management tools to shut down and encrypt virtual machines across critical sectors
A new ransomware strain named BERT is actively targeting VMware ESXi environments, forcing the shutdown of virtual machines before encrypting datastore files. Analysts from Dragos first identified the campaign in Q2 2025, with Trend Micro confirming activity across Asia, Europe, and the United States as part of a coordinated infrastructure-targeting wave.
The attacks mark a new phase in ransomware evolution — one focused on crippling entire infrastructures rather than single endpoints. BERT’s operators appear to specialize in targeting industrial and virtualized networks where downtime has immediate operational impact.
How BERT targets virtual machines
BERT’s operators deploy custom scripts to locate ESXi hosts and forcibly power off running virtual machines before encryption begins. Once machines are offline, the ransomware encrypts datastore files such as .vmdk and .vmx, effectively taking entire workloads out of operation.
According to research published by Halcyon, the group uses a “kill-the-VMs, kill-the-backups” strategy to ensure maximum disruption and block recovery through snapshots or backups. Trend Micro’s technical write-up notes that BERT’s Linux variant explicitly issues ESXi shutdown commands, indicating a purpose-built design for virtualized targets (Trend Micro).
A Microsoft security report explains that ransomware operators have leveraged vulnerabilities in ESXi hypervisors, such as CVE-2024-37085, to gain administrative control and encrypt hypervisor-level storage, amplifying the scope of each compromise (Microsoft Security Blog).
Technical playbook and detection
Analysis from SOC Prime links BERT’s activity to the MITRE ATT&CK framework, associating it with T1496 (Resource Hijacking) and T1486 (Data Encrypted for Impact). These mappings highlight how ransomware groups are integrating enterprise-grade stealth techniques with destructive payloads.
The Broadcom security bulletin on BERT ransomware describes ransom notes dropped in multiple directories, alongside encrypted files bearing unique extensions. Analysts note that this mirrors other targeted ransomware behaviors, including those seen in LockBit 5.0, which similarly targeted virtualized infrastructure.
| Tactic / Technique | Description |
|---|---|
| Discovery / Execution | ESXi host enumeration and VM shutdowns |
| Encryption | Datastore files (.vmdk, .vmx) encrypted after shutdown |
| Evasion / Cleanup | Log deletion and backup disruption |
These operational tactics reinforce how modern ransomware groups are blurring the line between criminal and advanced persistent threat campaigns.
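As an added illustration, not code from the original article or from any of the vendors it cites, the Python script below shows how a defender might surface the "shut down, then encrypt" sequence described above from an ESXi host's shell-audit log: a burst of VM power-off commands issued from a single session (the Discovery / Execution row), followed by deletion of host logs (the Evasion / Cleanup row). The log lines are constructed for this example, the line format is a simplified assumption modelled loosely on ESXi's shell.log, and the 60-second window and three-VM threshold are illustrative tuning values, not vendor guidance.

```python
"""Flag BERT-style mass VM shutdowns and log deletion in ESXi shell-audit log lines."""
import re
from datetime import datetime, timedelta

# Constructed sample log; the "timestamp shell[pid]: [user]: command" shape is an
# assumption for this example and is not a vendor-published format.
SAMPLE_LOG = """\
2025-06-12T02:14:01Z shell[12345]: [root]: vim-cmd vmsvc/getallvms
2025-06-12T02:14:05Z shell[12345]: [root]: vim-cmd vmsvc/power.off 1
2025-06-12T02:14:06Z shell[12345]: [root]: vim-cmd vmsvc/power.off 2
2025-06-12T02:14:06Z shell[12345]: [root]: vim-cmd vmsvc/power.off 3
2025-06-12T02:14:07Z shell[12345]: [root]: vim-cmd vmsvc/power.off 4
2025-06-12T02:14:09Z shell[12345]: [root]: vim-cmd vmsvc/power.off 5
2025-06-12T02:14:20Z shell[12345]: [root]: rm -f /var/log/shell.log
2025-06-12T09:30:00Z shell[22222]: [admin]: vim-cmd vmsvc/power.off 7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")
POWER_OFF_RE = re.compile(r"vim-cmd vmsvc/power\.off (?P<vmid>\d+)")
LOG_DELETE_RE = re.compile(r"\brm\b.*\s/var/log/")


def parse_lines(text):
    """Parse audit lines into event dicts; lines that do not fit the shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "pid": m["pid"], "user": m["user"], "cmd": m["cmd"]})
    return events


def detect_mass_poweroff(events, window=timedelta(seconds=60), threshold=3):
    """Alert when one session powers off >= threshold distinct VMs inside a sliding window."""
    by_session = {}
    for ev in events:
        m = POWER_OFF_RE.search(ev["cmd"])
        if m:
            by_session.setdefault((ev["pid"], ev["user"]), []).append((ev["ts"], m["vmid"]))

    alerts = []
    for (pid, user), offs in by_session.items():
        offs.sort()
        best = None  # (distinct VM count, first ts, last ts) of the densest window seen
        start = 0
        for end in range(len(offs)):
            while offs[end][0] - offs[start][0] > window:
                start += 1
            vmids = {vmid for _, vmid in offs[start:end + 1]}
            if best is None or len(vmids) > best[0]:
                best = (len(vmids), offs[start][0], offs[end][0])
        if best and best[0] >= threshold:
            alerts.append({"type": "mass_vm_poweroff", "pid": pid, "user": user,
                           "vm_count": best[0], "first": best[1], "last": best[2]})
    return alerts


def detect_log_deletion(events):
    """Alert on any command that removes files under /var/log (anti-forensics step)."""
    return [{"type": "log_deletion", "pid": ev["pid"], "user": ev["user"], "cmd": ev["cmd"]}
            for ev in events if LOG_DELETE_RE.search(ev["cmd"])]


def analyze(text):
    """Run both detectors over raw log text and return the combined alert list."""
    events = parse_lines(text)
    return detect_mass_poweroff(events) + detect_log_deletion(events)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the constructed sample, the root session that powers off five VMs in four seconds produces one mass-shutdown alert while the lone admin power-off hours later does not, and the log removal produces a second alert. In a real deployment the same logic would sit on forwarded syslog from every host, with the threshold set just below the number of VMs a normal maintenance window touches.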
Who’s being targeted
Trend Micro confirms BERT-related intrusions in manufacturing, energy, and healthcare networks across Europe and Southeast Asia. The campaign appears highly selective, focusing on environments where shared hypervisors and critical workloads coexist — conditions that maximize the potential business impact of encryption.
Unlike broad Ransomware-as-a-Service models, BERT functions as a closed operation. There is no leak site, affiliate structure, or public negotiation channel observed to date. All known communications occur through encrypted email exchanges between attackers and victims.
Some infrastructure overlaps have been identified with TA415, a China-aligned actor known for espionage operations, though analysts have not confirmed any shared attribution.
What this tells us about ransomware evolution
The BERT campaign shows that ransomware is moving beyond file encryption — it’s becoming infrastructure denial.
By striking virtualization layers directly, attackers can disrupt dozens of systems with a single payload, sidestep endpoint defenses, and complicate recovery at scale.
For organizations running shared hypervisors across IT and OT environments, this approach multiplies operational risk and amplifies the blast radius of every breach. Researchers believe that future BERT variants could expand to additional hypervisor platforms, signaling an ongoing evolution toward infrastructure-wide compromise.