A new ransomware group called BERT has a nasty trick up its sleeve that sets it apart from other cybercriminals. Its malware can shut down VMware ESXi virtual machines (VMs) before encrypting their data, a tactic that makes recovery much harder for affected organizations.
First seen in April 2025 and tracked by Trend Micro as “Water Pombero,” BERT is making waves in Asia, Europe, and North America. Its focus on virtual infrastructure is a growing trend among threat actors who are targeting the heart of modern enterprise IT.
Linux variant shuts down VMs before encryption
The scariest part of BERT is its Linux variant. This version can identify and shut down running ESXi VMs before file encryption. By doing so, it prevents admins from migrating or backing up critical systems and maximizes downtime.
The malware uses legitimate ESXi command-line tools to kill all active VM processes. Once the machines are down, the ransomware will encrypt data using up to 50 concurrent threads so it can handle large and complex environments fast.
Researchers say the malware can run without operator input: when launched without instructions, it shuts down all running VMs, which suggests its authors know VMware inside out. BERT has multi-platform builds for Windows, Linux, and ESXi, which let it hit hybrid IT environments.
Attacks across industries and geographies
The group behind BERT seems to be highly organized and technical. On Windows systems, BERT uses PowerShell-based loaders to disable security features like Windows Defender, firewalls, and User Account Control. Once defenses are down, the main ransomware payload is downloaded from Russian infrastructure.
Targets have included healthcare, tech, and event services, with confirmed incidents across multiple continents. Security researchers have found code similarities between BERT and older REvil Linux variants, suggesting the attackers may have reused or built upon leaked malware frameworks to accelerate development.
Each platform has a specific file extension after encryption: “.encryptedbybert” on Windows and “.encrypted_by_bert” on Linux and ESXi, so analysts can identify compromised files.
Security and recommendations
Experts say BERT marks a worrying new trend in ransomware. By shutting down virtual machines, the malware undermines common disaster recovery plans, which often rely on quickly restoring backups or migrating services. A single ESXi host can run dozens of VMs, so one compromised host has a widespread and severe impact.
To defend against similar threats, cybersecurity pros recommend stronger monitoring for PowerShell abuse and script-based activity that disables security tools. Segment your network to isolate ESXi management systems, and make sure your backup strategy includes offline and immutable storage that ransomware can’t reach.
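As an added illustration of the monitoring advice above (example code written for this page, not from the article or Trend Micro's research), the Python below classifies constructed log events using the indicators the article gives: the two BERT file extensions, PowerShell tampering with Defender, the firewall and UAC, and termination of ESXi VM processes. The hostnames, sample events and exact command patterns are assumptions; the article names the behaviors, not the commands.

```python
import re

# Constructed sample telemetry (not real logs): (host, event_type, detail).
SAMPLE_EVENTS = [
    ("win-fs01", "powershell", "Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("win-fs01", "powershell", "netsh advfirewall set allprofiles state off"),
    ("win-fs01", "powershell", "Get-ChildItem C:\\Users"),          # benign
    ("esx-01", "shell", "esxcli vm process kill --type=force --world-id=12345"),
    ("esx-01", "file", "/vmfs/volumes/ds1/app01/app01.vmdk.encrypted_by_bert"),
    ("win-fs01", "file", "C:\\Data\\q2.xlsx.encryptedbybert"),
    ("win-fs01", "file", "C:\\Data\\q3.xlsx"),                      # benign
]

# Extensions the article reports per platform (Windows vs. Linux/ESXi).
BERT_EXTENSIONS = (".encryptedbybert", ".encrypted_by_bert")

# Assumed patterns for the defence-tampering behaviours the article describes.
DEFENSE_TAMPERING = [
    (re.compile(r"Set-MpPreference\s+-Disable", re.I), "defender_disabled"),
    (re.compile(r"netsh\s+advfirewall\s+set\s+\S+\s+state\s+off", re.I), "firewall_disabled"),
    (re.compile(r"EnableLUA\b.*\b0\b", re.I), "uac_disabled"),
]
# Assumed pattern for killing VM processes with the native ESXi CLI.
VM_KILL = re.compile(r"esxcli\s+vm\s+process\s+kill", re.I)


def classify(event):
    """Return an indicator label for one event, or None if nothing matches."""
    host, kind, detail = event
    if kind == "file" and detail.lower().endswith(BERT_EXTENSIONS):
        return "bert_encrypted_file"
    if kind == "powershell":
        for pattern, label in DEFENSE_TAMPERING:
            if pattern.search(detail):
                return label
    if kind == "shell" and VM_KILL.search(detail):
        return "esxi_vm_kill"
    return None


def triage(events):
    """Group distinct indicator labels per host: {host: sorted labels}."""
    findings = {}
    for ev in events:
        label = classify(ev)
        if label:
            findings.setdefault(ev[0], set()).add(label)
    return {host: sorted(labels) for host, labels in findings.items()}


if __name__ == "__main__":
    for host, labels in triage(SAMPLE_EVENTS).items():
        print(host, ", ".join(labels))
```

A host that shows defence tampering followed by encrypted-extension writes, or an ESXi host with VM kills followed by such writes, is the combination worth paging on; single matches are noisier.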
BERT is a reminder of how ransomware is evolving to exploit enterprise virtualization. As more businesses move to centralized and virtualized infrastructure, the impact of these attacks will be more severe, and the need for forward-thinking defenses has never been greater.