![How to Use AI as a Productivity Tool with Mike Kaput [MAICON 2025 Speaker Series]](https://www.marketingaiinstitute.com/hubfs/v2MAICON-Speaker_Series.png)
![[The AI Show Episode 152]: ChatGPT Connectors, AI-Human Relationships, New AI Job Data, OpenAI Court-Ordered to Keep ChatGPT Logs & WPP’s Large Marketing Model](https://www.marketingaiinstitute.com/hubfs/ep%20152%20cover.png)
![Designing a Robust Modular Hardware-Oriented Application in C++ [closed]](https://i.sstatic.net/f2sQd76t.webp)
_91QLANU.jpg?width=1920&height=1920&fit=bounds&quality=70&format=jpg&auto=webp#){kind=tracking}
.jpg?width=1920&height=1920&fit=bounds&quality=70&format=jpg&auto=webp#)
_Andreas_Prott_Alamy.jpg?width=1280&auto=webp&quality=80&disable=upscale#)
_designer491_Alamy.jpg?width=1280&auto=webp&quality=80&disable=upscale#)
![iPad Air vs reMarkable Paper Pro: Which tablet is best for note taking? [Updated]](https://i0.wp.com/9to5mac.com/wp-content/uploads/sites/6/2025/05/ipad-air-remarkable-paper-pro.jpg?resize=1200%2C628&quality=82&strip=all&ssl=1)
![What Gemini app features are free versus paid? [June 2025]](https://i0.wp.com/9to5google.com/wp-content/uploads/sites/4/2025/01/gemini-android-5.jpg?resize=1200%2C628&quality=82&strip=all&ssl=1)
![Apple M4 Mac Mini Back on Sale for $499 [Deal]](https://www.iclarified.com/images/news/97617/97617/97617-640.jpg)
BERT Ransomware Upgrades to Attacks Linux Machines Using Weaponized ELF Files
A sophisticated ransomware operation known as BERT has significantly expanded its capabilities by developing weaponized ELF (Executable and Linkable Format) files specifically designed to target Linux environments, marking a concerning evolution in the threat landscape. First detected in April 2025, the ransomware group has been active since mid-March 2025, initially focusing exclusively on Windows systems […] The post BERT Ransomware Upgrades to Attacks Linux Machines Using Weaponized ELF Files appeared first on Cyber Security News.
A sophisticated ransomware operation known as BERT has significantly expanded its capabilities by developing weaponized ELF (Executable and Linkable Format) files specifically designed to target Linux environments, marking a concerning evolution in the threat landscape.
First detected in April 2025, the ransomware group has been active since mid-March 2025, initially focusing exclusively on Windows systems before upgrading their arsenal to include cross-platform capabilities that now threaten both Windows and Linux infrastructure.
The ransomware operation employs phishing campaigns as its primary infection vector, leveraging social engineering techniques to gain initial foothold in target networks.
The Raven File analysts noted that BERT ransomware has established a sophisticated infrastructure on the dark web, operating leak sites and negotiation platforms through onion domains, demonstrating the group’s commitment to long-term operations and victim extortion.
.webp)
BERT’s expansion into Linux environments represents a strategic shift that significantly broadens its potential target base, particularly affecting enterprise environments where Linux servers are commonly deployed for critical infrastructure and services.
The group has successfully compromised organizations across multiple sectors, with the United States leading victim statistics, followed by the United Kingdom, Malaysia, Taiwan, Colombia, and Turkey.
The most affected industries include service and manufacturing sectors, though the group has also targeted logistics, information technology, and healthcare organizations.
Analysis of the group’s victim portfolio reveals a calculated approach to target selection, with companies ranging from small enterprises to major corporations.
.webp)
The ransomware operators maintain detailed victim profiles on their leak sites, including legitimate website URLs, estimated revenue figures, and publication dates, indicating thorough reconnaissance capabilities and systematic documentation practices.
The ransomware’s negotiation process occurs through privacy-focused communication channels, with demands typically denominated in Bitcoin cryptocurrency.
.webp)
Recent cases have shown ransom demands of 1.5 BTC, though amounts likely vary based on victim size and perceived ability to pay.
Weaponized Infection Mechanism
The most concerning aspect of BERT’s evolution lies in its sophisticated infection mechanism, which employs weaponized PowerShell scripts to systematically disable security controls before deploying the encryption payload.
The group hosts malicious scripts on compromised infrastructure, specifically utilizing the IP address 185.100.157.74 to serve both PowerShell scripts and executable payloads.
The weaponization process begins with a PowerShell script that performs privilege escalation checks and systematically dismantles Windows security features.
The script first verifies administrative privileges and re-executes itself with elevated permissions if necessary. Subsequently, it modifies critical registry entries to disable Windows Defender’s core protection mechanisms, including real-time monitoring and cloud-based protection services.
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Value 1 -Type DWord -Force
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableRealtimeMonitoring" -Value 1 -Type DWord -ForceThe script also disables User Account Control by setting the “EnableLUA” registry value to zero, effectively removing a critical security barrier that prevents unauthorized system modifications.
Following security neutralization, the script downloads and executes the primary ransomware payload from the same compromised server infrastructure.
The Linux variant demonstrates sophisticated code reuse, sharing approximately 80% of its codebase with the notorious Sodinokibi (Revil) ransomware family.
This variant employs multiple encryption algorithms including AES, RC4 PRGA, Salsa20, and ChaCha, while utilizing AWK commands for registry queries and Base64 encoding for data obfuscation.
The infrastructure analysis reveals that the command and control servers operate under Russian control through Edinaya Set Limited, highlighting the group’s preference for jurisdictions with limited cybersecurity cooperation agreements.
Automate threat response with ANY.RUN’s TI Feeds—Enrich alerts and block malicious IPs across all endpoints -> Request full access
The post BERT Ransomware Upgrades to Attacks Linux Machines Using Weaponized ELF Files appeared first on Cyber Security News.
