BERT is a ransomware family first reported as emerging in April 2025. Available reporting describes it as a new ransomware variant with a built-in capability to forcibly shut down VMware ESXi virtual machines, indicating an ESXi-focused impact profile. It has been referenced in technical analysis by threat intelligence researchers and appears in 2025 reporting as one of many newly emerged, short-lived ransomware brands in a highly fragmented ecosystem. That reporting places BERT among groups experimenting with AI-themed branding, sector targeting, and hybrid hacktivist narratives.
High-confidence ecosystem context indicates that many new 2025 ransomware groups, including BERT, operated in an environment characterized by shared infrastructure, tooling, and access brokers rather than unique malware development. Common initial access patterns across these groups included identity-based compromise such as stolen VPN credentials, MFA fatigue, session token hijacking, OAuth abuse, exploitation of edge infrastructure like VPN appliances and firewalls, phishing and SaaS abuse including HTML smuggling and fake login portals, and cloud/SaaS misconfigurations such as over-permissioned IAM roles and exposed API tokens. Reporting also states that these groups commonly used lightweight, minimally obfuscated malware; often treated encryption as optional; and frequently paired or replaced encryption with data theft and extortion. Primary targets across this cohort were small and mid-sized enterprises, insured organizations, and cloud-first environments with weak identity governance.
The provided content does not attribute BERT to a specific threat actor, does not identify specific victim sectors uniquely targeted by BERT, and does not provide confirmed indicators of compromise.