Rectifyq📃Title: BERT RANSOMWARE - THE RAVEN FILE
📅Date: 2025-06-16
🔗References:
Description
BERT Ransomware, active since March 2025, has expanded its operations to target both Windows and Linux environments. The group uses phishing for initial access and communicates via the dark web and Sessions for negotiations. Victims span multiple countries, primarily affecting service and manufacturing sectors. The Windows variant employs multiple file extensions and RSA encryption, while the Linux version shares code with Sodinokibi/REvil ransomware. A weaponized PowerShell script is used to disable security features before payload execution. The ransomware’s infrastructure is linked to a Russian firm, suggesting potential ties to the region.
🔖Rectifyq Taxonomies:
- relevancy: 🔴 Highly Relevant
- category: ⚔Threat
- target: broad-based
- MY-relevancy: relevant
🔖MISP Galaxies:
- target-information=“United States”
- target-information=“Colombia”
- target-information=“Malaysia”
- target-information=“Taiwan”
- target-information=“United Kingdom”
- ransomware=“bert”
- mitre-attack-pattern=[‘T1548.002’, ‘T1489’, ‘T1573.001’, ‘T1082’, ‘T1055’, ‘T1562.004’, ‘T1491’, ‘T1070’, ‘T1083’, ‘T1057’, ‘T1059.001’, ‘T1547.001’, ‘T1566’, ‘T1562.001’, ‘T1027’, ‘T1486’, ‘T1573.002’, ‘T1012’, ‘T1490’]
MISP event uuid: 171b845f-fdc7-47f8-b3c0-2e8cd408612d
Indicator of Compromise (IoCs)
type,value,comment
domain, bertblogsoqmm4ow7nqyh5ik7etsmefdbf25stauecytvwy7tkgizhad.onion, 'DLS'
domain, wtwdv3ss4d637dka7iafl7737ucykei7pluzc7is3mgo2vl5nmq7eeid.onion, 'Data Server'
url, http://185.100.157.74/payload.exe, ''
ip-dst, 185.100.157.74, ''
url, http://169.254.169.254/latest/meta-data/ami-id, ''
ip-dst, 169.254.169.254, ''
Full IOCs available in Rectifyq's MISP```