BERT Ransomware Escalates Attacks on Linux Machines with Weaponized ELF Files
gbhackers
The BERT ransomware group, first detected in April 2025 but active since mid-March, has expanded its reach from targeting Windows environments to launching sophisticated attacks on Linux machines as of May 2025.
Initially spotted through phishing campaigns, BERT has evolved into a formidable adversary by deploying weaponized ELF (Executable and Linkable Format) files tailored for Linux systems.
This shift underscores a strategic intent to exploit vulnerabilities across diverse operating systems, posing a significant risk to global enterprises reliant on Linux for critical infrastructure.
Windows to Linux
Technical analysis of BERT’s Linux variant reveals an alarming 80% code-base similarity with the infamous Sodinokibi (REvil) ransomware, suggesting a reliance on proven malicious frameworks for rapid deployment.
The Linux samples employ a mix of encryption algorithms including AES, RC4 PRGA, Salsa20, and ChaCha, with data further obfuscated using Base64 encoding.
Additionally, the AWK command is leveraged to ...
Copyright of this story solely belongs to gbhackers.