What is BERT ransomware and how does it target ESXi virtual machines?

BERT ransomware is a virtualization-aware malware strain that targets VMware ESXi servers. It forcibly shuts down running virtual machines using ESXi commands before encrypting the underlying VM files. This disrupts snapshot-based backups and recovery workflows, making it harder for organizations to restore systems without paying the ransom.

A new ransomware strain, BERT Ransomware, is targeting VMware ESXi servers and forcibly shutting down virtual machines (VMs) before encrypting their files. By killing running workloads first, the attackers break backup snapshots, halt disaster‑recovery workflows, and maximize leverage for ransom payments. Below is an easy‑to‑read breakdown of how the attack works, why it is different, and what security teams must do right now.

What Makes BERT Ransomware Unique?

Traditional Ransomware vs. BERT Ransomware (2025)

  • Traditional: Encrypts data in place while VMs stay online. BERT: Runs esxcli vm process kill --type=force to power off every VM first.

  • Traditional: Relies on SMB shares or phishing to spread. BERT: Targets ESXi hypervisors via SSH or unpatched CVEs.

  • Traditional: Snapshots often survive, aiding recovery. BERT: Snapshots break mid‑stream, undermining restores.

  • Traditional: Focuses on file encryption only. BERT: Combines forced shutdown with file encryption for double disruption.

Step‑by‑Step Attack Chain

  1. Initial Access

    • Stolen vCenter credentials, weak SSH passwords, or unpatched ESXi exploits.

  2. Host Reconnaissance

    • Executes vim-cmd vmsvc/getallvms or esxcli vm process list to harvest World IDs.

  3. Forced VM Shutdown

    for i in $(esxcli vm process list | awk '/World ID:/ {print $3}'); do
        esxcli vm process kill --type=force --world-id=$i
    done

    All guest VMs power off instantly.

  4. File Encryption

    • Encrypts *.vmdk, *.vmx inside /vmfs/volumes.

    • Drops ransom note demanding cryptocurrency.

  5. Cleanup & Persistence

    • Wipes shell history, disables syslog forwarding, and erases backup catalogs.

Business Impact

  • Extended Downtime – Mission‑critical apps stay offline until restores complete or ransom is paid.

  • Broken Backups – Snapshot jobs fail mid‑process; replicas become unusable.

  • Higher Ransom Demands – Attackers know recovery is harder, so they ask for more.

  • Regulatory Exposure – Potential data‑breach fines and mandatory notifications.

Detection & Mitigation Checklist

  • High: Patch ESXi & vCenter. Apply the latest VMware advisories (e.g., CVE‑2023‑34048).

  • High: Enable MFA & Disable SSH. Restrict the ESXi Shell; use bastion hosts only.

  • High: Immutable Backups. Store copies on WORM or cloud object‑lock storage.

  • Medium: SIEM Alerts for Mass VM Kill. Flag esxcli vm process kill events and bulk VM power‑offs.

  • Medium: Network Segmentation. Isolate the management network on its own VLAN with ACLs.

  • Low: Honeypot VMs. Deploy decoy ESXi hosts to detect lateral movement early.

Tools & Commands to Monitor

  • VM Enumeration: vim-cmd vmsvc/getallvms. Look for unexpected queries from non‑admin IPs.

  • Mass Shutdown: esxcli vm process kill. Look for multiple kills within seconds.

  • SSH Access: /var/log/auth.log. Look for bursts of failed root logins.

  • File Changes: vmkernel.log. Look for sudden datastore modifications.
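As an added example (not code from the original article), a small Python detector that applies two of the checks above, the mass VM kill rule from the checklist and the failed root login burst from the monitoring table, to constructed log lines. The syslog‑style line layout, the host names, the source IP and the burst thresholds are assumptions; in production the same sliding‑window logic would run over the hostd, shell and auth logs forwarded to the SIEM.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a simplified syslog-style layout (an assumption, not the exact ESXi shell.log / auth.log format).
SAMPLE_LOG = """\
2025-06-01T09:58:10Z esx01 sshd[900]: Failed password for root from 203.0.113.7 port 51022 ssh2
2025-06-01T09:58:12Z esx01 sshd[901]: Failed password for root from 203.0.113.7 port 51023 ssh2
2025-06-01T09:58:15Z esx01 sshd[902]: Failed password for root from 203.0.113.7 port 51024 ssh2
2025-06-01T09:58:17Z esx01 sshd[903]: Failed password for root from 203.0.113.7 port 51025 ssh2
2025-06-01T09:58:20Z esx01 sshd[904]: Failed password for root from 203.0.113.7 port 51026 ssh2
2025-06-01T10:00:01Z esx01 shell[1001]: [root]: esxcli vm process list
2025-06-01T10:00:02Z esx01 shell[1001]: [root]: esxcli vm process kill --type=force --world-id=2101
2025-06-01T10:00:02Z esx01 shell[1001]: [root]: esxcli vm process kill --type=force --world-id=2102
2025-06-01T10:00:03Z esx01 shell[1001]: [root]: esxcli vm process kill --type=force --world-id=2103
2025-06-01T11:30:00Z esx02 shell[1200]: [admin]: esxcli vm process kill --type=soft --world-id=3301
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\w+)\[\d+\]: (.*)$")
KILL_RE = re.compile(r"esxcli vm process kill\b.*--world-id=(\d+)")
SSH_FAIL_RE = re.compile(r"Failed password for \S+ from (\S+)")

def parse(line):
    """Return (timestamp, host, program, message), or None for a line that does not match the layout."""
    m = LINE_RE.match(line.strip())
    return m and (datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), m.group(2), m.group(3), m.group(4))

def burst_alerts(events, threshold, window):
    """Sliding window per key; fire once when the count inside the window reaches threshold."""
    alerts, recent = [], defaultdict(deque)
    for ts, key, detail in sorted(events):
        q = recent[key]
        q.append((ts, detail))
        while ts - q[0][0] > window:          # drop entries older than the window
            q.popleft()
        if len(q) == threshold:
            alerts.append({"key": key, "start": q[0][0], "details": [d for _, d in q]})
    return alerts

def detect_mass_vm_kill(log_text, threshold=3, window_seconds=60):
    """Checklist item 'SIEM Alerts for Mass VM Kill': several kills on one host within seconds."""
    recs = filter(None, map(parse, log_text.splitlines()))
    events = [(ts, host, m.group(1)) for ts, host, _, msg in recs if (m := KILL_RE.search(msg))]
    return burst_alerts(events, threshold, timedelta(seconds=window_seconds))

def detect_ssh_failure_burst(log_text, threshold=5, window_seconds=120):
    """Monitor row 'SSH Access': a burst of failed logins from one source IP against one host."""
    recs = filter(None, map(parse, log_text.splitlines()))
    events = [(ts, f"{host}<-{m.group(1)}", msg) for ts, host, prog, msg in recs
              if prog == "sshd" and (m := SSH_FAIL_RE.search(msg))]
    return burst_alerts(events, threshold, timedelta(seconds=window_seconds))
```

On the sample data the kill rule fires once for esx01 (three forced kills in two seconds) and ignores the lone soft kill on esx02, while the SSH rule fires once for the five failures from 203.0.113.7.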

Best Practices for 2025

  1. Adopt Zero‑Trust on Management Planes – Treat ESXi hosts as crown jewels; require MFA and strict RBAC.

  2. Use Offline / Cloud‑Isolated Backups – Snapshots alone are no longer enough.

  3. Automate Log Forwarding – Stream hostd and vmkernel logs to a SIEM for real‑time correlation.

  4. Conduct Hypervisor Hardening Audits – Disable unused services, rotate keys, and validate patch levels quarterly.

  5. Tabletop Ransomware Drills – Simulate forced VM shutdowns to test recovery time objectives (RTOs).

Key Takeaways

  • BERT Ransomware is virtualization‑aware, targeting VMware ESXi with a shutdown‑first tactic.

  • Forced VM kills invalidate live snapshots, crippling standard recovery methods.

  • Patch management, MFA, immutable backups, and SIEM monitoring are critical defenses.

  • Organizations must extend Zero‑Trust principles to hypervisor and management networks.

By understanding BERT’s attack path and hardening ESXi hosts, security teams can reduce downtime, protect critical workloads, and avoid paying costly ransoms.

FAQs

What is BERT ransomware?

BERT ransomware is a Linux-based ransomware strain that targets VMware ESXi environments by forcibly shutting down virtual machines before encrypting their files.

How does BERT ransomware shut down VMs?

It uses the esxcli vm process kill command to forcibly power off all running ESXi virtual machines.

Why does BERT ransomware shut down VMs before encrypting?

Shutting down VMs ensures snapshot backups are invalidated, making recovery difficult and increasing pressure to pay the ransom.

What platforms does BERT ransomware target?

It specifically targets VMware ESXi hypervisors in data centers and enterprise environments.

What is ESXi?

ESXi is VMware's hypervisor used to run virtual machines in enterprise IT infrastructure.

What makes BERT ransomware unique?

Its ability to forcibly shut down VMs prior to encryption sets it apart from other ransomware strains.

Can BERT ransomware affect cloud-based VMs?

BERT primarily targets on-premises VMware ESXi environments, not cloud platforms such as AWS EC2 or Azure Virtual Machines.

Is there a patch available to prevent this?

Yes, applying the latest ESXi patches and securing access with MFA can help prevent BERT attacks.

How does BERT ransomware gain access?

It may exploit unpatched vulnerabilities, use stolen credentials, or brute-force SSH on ESXi hosts.

What are signs of a BERT ransomware infection?

Sudden VM shutdowns, loss of access to VM files, ransom notes, and abnormal shell commands are common indicators.

What does esxcli vm process kill do?

It forcibly terminates a running virtual machine on an ESXi host.

Does BERT ransomware delete backups?

It invalidates in-process snapshots by shutting down VMs and may also target backup metadata or catalogs.

How can I detect BERT ransomware activity?

Monitor for unusual SSH activity, mass VM shutdowns, and shell command execution on ESXi.

Are immutable backups effective against BERT?

Yes, offline or cloud-based immutable backups are one of the best defenses.

What type of data does BERT encrypt?

It encrypts virtual machine disk files like .vmdk, configuration files, and other datastore contents.

How can I stop the BERT ransomware attack?

Isolate the infected ESXi host, shut down its network access, and restore clean backups from a secure source.

Is BERT ransomware spreading in 2025?

Yes, it has been observed in active campaigns throughout early to mid-2025.

How can SIEM tools help detect BERT ransomware?

SIEM platforms can detect unusual VM commands, mass shutdowns, and failed authentication attempts.

What recovery options exist post-attack?

Organizations need offline, verified, immutable backups; without them, they should consider a full reinstallation of the hypervisors and VMs.

Can antivirus software detect BERT?

Some EDR/XDR tools with Linux support and VMware introspection may detect suspicious behaviors.

How do I protect ESXi from BERT ransomware?

Disable unused services, patch regularly, require MFA, restrict access, and monitor logs continuously.

What ports does BERT ransomware use?

BERT may not rely on specific ports but gains access via SSH or web-based management consoles.

What commands are used in the attack script?

The attacker uses shell scripts to download and execute the shutdown commands and ransomware binary.

What logging tools help track BERT activity?

Use vmkernel.log, hostd.log, and stream logs to SIEM platforms like Splunk or Graylog.

Is this part of a larger ransomware campaign?

BERT is a new but growing threat, and it may be part of a broader trend toward virtualization-specific ransomware.

Are vCenter servers at risk too?

Yes, vCenter servers, if exposed or misconfigured, may be targeted for lateral movement.

What is Zero Trust in hypervisors?

It involves isolating the management plane, enforcing least privilege, and validating all access to ESXi hosts.

Can BERT ransomware be decrypted?

Currently, no public decryptor exists, and paying the ransom is not recommended.

What industries are targeted?

Enterprise IT, healthcare, finance, and any sector relying on virtualized infrastructure are prime targets.

What is the best defense against BERT ransomware?

Regular patching, network segmentation, log monitoring, immutable backups, and proper access controls.

Where can I report a BERT ransomware incident?

Report to national CERTs or agencies like CISA, and consult ransomware response services.
