BERT Ransomware Targets ESXi Virtual Machines with Forced Shutdown Tactics

July 10th, 2025

Severity Level: High

Technical Details

  • Malware Family: BERT Ransomware.

  • Severity: High.

  • Initial Vector: Likely brute-force or credential stuffing on exposed ESXi management ports (SSH or web UI).

  • Targeted Systems: VMware ESXi hypervisors, Linux systems.

  • Payload Behavior:

    • Forcefully executes esxcli commands to shut down virtual machines.

    • Deletes shadow copies and system snapshots.

    • Encrypts VM-related files (.vmdk, .vmem, .vmsd, .vmsn, .vswp).

    • Drops ransom note in affected directories.

  • Tactics Used: Uses esxcli vm process kill --type=soft|hard to stop VM processes before encrypting disk images.

  • Persistence/Anti-Forensics: Disables syslog forwarding, clears logs, and corrupts metadata to obstruct recovery.

Our Cyber Threat Intelligence Unit has identified a new malware strain, “BERT Ransomware,” which has been detected targeting VMware ESXi virtual machines. It aims to disrupt recovery efforts by forcibly shutting down systems prior to encryption. The malware uses advanced persistence and anti-forensic techniques designed to damage essential infrastructure and complicate incident response. First reported in mid-2025, BERT ransomware has been observed executing shutdown or reboot commands on compromised systems to lock files and disable services, especially within virtualized environments. Its tactics illustrate a growing trend among ransomware operators to directly interfere with virtual machine management, a strategy that can impact entire data centers, cloud-hosted environments, and applications.

Impact

  • Immediate denial of service by shutting down active virtual machines.

  • Loss of critical infrastructure and hosted services due to VM encryption.

  • Inaccessibility of virtual backups, including those dependent on live snapshots.

  • Extended downtime during investigation, as logs and forensic data are destroyed.

  • Financial losses from ransom payments, recovery efforts, and SLA violations.

  • Increased risk to business continuity, especially for organizations relying on 24/7 service availability.

  • Damage to reputation and trust, particularly in industries where service availability and data confidentiality are crucial.

The specific targeting of ESXi environments amplifies BERT's impact, as many enterprises operate high-density workloads in virtualized clusters.

Detection Method

  • Monitor for suspicious esxcli activity, especially unexpected VM shutdowns or kill commands.

  • Review audit logs for use of esxcli vm process kill, vim-cmd vmsvc/power.off, or similar commands.

  • Flag lateral movement attempts through SSH or open web interfaces.

  • Watch for changes in log forwarding, syslog services, or tampering with snapshot and backup files.

  • Identify unusual file writes or renaming patterns involving .vmdk, .vmem, and .vmsd files.
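The command-audit checks above can be run over ESXi shell audit log lines. The following is an added example, not part of the advisory: it assumes a shell.log line layout of "<timestamp> shell[<pid>]: [<user>]: <command>" (an assumption; adjust the regex to your host's format), flags the esxcli/vim-cmd patterns listed above, and escalates when one user issues several shutdown commands within a short window, the mass-shutdown pattern this advisory describes. The log lines are constructed sample data.

```python
import re
from datetime import datetime, timedelta

# Each rule maps one of the advisory's detection bullets to a regex over the
# command text. The regexes are this example's own, not vendor signatures.
RULES = [(n, re.compile(p), s) for n, p, s in [
    ("vm_process_kill", r"\besxcli\s+vm\s+process\s+kill\b", "high"),
    ("vm_power_off", r"\bvim-cmd\s+vmsvc/power\.off\b", "high"),
    ("syslog_config_change", r"\besxcli\s+system\s+syslog\s+config\s+set\b", "medium"),
    ("snapshot_removal", r"\bvim-cmd\s+vmsvc/snapshot\.remove(all)?\b", "medium"),
]]
SHUTDOWN_RULES = {"vm_process_kill", "vm_power_off"}

# Assumed shell.log layout: "<ISO-8601 ts> shell[<pid>]: [<user>]: <command>".
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+shell\[\d+\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.*)$")

def parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def scan(lines, burst_count=3, window=timedelta(seconds=60)):
    """Return (alerts, bursts). alerts: one dict per matched command.
    bursts: (user, first_ts, n) emitted when a user's shutdown commands within
    `window` first reach burst_count, i.e. a likely mass VM shutdown."""
    alerts, bursts, recent_kills = [], [], {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an audited shell command; skip
        ts, user, cmd = m.group("ts"), m.group("user"), m.group("cmd")
        for name, rx, sev in RULES:
            if rx.search(cmd):
                alerts.append({"ts": ts, "user": user, "rule": name, "severity": sev, "command": cmd})
                if name in SHUTDOWN_RULES:
                    t = parse_ts(ts)
                    kills = [x for x in recent_kills.get(user, []) if t - x <= window] + [t]
                    recent_kills[user] = kills
                    if len(kills) == burst_count:
                        bursts.append((user, kills[0].isoformat(), len(kills)))
                break
    return alerts, bursts

# Constructed sample log: a burst of shutdowns from root plus one isolated soft kill.
SAMPLE_LOG = [
    "2025-07-10T02:14:05Z shell[2001]: [root]: esxcli vm process list",
    "2025-07-10T02:14:09Z shell[2001]: [root]: esxcli system syslog config set --loghost=",
    "2025-07-10T02:14:12Z shell[2001]: [root]: esxcli vm process kill --type=hard --world-id=2100123",
    "2025-07-10T02:14:13Z shell[2001]: [root]: esxcli vm process kill --type=hard --world-id=2100456",
    "2025-07-10T02:14:14Z shell[2001]: [root]: vim-cmd vmsvc/power.off 12",
    "2025-07-10T02:14:20Z shell[2001]: [root]: vim-cmd vmsvc/snapshot.removeall 12",
    "2025-07-10T09:30:00Z shell[3050]: [admin]: esxcli vm process kill --type=soft --world-id=2100789",
    "not a shell log line",
]

if __name__ == "__main__":
    found, mass = scan(SAMPLE_LOG)
    for a in found:
        print(a["ts"], a["user"], a["severity"], a["rule"], "|", a["command"])
    print("mass-shutdown bursts:", mass)
```

A single soft kill by an administrator during a maintenance window is normal; the burst logic is what separates that from the rapid sequence of kills the advisory associates with pre-encryption shutdown, so tune `burst_count` and `window` against your baseline.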

Indicators of Compromise

Type              | Indicator                         | Description
------------------|-----------------------------------|---------------------------------------
SHA256 File Hash  | d5b5a3c90a1237e1f2c947cdad2d7a2f  | Hash of known BERT ransomware binary
IP Address        | 185.225.73.244                    | Known C2 used for ransomware beaconing

Recommendations

  • Restrict access to ESXi interfaces through VPNs or jump hosts.

  • Enforce multi-factor authentication for all administrative access.

  • Segment management networks to isolate hypervisors from general user traffic.

  • Regularly back up VMs to offline or immutable storage.

  • Monitor usage of esxcli or vim-cmd, and establish baselines for legitimate activity.

  • Deploy host-based protections and file integrity monitoring on ESXi hosts whenever possible.

  • Educate IT administrators on social engineering and password hygiene to avoid initial compromise.

Conclusion

BERT ransomware represents a highly targeted threat to virtualized infrastructure. By combining forced shutdowns with aggressive encryption, attackers aim to cause maximum disruption while minimizing the chances of recovery. ESXi environments, often overlooked in endpoint protection strategies, are increasingly preferred targets due to their centralized workloads and importance. This threat highlights the evolving focus of ransomware groups on disrupting infrastructure at the system level; threat actors are no longer just encrypting files but actively interfering with virtualization and backup layers, making recovery increasingly difficult and expensive.

Organizations must reassess the security of their virtual machine hosts by implementing strict access controls, log monitoring, and backup isolation to remain resilient against BERT and future VM-centric ransomware campaigns. Collaboration among IT operations, security teams, and backup administrators is crucial to defend against such advanced tactics.