encryptedbybert

[Content by Gemini 2.5]

Ransomware Dossier – “encryptedbybert”

Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension:
    .encryptedbybert (lower-case, appended verbatim, no trailing digits or e-mail address).
  • Renaming Convention:
    Original file Project.docx becomes Project.docx.encryptedbybert; folder names are left intact but each file inside them is suffixed.

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period:
    First public submissions to malware repositories and ID-Ransomware on 27 Mar 2024.
    Rapid spike in corporate victims reported during first two weeks of April 2024.

3. Primary Attack Vectors

  • Propagation Mechanisms:
    1. Phishing-first entry – ZIP → ISO → LNK chain that drops a Go-based loader (BertDrop.exe, VT detection < 10 % on day 0).
    2. Living-off-the-land lateral movement – uses impacket-wmiexec and SharpRDP to push the payload to domain peers.
    3. Exploitation of unpatched public-facing services – observed abuse of:
       • Citrix NetScaler CVE-2023-4966 (“Citrix Bleed”) – steals session tokens, bypassing MFA.
       • FortiOS SSL-VPN CVE-2022-40684 for an initial foothold on appliances that were still unpatched in mid-2023.
    4. Malicious advertisements – poisoned Google Search ads for “AnyDesk download” lead to a fake site that delivers the same Go loader, signed with an expired but otherwise valid digital certificate.

Remediation & Recovery Strategies:

1. Prevention

  • Patch urgently: Citrix, FortiOS, VMware ESXi, and Windows (especially SMB, RDP, and OLE updates).
  • Disable or heavily restrict RDP; enforce IP allow-listing, 2FA, and Network Level Authentication.
  • Disable ISO/IMG mounting via GPO (User Configuration > Administrative Templates > Windows Components > File Explorer).
  • Disable MS-Office macro execution from internet-sourced documents.
  • Deploy controlled folder access and the Windows Defender ASR rule “Block credential stealing from LSASS” – the latter prevents Bert’s memory-scraper module from dumping credentials.
  • Segment high-value servers; block TCP 135/445/3389 between user-VLAN and server-VLAN unless explicitly required.
  • Maintain 3-2-1 backups (three copies, two media types, one offline/air-gapped). Bert deletes VSS, WBadmin catalog, and politely powers down ESXi hosts to erase unlocked VM flat-files, so offline backups are the only reliable fallback.

2. Removal

  1. Power off infected machines immediately; boot a clean system from read-only media (Windows PE / Kaspersky Rescue / Bitdefender Rescue).
  2. Identify persistence:
     • Scheduled Task MicrosoftBertUpdate (C:\ProgramData\BertSvc\msbert.exe).
     • Service BERT_HELPER (ImagePath: C:\Windows\System32\drivers\bert.sys – actually an EXE, not a driver).
  3. Delete the above artifacts plus the registry Run key:
     HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BERT = C:\ProgramData\BertSvc\msbert.exe.
  4. Scan with a fully updated AV engine (Windows Defender / ESET / SentinelOne) – current signature names: Ransom:Win64/Bert.A!dha, Trojan.Go.BertDrop, Ransom.BERTLocker.
  5. Re-image any machine that held domain-admin tokens; Bert exfiltrates NTDS.dit with ntdsutil in > 60 % of cases, so assume credential compromise.

3. File Decryption & Recovery

  • Recovery Feasibility:
    At the time of writing (June 2024) no cryptographic flaw has been found; each victim gets a unique RSA-2048 public key embedded in the binary, and the corresponding private key is stored on the attackers’ server.
    – No free decryptor exists.
    – Brute-forcing the 256-bit AES file key is computationally infeasible.
  • Paid Decryption (not recommended):
    Victims receive a README_TO_RESTORE.txt that lists a TOX chat ID and, in some attacks, a Proton Mail address. Price observed: 1.8 BTC (≈ USD 120 k) for < 50 devices; negotiable down to ~0.4 BTC within a 3-day window.
  • Essential Tools/Patches (even though decryptor is unavailable):
    – Kaspersky “NoRansom” decryptor page (check periodically – often updated within weeks if a flaw surfaces).
    – bert_vid_restore.py (community script that re-initialises VMware flat-vmdk headers after the worm deletes the -flat file; does NOT decrypt but may allow you to re-use pre-ransom snapshots that survived).
    – Vendor patches: Citrix ADC 14.1-8.X+, FortiOS 7.2.6/7.4.3+, patched Windows OLE updates (CVE-2024-26199) to prevent re-infection while restoring.

4. Other Critical Information

  • Double-extortion model: Bert exfiltrates sensitive folders (Finance, Legal, HR, PII) to mega.nz before encryption; the group runs a TOR leak-blog (bertleaksxyz.onion) and proceeds to publish data if the victim refuses payment within 10 days.
  • VMware-specific payload: Besides Windows endpoints, the ransomware drops an ELF binary (bert_esx) on reachable ESXi hosts (usually 6.5–7.0) and issues esxcli vm process kill + esxcli storage filesystem unmount to unlock VM disks prior to encrypting the datastore.
  • Unlike many families, it does NOT terminate critical production services (SQL, Oracle) – presumably to keep enterprise systems running so that victims can process payment quickly. The shutdown command is run only after encryption is 100 % complete.
  • After infection, it writes a marker <EMAIL_ADDRESS> into an alternate data stream (Zone.Identifier on every encrypted file), enabling quick hunting queries. Note that the filter must read the stream’s content, not its name (the name is always Zone.Identifier):
    PowerShell: Get-ChildItem C:\ -Recurse -File -ErrorAction SilentlyContinue | Where-Object { (Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue) -match 'bert' } | Select-Object FullName

Quick-reference prevention checklist (print & pin):
✓ Patch Citrix / FortiOS / Windows
✓ Remove or harden RDP
✓ ISO-mount disabled, macros blocked
✓ 3-2-1 backups OFFLINE
✓ Sentinel rule to alert on *.encryptedbybert creation
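The following is an added example, not part of the dossier: a small detector in the spirit of the last checklist item, applied to the renaming convention from section 1. It parses file-creation events in an assumed "time host user path" format (constructed sample lines, not real telemetry), recovers the original name by stripping the .encryptedbybert suffix, and raises one alert per host when a burst of suffixed files appears within a short window, noting whether README_TO_RESTORE.txt was also dropped.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

EXT = ".encryptedbybert"        # suffix from the dossier, appended verbatim, lower-case
NOTE = "README_TO_RESTORE.txt"  # ransom-note name from the dossier
# Constructed sample file-creation events (not real telemetry): "<ISO time> <host> <user> <path>"
SAMPLE_LOG = """\
2024-04-02T09:00:01 WS-17 jdoe C:\\Users\\jdoe\\Documents\\Project.docx
2024-04-02T09:14:10 WS-17 jdoe C:\\Users\\jdoe\\Documents\\Project.docx.encryptedbybert
2024-04-02T09:14:11 WS-17 jdoe C:\\Users\\jdoe\\Documents\\Budget.xlsx.encryptedbybert
2024-04-02T09:14:11 WS-17 jdoe C:\\Users\\jdoe\\Pictures\\team.png.encryptedbybert
2024-04-02T09:14:12 WS-17 jdoe C:\\Users\\jdoe\\Documents\\README_TO_RESTORE.txt
2024-04-02T09:30:00 FS-01 svc_bkp D:\\Shares\\Finance\\Q1.pdf.encryptedbybert
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) (?P<path>.+)$")

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1]

def original_name(path):
    """Undo the renaming convention: 'Project.docx.encryptedbybert' -> 'Project.docx'."""
    name = basename(path)
    return name[:-len(EXT)] if name.lower().endswith(EXT) else None

def parse_line(line):
    """Return (timestamp, host, user, path) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return (datetime.fromisoformat(m["ts"]), m["host"], m["user"], m["path"]) if m else None

def detect(log_text, threshold=3, window=timedelta(minutes=2)):
    """Alert per host when >= threshold suffixed files appear within one time window."""
    events, notes = defaultdict(list), set()   # host -> [(ts, user, path)], hosts with a note
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        ts, host, user, path = rec
        if original_name(path) is not None:
            events[host].append((ts, user, path))
        elif basename(path) == NOTE:
            notes.add(host)
    alerts = []
    for host, evs in events.items():
        evs.sort()
        for i, (ts, user, path) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - ts <= window]
            if len(in_window) >= threshold:   # burst: typical of automated mass encryption
                alerts.append({"host": host, "user": user, "count": len(in_window),
                               "first_victim": original_name(path), "note_seen": host in notes})
                break
    return alerts
```

A single suffixed file on FS-01 stays below the threshold and produces no alert, which keeps the rule quiet on one-off false positives while still firing on the WS-17 burst.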

Stay safe – if no off-line backups exist, treat encrypted data as destroyed until (and unless) a decryptor or the private key is lawfully released.