BERT Ransomware

A New Breed of Cyber Threat

A new ransomware strain is making waves, not just for its technical prowess but also for the mystery behind its name: BERT Ransomware. As businesses and individuals race to defend themselves against increasingly complex attacks, BERT stands out for blending classic ransomware tactics with modern evasion techniques. But what exactly is it? And does it really have anything to do with artificial intelligence?

Let’s dive into the anatomy of BERT ransomware, an elusive and deceptive threat that signals where ransomware may be headed next.

What is BERT Ransomware?

Identified in early 2024, BERT ransomware is a new strain that has been phishing users and exploiting vulnerable systems. The cybersecurity community was surprised by the name of this new ransomware, BERT, since it shares its name with Google’s well-known NLP model, sparking confusion and speculation about what it does.

BERT diverges from the generic ransomware mold by adopting a more persistent and stealthy approach. Traditionally, ransomware focuses on encryption alone; BERT, on the other hand, combines encryption with several other obfuscation techniques. A payment in cryptocurrency is demanded for any data it locks and holds hostage.

BERT ransomware has no connection with AI technology; however, the name gives BERT a marketing angle that social engineers and ransomware creators capitalize on.

Technical Breakdown: How BERT Ransomware Operates

BERT ransomware operates with a defined infection process to maximize stealth, persistence, and impact. While it does not push the boundaries of the industry in terms of encryption, the BERT ransomware infection cycle reflects a polished and sophisticated delivery and evasion mechanism. The infection cycle includes the following steps:

→ Initial Infection: Entry Point

BERT ransomware usually gains entry through social engineering attacks aimed directly at users. BERT ransomware uses:

  • Phishing emails with malicious file attachments such as Word or Excel documents with macro scripts.
  • Links that download scripts or lead to exploit kits.
  • Unpatched Remote Desktop Protocol (RDP) or other remote services with known vulnerabilities.

BERT ransomware activates once a user engages with the malicious file, commencing the payload delivery phase.

→ Execution and Payload Deployment

BERT uses fileless payload delivery, executing the payload only after the initial infection. BERT prefers to reside in memory rather than being written to disk, which helps it avoid detection by signature-based antivirus systems.

Some key behaviors of BERT in execution and payload delivery include but are not limited to:

  • Using LOLBins such as mshta.exe and powershell.exe to run scripts and commands.
  • Turning off system protections such as Windows Defender and firewall rules.
  • Modifying the registry to ensure continued control of the infected machine while avoiding detection.

→ Encryption Routine

BERT uses a hybrid encryption approach to encrypt files:

  • Files are encrypted with the symmetric Advanced Encryption Standard (AES), which is fast enough for bulk file encryption.
  • The AES keys are then encrypted with the asymmetric algorithm RSA, making decryption nearly impossible without the attacker’s private key.
  • Each encrypted file receives a custom extension that differs from campaign to campaign.

→ Ransom Note Deployment

After encryption, BERT drops a variant of the README_BERT.txt file, which holds the ransom note, containing:

  • Instructions for paying the ransom in Bitcoin or Monero.
  • A unique victim ID for communicating with the BERT operators.
  • Threats of a data leak or permanent data loss if the ransom is not paid within a set time.

BERT is capable of double extortion, i.e. exfiltrating data before encryption and using that data to blackmail the victim.

→ Command and Control (C2) Communication

BERT uses its C2 channel for the following:

  • Sending system and network data.
  • Sending encrypted files and receiving encryption keys or updated payload instructions.
  • Reporting the status of file encryption.

To stay hidden, BERT can use domain generation algorithms (DGA) to locate its C2 infrastructure and encrypted HTTPS channels to talk to it.
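The DGA behaviour described above leaves two traces a defender can look for in resolver logs: queried names whose registrable label looks random (high entropy, few vowels, digits mixed in), and bursts of NXDOMAIN answers from one host as the malware walks through unregistered candidate domains. The script below, an added example that is not part of the original article and not BERT’s own code, runs both checks over a constructed sample log; the log format, thresholds and client addresses are assumptions for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log (not from the article). Fields:
# timestamp  client  queried_name  response_code
SAMPLE_DNS_LOG = """\
2024-03-01T10:00:01Z 10.0.0.12 www.example.com NOERROR
2024-03-01T10:00:02Z 10.0.0.12 mail.example.com NOERROR
2024-03-01T10:00:03Z 10.0.0.12 xk7qpz9vbw2rtl.com NXDOMAIN
2024-03-01T10:00:04Z 10.0.0.12 q8zjd3mvw1xpc.net NXDOMAIN
2024-03-01T10:00:05Z 10.0.0.12 updates.vendor.example.org NOERROR
2024-03-01T10:00:06Z 10.0.0.12 lr0tn6ybqh5wkz.info NXDOMAIN
2024-03-01T10:00:07Z 10.0.0.45 www.example.com NOERROR
"""

VOWELS = set("aeiou")


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score high."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    """Second-to-last DNS label (naive; a public-suffix list is better in production)."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_indicators(label):
    """Return the list of heuristics the label trips. Thresholds are assumed values."""
    hits = []
    if len(label) >= 12:
        hits.append("long_label")
    if shannon_entropy(label) >= 3.3:
        hits.append("high_entropy")
    if sum(ch in VOWELS for ch in label) / len(label) < 0.2:
        hits.append("few_vowels")
    if sum(ch.isdigit() for ch in label) / len(label) >= 0.15:
        hits.append("digits_mixed_in")
    return hits


def analyze_dns_log(text, min_indicators=3):
    """Flag DGA-looking names and count NXDOMAIN answers per client."""
    flagged = {}
    nxdomain_per_client = defaultdict(int)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, rcode = line.split()
        if rcode == "NXDOMAIN":
            nxdomain_per_client[client] += 1
        hits = dga_indicators(registrable_label(qname))
        if len(hits) >= min_indicators:
            flagged[qname] = hits
    return {"flagged": flagged, "nxdomain_per_client": dict(nxdomain_per_client)}


if __name__ == "__main__":
    result = analyze_dns_log(SAMPLE_DNS_LOG)
    for name, hits in result["flagged"].items():
        print(f"DGA-like: {name:<28} {', '.join(hits)}")
    for client, count in result["nxdomain_per_client"].items():
        print(f"{client}: {count} NXDOMAIN answers")
```

Requiring three of the four indicators keeps ordinary short brand names out of the alert list; on real traffic, tune the thresholds against a week of known-good queries and pair the NXDOMAIN count with a time window, since a single host producing dozens of NXDOMAINs per minute is the stronger signal.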

→ Persistence and Cleanup

BERT executes the following tasks to ensure persistence:

  • Creating scheduled tasks or registry keys to maintain persistence.
  • Removing volume shadow copies and turning off recovery options, making rollback difficult.
  • Some variants can even self-delete or erase logs to cover up evidence of the attack.

Is BERT Related to AI? Debunking the Name

Even though it’s called BERT ransomware, it doesn’t use AI technologies or Google’s BERT natural language processing model (Bidirectional Encoder Representations from Transformers).

So, what is the name meant to achieve?

  • AI branding: Attackers may have chosen “BERT” to suggest AI capabilities, adding to the malware’s appeal.
  • Manipulating victims: The name alone can create psychological fear or panic.
  • Misleading attribution: Associating it with an AI model can mislead investigators or hinder later identification.

In any case, BERT ransomware is simply well-designed conventional malware, and the BERT branding is a tactic in its own right.

Why BERT Ransomware is So Dangerous

While most ransomware follows conventional attack routes, BERT has set itself apart by adding social manipulation and psychological pressure. It acts stealthily, stays out of sight until it chooses to be noticed, and reveals only what it must, when it must. It has refined the art of hostage-taking, offering victims no more than a semblance of what they want.

  • ⇒Fileless Execution: Runs in memory, avoiding detection by traditional antivirus tools.
  • ⇒Uses Legitimate System Tools (LOLBins): Leverages PowerShell, WMI, etc., to blend into normal activity.
  • ⇒Misleading Name: From a defense perspective, what BERT is called can misdirect.
  • ⇒Double Extortion: Files are encrypted and a ransom demanded, with sensitive data leaked if payment isn’t received.
  • ⇒Disables Recovery: Blocks easy recovery by disabling System Restore and deleting shadow copies.
  • ⇒Stealthy Communication: Uses encrypted channels to reach C2 servers, sometimes employing domain generation algorithms (DGA).
  • ⇒Modular Design: Easy customization for different targets complicates detection and response.
  • ⇒Targets Critical Systems: Frequently attacks servers and domain controllers for the most significant impact.

Detection and Prevention Techniques

Given the stealthy nature of BERT ransomware, a proactive approach combined with layered defenses is essential. You can protect your environment by:

◊ Detection Tips

  • Monitor for new scheduled tasks and unusual memory usage.
  • Monitor networks for suspicious outbound traffic.
  • Watch for unwanted changes to system backups and shadow copies.
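The execution, persistence and detection sections above all point at the same host telemetry: process-creation events showing an Office application spawning a LOLBin, encoded PowerShell, shadow-copy deletion, firewall or Defender tampering, and new scheduled tasks. The rule set below is an added example, not code from the article or from any vendor product; it runs those checks over constructed process-creation events whose field names (image, parent, cmdline) are a simplified assumption modelled on Sysmon Event ID 1, and whose paths and command lines are invented sample data.

```python
import re

# Constructed sample process-creation events (not from the article).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe",
     "cmdline": "explorer.exe"},
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": 'mshta.exe "C:\\Users\\Public\\invoice.hta"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\mshta.exe",
     # QQBCAEMA is base64 of the UTF-16LE string "ABC": a harmless constructed payload.
     "cmdline": "powershell.exe -nop -w hidden -enc QQBCAEMA"},
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'schtasks.exe /create /tn "Updater" /tr "C:\\Users\\Public\\u.vbs" /sc onlogon'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
LOLBINS = ("mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe",
           "rundll32.exe", "regsvr32.exe")

# Shadow copy / recovery tampering seen in many ransomware families.
RECOVERY_TAMPER = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|"
    r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no|wbadmin(\.exe)?\s+delete\s+catalog)", re.I)
# Disabling Defender real-time protection or the Windows firewall.
DEFENSE_TAMPER = re.compile(
    r"(set-mppreference\s+.*-disablerealtimemonitoring|"
    r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off)", re.I)
# PowerShell launched with an encoded command (-e / -ec / -enc / -EncodedCommand).
ENCODED_PS = re.compile(r"powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s", re.I)
SCHTASK_CREATE = re.compile(r"schtasks(\.exe)?\s+/create\b", re.I)


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the names of every rule the event trips (empty list if benign)."""
    hits = []
    image, parent, cmd = basename(event["image"]), basename(event["parent"]), event["cmdline"]
    if parent in OFFICE_PARENTS and image in LOLBINS:
        hits.append("office_spawned_lolbin")
    if ENCODED_PS.search(cmd):
        hits.append("encoded_powershell")
    if RECOVERY_TAMPER.search(cmd):
        hits.append("recovery_tampering")
    if DEFENSE_TAMPER.search(cmd):
        hits.append("defense_tampering")
    if SCHTASK_CREATE.search(cmd):
        hits.append("scheduled_task_created")
    return hits


def detect(events):
    """Return (rule, image, cmdline) for every rule hit across all events."""
    alerts = []
    for ev in events:
        for rule in evaluate(ev):
            alerts.append((rule, basename(ev["image"]), ev["cmdline"]))
    return alerts


if __name__ == "__main__":
    for rule, image, cmdline in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {image}: {cmdline}")
```

Each rule is deliberately narrow so that analysts can score them individually; several hits on one host within a few minutes (an Office-spawned LOLBin, then encoded PowerShell, then shadow copy deletion) is the chain the article describes and should page someone, while any one of them alone is a lead to triage.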

◊ Prevention Strategies

  • Educate your team to recognize phishing attempts and avoid them.
  • Consistently apply patches and update both operating systems and third-party software.
  • Use EDR solutions with behavior-based detection.
  • Back up important data, store the backups offline, and regularly test the restoration process.
  • Segment your network to limit the spread of ransomware.

Incident Response: What to Do If Infected

Swift action is the best way to minimize the damage caused by a suspected BERT ransomware infection.

  • Immediately disconnect the affected system(s) from the network.
  • Do not reboot the system, as components residing only in memory may be lost.
  • Engage an incident response team for containment and forensics.
  • Notify local CERTs and law enforcement.
  • Review data breach disclosure obligations where personal data is involved.
  • Restore from backups that have previously been verified as clean.

Conclusion

BERT ransomware serves as a warning sign of what’s to come: malware strains that not only evolve technically but also manipulate perception through clever naming and social engineering. While BERT isn’t AI-driven, its deceptive nature is a blueprint for future attacks that may blend real AI with cyber extortion.

The best defense? Preparedness, vigilance, and resilience. Invest in layered security, educate your workforce, and stay updated on threat intelligence. Cyber attackers are innovating; it’s time defenders did the same.

VAPT Service
Looking to test your defenses against ransomware like BERT? Contact StrongBox IT for a tailored VAPT service or ransomware readiness assessment today.