Encrypted and Cornered: Inside the World of Bert Ransomware

What Is Bert Ransomware?
Bert is a strain of ransomware that targets users by encrypting their files and locking them out of their data. It renames each file with a distinct marker, appending the ".encryptedbybert" extension. For example, a file once named "document.pdf" becomes "document.pdf.encryptedbybert," signaling that the content is no longer accessible without a decryption key.
Along with the altered filenames, Bert leaves behind a ransom note titled ".note.txt." This note is more than just a warning—it's a direct communication from the attackers. Victims are informed that their entire network has been compromised, their data encrypted, and, alarmingly, that sensitive information has been stolen.
Here's what the ransom note says:
Hello from Bert!
Your network is hacked and files are encrypted.
We download some important files from your network.
Instructions for contacting our team:
Download the (Session) messenger (https://getsession.org) in messenger :ID 05149ef8a65c342bc76bad335ad3a314ec1321b18cdb6092667083b4e56a4dcb41
xxxxxxxxxxxxxxxxxxxxxxxxxxx.onion our blog
The Ransom Note’s Demands
Unlike many ransomware variants that offer email contact, Bert directs victims to communicate through the Session app using a specific Session ID. This choice suggests a desire for greater anonymity and security on the part of the attackers. The message within the note typically insists that the only way to recover access to the encrypted files is by paying a ransom for a decryption service.
This tactic preys on urgency and fear. However, it is essential to remember that even after paying, victims may not receive the promised decryption tool. In many cases, attackers simply take the money and disappear, making payment a gamble with poor odds and long-term consequences.
What Ransomware Programs Aim to Do
Ransomware like Bert follows a straightforward yet destructive model: it encrypts the victim's files, announces the attack, and demands payment in exchange for restoration. What makes ransomware especially dangerous is that it can strike individuals, businesses, and even public institutions, bringing operations to a halt and putting sensitive information at risk.
Bert adds an extra layer of pressure by claiming to have exfiltrated confidential data from the network. This doubles the threat—not only are files inaccessible, but they may also be exposed, leaked, or sold if the ransom isn't paid. This dual-threat approach is becoming increasingly common in ransomware attacks and underscores how cybercriminals continue to evolve their methods.
Can Victims Recover Without Paying?
Recovering from a Bert ransomware infection without paying the attackers depends on several factors. If a user maintains recent, clean backups stored separately from the infected network, they can restore their system without engaging with the criminals. Additionally, in rare cases, security researchers may develop a free decryption tool, though this is not guaranteed.
The first step in recovery is to remove the ransomware from the system entirely. This doesn't unlock the encrypted files but prevents further damage and stops the malware from spreading to other devices on the network. Without immediate containment, Bert can encrypt additional files and potentially infect connected systems.
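Before restoring from backups, it helps to know which directories were hit and roughly when encryption began. The following is an added example, not part of the original article or any vendor tool: a read-only Python scan for the ".encryptedbybert" suffix and the ".note.txt" ransom note described above. The function names are hypothetical, and treating the earliest modification time as a hint for picking a backup restore point is an assumption.

```python
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone

ENC_SUFFIX = ".encryptedbybert"  # extension named in the article
NOTE_NAME = ".note.txt"          # ransom note name named in the article

def scan_tree(root):
    """Read-only walk of root; returns a summary of Bert artefacts found."""
    encrypted, notes, per_dir, earliest = [], [], Counter(), None
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower == NOTE_NAME:
                notes.append(path)
            elif lower.endswith(ENC_SUFFIX) and len(name) > len(ENC_SUFFIX):
                # Strip the marker to recover the pre-attack file name.
                encrypted.append((path, name[:-len(ENC_SUFFIX)]))
                per_dir[dirpath] += 1
                try:
                    mtime = os.lstat(path).st_mtime
                except OSError:
                    continue  # unreadable entry: counted, but no timestamp
                if earliest is None or mtime < earliest:
                    earliest = mtime
    return {"encrypted": encrypted, "notes": notes,
            "per_dir": per_dir, "earliest_mtime": earliest}

def restore_cutoff(report):
    """Earliest encrypted-file mtime as a UTC ISO string, None if clean.
    Assumption: mtime reflects when the file was encrypted."""
    ts = report["earliest_mtime"]
    if ts is None:
        return None
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()

if __name__ == "__main__":
    # Constructed sample tree so the example runs offline.
    with tempfile.TemporaryDirectory() as root:
        for name in ("document.pdf.encryptedbybert", ".note.txt", "ok.txt"):
            open(os.path.join(root, name), "w").close()
        report = scan_tree(root)
        print(len(report["encrypted"]), "encrypted;", len(report["notes"]), "note(s)")
        print("choose a backup taken before:", restore_cutoff(report))
```

Run it against a mounted copy or an isolated host rather than a live share, and use the per-directory counts to decide which paths to restore first.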
How Bert Spreads: A Familiar Path
Like other ransomware strains, Bert relies heavily on social engineering and deceptive tactics to spread. Malicious documents—often disguised as PDFs, Word files, or ZIP archives—are a common method of infection. Users may receive these through phishing emails or fraudulent websites, with instructions that encourage them to open the files or enable content such as macros, which triggers the malware.
Infection can also happen through infected USB drives, file-sharing platforms, pirated software, or even fake system update alerts. Ransomware often exploits human error more than technical vulnerabilities, making user awareness a key factor in defense.
How to Stay Protected Against Ransomware
The best way to defend against ransomware like Bert is to combine proactive cybersecurity habits with technical safeguards. First and foremost, keep regular backups of important files—preferably in multiple locations, such as external drives and cloud storage services. These backups should be disconnected from the main system when not in use to prevent them from being encrypted as well.
Equally important is maintaining a strong security posture: using antivirus tools, keeping software updated, and avoiding downloads from unverified sources. Users should also be cautious when dealing with unsolicited emails, especially those containing attachments or links. The less exposure to potentially infected content, the lower the risk of an attack.
The Bottom Line: Don’t Let Ransomware Win
Bert ransomware reminds us once again of the increasing sophistication and frequency of cyberattacks today. While its methods follow a familiar pattern—encrypt, threaten, demand—it introduces nuances like data theft and secure messaging channels that make it particularly invasive.
Although there's no guaranteed method of recovery after a ransomware attack, awareness and preparation can make a significant difference. By understanding how malware like Bert operates and adopting strong prevention strategies, users can reduce their vulnerability and improve their chances of recovery—without funding criminal enterprises.