An Emerging Ducktail Infostealer – Active IOCs
July 8, 2025
Severity
High
Analysis Summary
Security researchers have identified the Bert ransomware group, also tracked as Water Pombero, actively targeting organizations across the US, Asia, and Europe since April 2025. Confirmed victims include those in healthcare, technology, and event services. The group uses multiple ransomware variants and rapidly evolving tactics to evade detection.
Bert downloads and executes ransomware from a remote IP address registered in Russia, suggesting a potential regional link, although attribution remains unconfirmed. It targets both Windows and Linux systems, leveraging familiar tools and continuously refining its tactics, techniques, and procedures.
The Windows variant uses straightforward code with process termination strings and AES encryption, dropping ransom notes and public keys visibly. Newer variants optimize multi-threaded encryption by employing ConcurrentQueue and DiskWorker structures, allowing immediate encryption of discovered files rather than sequential enumeration.
In May, researchers observed a Linux variant utilizing 50 threads for rapid encryption, targeting ESXi hosts by forcibly terminating running virtual machines. It appends the extension .encrypted_by_bert and drops a ransom note named encrypted_by_bert-decrypt.txt. The variant includes a JSON-formatted configuration within the binary for easy adaptability and customization, resembling the REvil Linux ransomware.
The group frequently abuses PowerShell for privilege escalation and defense evasion. PowerShell scripts are used to launch processes with administrator privileges using the -Verb RunAs parameter and to disable Windows firewall profiles with Set-NetFirewallProfile. Such abuse aids ransomware deployment and limits detection.
Researchers emphasize that emerging ransomware groups like Bert demonstrate how even simple tools can achieve effective infections, underscoring the need for organizations to monitor PowerShell usage closely and detect unauthorized script execution in order to prevent privilege escalation, the disabling of security tools, and rapid system-wide encryption.
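As an added example that is not part of the original advisory, the following Python detection logic runs over constructed PowerShell script-block log lines, flags the two behaviours described above (elevation via -Verb RunAs and firewall profiles disabled with Set-NetFirewallProfile), and escalates when both occur on one host within a short window. The log line format, host and user names, and the ATT&CK technique mapping are assumptions for the example.

```python
import re
from datetime import datetime

# Constructed sample script-block log lines (not real telemetry).
# Format assumed here: timestamp|host|user|event_id|script text
SAMPLE_LOG = """\
2025-07-08T09:12:01Z|WS-01|alice|4104|Get-ChildItem C:\\Reports | Sort-Object Length
2025-07-08T09:13:44Z|WS-01|alice|4104|Start-Process powershell.exe -ArgumentList '-File C:\\Users\\Public\\run.ps1' -Verb RunAs
2025-07-08T09:13:59Z|WS-01|alice|4104|Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
2025-07-08T09:20:10Z|WS-02|svc_backup|4104|Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block
"""

# (rule name, pattern, assumed ATT&CK technique) for the two behaviours in the text.
RULES = [
    ("elevate_via_runas", re.compile(r"Start-Process\b.*-Verb\s+RunAs", re.I), "T1059.001"),
    ("firewall_profile_disabled",
     re.compile(r"Set-NetFirewallProfile\b.*-Enabled\s+(\$?false|0)\b", re.I), "T1562.004"),
]

def parse_line(line):
    """Split one log line; maxsplit=4 keeps '|' pipelines inside the script text intact."""
    ts, host, user, event_id, script = line.split("|", 4)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host,
            "user": user, "event_id": int(event_id), "script": script}

def detect(log_text):
    """Return one alert per rule match on script-block (event 4104) records."""
    alerts = []
    for raw in log_text.strip().splitlines():
        rec = parse_line(raw)
        if rec["event_id"] != 4104:
            continue
        for name, pattern, technique in RULES:
            if pattern.search(rec["script"]):
                alerts.append({"rule": name, "technique": technique, "host": rec["host"],
                               "user": rec["user"], "ts": rec["ts"]})
    return alerts

def correlate(alerts, window_seconds=600):
    """Hosts where elevation and firewall tampering both fired within the window."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a["host"], []).append(a)
    hits = set()
    for host, items in by_host.items():
        elev = [a["ts"] for a in items if a["rule"] == "elevate_via_runas"]
        fw = [a["ts"] for a in items if a["rule"] == "firewall_profile_disabled"]
        if any(abs((f - e).total_seconds()) <= window_seconds for e in elev for f in fw):
            hits.add(host)
    return sorted(hits)
```

The benign `-DefaultInboundAction Block` line on WS-02 shows the firewall rule keyed on the `-Enabled False` argument rather than on the cmdlet name alone, which keeps routine firewall administration out of the alert stream.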
Impact
- Privilege Escalation
- Operational Disruption
- Financial Loss
- Sensitive Data Theft
Indicators of Compromise
IP
- 185.100.157.74
URL
- http://185.100.157.74/payload.exe
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Monitor and restrict PowerShell usage to prevent privilege escalation and malware execution.
- Implement endpoint detection and response (EDR) solutions to identify suspicious activities.
- Regularly back up critical data and store backups offline to ensure recovery.
- Apply timely security patches to close vulnerabilities exploited by ransomware.
- Enforce least privilege access controls to limit attacker movement.
- Monitor network traffic for connections to suspicious or foreign IP addresses.
- Segment networks to isolate critical systems and limit ransomware spread.
- Educate employees on phishing and social engineering to reduce initial compromise risks.
- Deploy application whitelisting to block unauthorized script and program execution.
- Conduct regular ransomware response exercises to improve incident readiness.