A new threat actor, BERT, has emerged as a fast-moving ransomware group that has rapidly expanded its activity across Asia, Europe, and the US. Discovered in April, BERT is targeting both Windows and Linux systems.
“CISOs are now contending with two emerging archetypes of ransomware: ‘loud-lockers’ like the Gunra group that use multithreading and anti-recovery routines to lock down systems instantly, and ‘quiet siphoners’ like the Silent Ransom group who avoid malware entirely. Groups like Mamona represent a third hybrid—quick but malware-light, often operating offline and deleting traces post-execution,” said Sanchit Vir Gogia, chief analyst and CEO at Greyhound Research.
Gogia added that this evolution demands layered defences that prioritise blast radius containment, process forensics, and deception-based detection. Legacy AV, EDR, and perimeter tools alone cannot keep pace with this modular, multi-variant model of threat execution.
As quoted in CSOonline.com, in an article authored by Nidhi Singal published on July 9, 2025.
Beyond the Media Quote: Our View, In Full
Pressed for time? You can focus solely on the Greyhound Flashpoints that follow. Each one distills the full analysis into a sharp, executive-ready takeaway — combining our official Standpoint, validated through Pulse data from ongoing CXO trackers, and grounded in Fieldnotes from real-world advisory engagements.
Why Simple Ransomware Like BERT Still Breaches Complex Enterprise Networks
Greyhound Flashpoint — BERT proves that ransomware no longer needs to be complex to be catastrophic. According to Greyhound CIO Pulse 2025, 48% of CISOs across Asia and Europe are more concerned about “low-code” ransomware strains like BERT than traditional APTs. BERT uses Windows-native scripting and Linux payloads to evade detection while delivering multi-threaded encryption that rapidly cripples systems—including ESXi virtual machines. This is not a failure of code quality—it’s a failure of detection strategy.
Greyhound Standpoint — According to Greyhound Research, BERT exemplifies the shift from flashy malware to function-first attacks. Its cross-platform payloads are modular, its PowerShell loaders disable defences silently, and its encryption engine uses concurrent threading to encrypt hundreds of files in seconds. Unlike high-profile RaaS platforms, BERT does not rely on volume—it relies on velocity. The group targets fundamental security gaps: over-permissive scripting, unmonitored privileged access, and virtualisation blind spots. These make BERT especially lethal in healthcare, logistics, and multi-cloud environments where operational latency is not tolerated.
Greyhound Pulse — Per CIO Pulse 2025, 53% of mid-market enterprises in Europe and Asia have deprioritised script execution auditing in favour of signature-based malware scanning. Among these, 41% acknowledged insufficient visibility into PowerShell usage across administrative endpoints. In the context of BERT, this skewed prioritisation is fatal: the detection stack is tuned to spot anomalies that never appear, because the ransomware “lives off the land” inside legitimate administrative tooling.
Greyhound Fieldnote — Per a recent Greyhound Fieldnote from a Central European healthcare client, an infection event attributed to BERT bypassed their EDR suite entirely. A scripted PowerShell loader—executed under a legitimate service account—disabled Microsoft Defender and local firewall policies before encrypting data across both Windows and Linux endpoints. The team discovered that VM hypervisors had been forcibly shut down via shell commands embedded in the payload. The breach triggered a complete redesign of their lateral privilege boundaries and VM isolation policies.
What Gaps in Enterprise Cyber Defence BERT Is Exploiting
Greyhound Flashpoint — BERT exploits architectural complacency. According to Greyhound CIO Pulse 2025, 39% of healthcare and technology CISOs still lack enforcement policies for tools like PowerShell, PsExec, and WMIC. BERT leverages these native utilities to mimic legitimate system behaviour, avoiding signature detection while disabling core defences. In many cases, it’s not a question of whether the breach was visible—it’s a question of whether anyone was looking in the right place.
Greyhound Standpoint — According to Greyhound Research, BERT thrives in the interstitial gaps between security tooling and policy enforcement. Its loaders disable UAC, firewall services, and Defender—all via known scripting methods. Yet these activities often fly under the radar because enterprise SOCs continue to treat scripting as a hygiene issue, not a kill chain enabler. BERT’s infection pathways highlight how poorly segmented workloads, excessive admin privileges, and under-instrumented Linux VMs create a fertile environment for execution without escalation.
Greyhound Pulse — The CIO Pulse 2025 study confirms that 62% of respondents with under 5,000 employees describe their security stack as “difficult to manage coherently.” This includes alert fatigue, weak integration across endpoint and SIEM tools, and missed patches—especially in virtualisation platforms like ESXi. Among these, only 31% have implemented just-in-time access controls or script execution policies—making it trivially easy for actors like BERT to deploy payloads under the guise of maintenance or remote diagnostics.
Greyhound Fieldnote — In a recent Fieldnote from a Southeast Asian events services provider, BERT ransomware spread laterally through an RMM tool misconfigured with persistent elevated access. A technician’s credentials were reused, allowing batch scripts to be executed over remote desktop without triggering alerts. The SOC initially failed to correlate this with a breach due to the absence of command-and-control traffic. Post-incident, the company instituted mandatory session logging and adaptive policy enforcement for third-party vendors.
Detection and Prevention Lessons from BERT’s Tactics
Greyhound Flashpoint — The rise of ransomware like BERT calls for a shift from alerting to attestation. Greyhound CIO Pulse 2025 reveals that 58% of SOC leaders are prioritising real-time telemetry enrichment over static rule-based detection. BERT uses tools like PsExec, WMIC, and ConcurrentQueue threading—not exotic malware—to wreak havoc. Catching it requires understanding what normal looks like, not just what abnormal resembles.
Greyhound Standpoint — According to Greyhound Research, BERT’s TTPs are not unique—they are just effective. It escalates privileges silently, disables defences systematically, and uses multithreaded encryption to shrink dwell time to minutes. SOCs must move from IOC-centric models to TTP-aware, behaviour-correlated detection architectures. BERT doesn’t “break in” as much as it “walks in” using stolen or weak credentials and exploits native tools. Defending against such a model requires identity-focused analytics, east-west telemetry, and enforcement of per-session baselines—especially on administrative workstations and virtual servers.
Greyhound Pulse — Per Greyhound CIO Pulse 2025, only 29% of enterprise SOCs conduct monthly emulation exercises to simulate stealthy script-based ransomware deployment. Worse, in mid-tier firms (under 2,500 employees), that number falls below 18%. Without red-teaming to mimic attacks like BERT’s, detection playbooks remain reactive and blind to new permutations—even when those permutations use known techniques.
Greyhound Fieldnote — In a simulation exercise led by Greyhound for a Nordic telecom operator, red team members executed BERT-style techniques using PowerShell scripts under a low-privilege user. The payload disabled shadow copies, encrypted data, and deleted itself—without triggering a single alert. The firm’s SIEM was collecting telemetry, but lacked correlation logic to flag script behaviour executed under legitimate credentials. This finding forced an architectural review of detection coverage across identity, endpoint, and script audit layers.
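As an added illustration of the session-level, behaviour-correlated detection the Standpoint and Fieldnote above call for (example code, not from the page or from Greyhound Research), the following Python scores constructed PowerShell script-block log records per host/user session rather than per event; the record shape, field names, account names and sample commands are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like PowerShell ScriptBlock logging (Event ID 4104):
# (timestamp, host, user, script text). Not real telemetry from any Greyhound client.
SAMPLE_EVENTS = [
    ("2025-07-01T02:14:05", "hv-01", "svc_backup", "Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("2025-07-01T02:14:09", "hv-01", "svc_backup", "Set-NetFirewallProfile -All -Enabled False"),
    ("2025-07-01T02:14:30", "hv-01", "svc_backup", "vssadmin delete shadows"),
    ("2025-07-01T09:00:00", "ws-17", "jdoe", "Get-Process | Sort-Object CPU -Descending"),
    ("2025-07-01T11:30:00", "ws-22", "admin2", "Set-MpPreference -DisableRealtimeMonitoring $true"),
]

# Behaviour categories rather than hashes or file names: each regex maps a publicly documented
# defence-tampering or anti-recovery action to a tactic label that the correlation step counts.
TTP_PATTERNS = {
    "tamper_av": re.compile(r"Set-MpPreference\s+-Disable\w+", re.I),
    "tamper_firewall": re.compile(r"Set-NetFirewallProfile\b.*-Enabled\s+False", re.I),
    "anti_recovery": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
}

def classify(script):
    """Return the tactic labels whose pattern matches one script block (empty set if benign)."""
    return {name for name, rx in TTP_PATTERNS.items() if rx.search(script)}

def correlate(events, window_minutes=10, threshold=2):
    """Score per (host, user) session, not per event: one hit is only REVIEW (an admin may toggle
    one control), but distinct tactics clustered inside the window become CRITICAL regardless of account trust."""
    sessions = defaultdict(list)
    for ts, host, user, script in events:
        tags = classify(script)
        if tags:
            sessions[(host, user)].append((datetime.fromisoformat(ts), tags))
    verdicts = {}
    for key, hits in sessions.items():
        hits.sort(key=lambda h: h[0])
        best = set()
        for i, (t0, _) in enumerate(hits):
            seen = set()  # distinct tactics from this hit forward, inside the window
            for t, tags in hits[i:]:
                if t - t0 <= timedelta(minutes=window_minutes):
                    seen |= tags
            best = seen if len(seen) > len(best) else best
        verdicts[key] = ("CRITICAL" if len(best) >= threshold else "REVIEW", sorted(best))
    return verdicts

if __name__ == "__main__":
    for (host, user), (severity, tactics) in correlate(SAMPLE_EVENTS).items():
        print(f"{severity:8} {host}/{user}: {', '.join(tactics)}")
```

The service-account session on the hypervisor host escalates because three different tactics land inside one window, while the lone Defender toggle on a workstation stays a review item; the same logic applies unchanged to a low-privilege user, which is the gap the Fieldnote describes.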
A Shift Toward Simpler, Stealthier, Modular Ransomware—And What It Demands of CISOs
Greyhound Flashpoint — The ransomware landscape has entered a low-code era. According to Greyhound Sector Pulse 2025, 42% of new ransomware strains observed since April 2025—including BERT, Gunra, Silent Ransom Group, and Mamona—leverage modular code, fileless execution, or offline encryption routines. The trend is clear: ransomware actors no longer need advanced toolchains to succeed—they need fast, quiet, and adaptable payloads.
Greyhound Standpoint — According to Greyhound Research, CISOs are now contending with two emerging archetypes of ransomware: “loud-lockers” like Gunra that use multithreading and anti-recovery routines to lock down systems instantly, and “quiet siphoners” like Silent Ransom Group who avoid malware entirely. Groups like Mamona represent a third hybrid—quick but malware-light, often operating offline and deleting traces post-execution. This evolution demands layered defences that prioritise blast radius containment, process forensics, and deception-based detection. Legacy AV, EDR, and perimeter tools alone cannot keep pace with this modular, multi-variant model of threat execution.
Greyhound Pulse — Per Sector Pulse 2025, only 33% of surveyed CISOs reported that their ransomware readiness exercises now include fileless or modular variants. Among organisations using MDR providers, 59% were unaware of gaps in coverage for non-C2-based attacks like Mamona. The rise of off-the-shelf ransomware kits—some selling for under $300—has flooded the ecosystem with variants that may never trip a single signature rule.
Greyhound Fieldnote — Per a recent Greyhound Fieldnote from a Middle Eastern fintech provider, the firm faced two ransomware incidents in 90 days: Gunra encrypted 200GB of user data via multithreaded payloads; later, Mamona deployed a zero-C2 ransomware that encrypted 50GB and deleted itself within 30 seconds. Neither attack was caught by existing MDR tooling. In response, the CISO mandated deployment of endpoint canaries and implemented “honeypot scripting” to detect misuse of native tools—shifting posture from detection to entrapment.

Analyst In Focus: Sanchit Vir Gogia
Sanchit Vir Gogia, or SVG as he is popularly known, is a globally recognised technology analyst, innovation strategist, digital consultant and board advisor. SVG is the Chief Analyst, Founder & CEO of Greyhound Research, a Global, Award-Winning Technology Research, Advisory, Consulting & Education firm. Greyhound Research works closely with global organizations, their CxOs and the Board of Directors on Technology & Digital Transformation decisions. SVG is also the Founder & CEO of The House Of Greyhound, an eclectic venture focusing on interdisciplinary innovation.