New Ransomware Group Everest Targets Healthcare and Tech Firms
Ransomware Group everest Hits: Rezayat Group
In a recent cybersecurity incident, the Rezayat Group suffered a ransomware attack by the group known as everest. The breach occurred on July 8, 2025, and was discovered on July 13, 2025.
Incident Report
| Attribute | Information |
|---|---|
| Target Organization | Rezayat Group |
| Threat Group | everest |
| Summary | Rezayat Group is a diversified multinational conglomerate based in Saudi Arabia, engaged in sectors such as oil & gas, petrochemicals, power generation, construction, real estate, trading, and healthcare. They collaborate with various global partners to provide services and products worldwide. |
| Date of Breach | July 8, 2025 |
| Discovery Date | July 13, 2025 |
| Region | Saudi Arabia |
| Business Sector | Manufacturing |
Disclaimer: HookPhish does not engage in the exfiltration, downloading, taking, hosting, viewing, reposting, or disclosure of any stolen information. All reported breach data is sourced from publicly available threat intelligence feeds for awareness purposes only.
Beware of Bert: New Ransomware Group Targets Healthcare and Tech Firms
A new ransomware group named Bert has reportedly breached organizations across Asia, Europe, and the U.S., particularly targeting the healthcare, technology, and event services sectors. Researchers from Trend Micro first identified the group in April 2023, detailing their findings in a report.
The ransomware has been known to infect both Windows and Linux systems. Although the method of initial access remains unclear, researchers found a PowerShell script that disables security tools on the infected systems before downloading and executing the ransomware.
Once the ransomware is inside a system, it leaves a ransom note stating: “Hello from Bert! Your network is hacked and files are encrypted,” along with instructions for contacting the attackers to negotiate payment. The ransomware is under active development, with several variants observed.
While no specific actor has been formally linked to these attacks, the use of Russian infrastructure may indicate ties to groups operating in or affiliated with the region. Some researchers suggest that Bert may have roots in the Linux variant of REvil, a notorious ransomware gang that was dismantled in 2021. Elements of REvil's code appear to have been reused in Bert.
Earlier in June, a Russian court sentenced members of the REvil gang to five years in prison but released them immediately after the verdict, citing time served in pre-trial detention. This case was unrelated to REvil’s high-profile ransomware attacks and involved trafficking stolen payment data and the use of malicious software for carding fraud.