Bearlyfy Cyber Group Hits 70+ Russian Firms with Custom GenieLocker Ransomware in Evolving Attack Strategy

Bearlyfy’s Cyber Onslaught: Over 70 Russian Firms Targeted with Custom GenieLocker Ransomware

Since its emergence in January 2025, the pro-Ukrainian cyber group known as Bearlyfy has orchestrated a series of cyber attacks against Russian enterprises, culminating in over 70 incidents to date. The group’s latest offensive involves the deployment of a bespoke Windows ransomware variant named GenieLocker, marking a significant evolution in their cyber warfare tactics.

Bearlyfy’s Dual-Purpose Strategy

Operating under the alias Labubu, Bearlyfy’s mission is twofold: to inflict substantial damage on Russian businesses through financial extortion and to execute acts of sabotage. This dual approach underscores the group’s intent to destabilize and disrupt Russian corporate operations.

Evolution of Attack Methods

Initially documented by Russian cybersecurity firm F6 in September 2025, Bearlyfy’s early operations utilized encryptors linked to LockBit 3 (Black) and Babuk ransomware. These initial attacks primarily targeted smaller companies, with ransom demands escalating to approximately €80,000 (around $92,100). By August 2025, the group had claimed at least 30 victims, signaling a rapid expansion in their activities.

In May 2025, Bearlyfy incorporated a modified version of PolyVice ransomware into their arsenal. PolyVice is associated with the Vice Society group, known for deploying various third-party lockers such as Hello Kitty, Zeppelin, RedAlert, and Rhysida ransomware. This strategic shift indicates Bearlyfy’s adaptability and willingness to leverage existing ransomware tools to enhance their attack capabilities.

Connections to Other Threat Actors

Further analysis reveals operational overlaps between Bearlyfy and PhantomCore, another group aligned with Ukrainian interests. Since 2022, PhantomCore has targeted Russian and Belarusian companies, suggesting a coordinated effort among pro-Ukrainian cyber entities. Additionally, Bearlyfy is reported to have collaborated with Head Mare, further expanding their network and resources.

Tactics and Techniques

Bearlyfy’s attack methodology typically begins with exploiting vulnerabilities in external services and applications to gain initial access. Once inside, they deploy tools like MeshAgent to establish remote access, facilitating data encryption, destruction, or modification. This approach contrasts with PhantomCore’s more traditional Advanced Persistent Threat (APT) campaigns, which emphasize reconnaissance, persistence, and data exfiltration.

A distinctive feature of Bearlyfy’s operations is the rapid execution of attacks with minimal preparation. Unlike conventional ransomware campaigns where ransom notes are generated automatically by the malware, Bearlyfy’s attackers craft these notes manually. This tactic allows for personalized messages designed to exert psychological pressure on victims, increasing the likelihood of ransom payment.
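Two detection ideas follow from this section: an unexpected remote-management agent such as MeshAgent appearing as a new Windows service on a host where nobody installed it, and an encryption burst that is not accompanied by a dropped ransom-note file (since Bearlyfy writes its notes by hand, a detection that waits for a "README"-style note will miss the attack). The script below is an added illustration written for this page, not code from F6, the article, or Bearlyfy's tooling. It assumes MeshAgent's default service name "Mesh Agent" and binary name MeshAgent.exe, a simplified flattened event schema, a placeholder ".locked" extension (GenieLocker's real extension is not given on the page), and constructed sample telemetry; thresholds are illustrative.

```python
"""Detection sketch: unapproved MeshAgent installs and file-encryption bursts.

Added example for this page; the event schema and all hosts, paths and
timestamps are constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: MeshAgent's default service name and binary name.
REMOTE_AGENT_MARKERS = ("mesh agent", "meshagent")


def _constructed_events():
    """Build a small, labelled sample of flattened Windows/EDR events."""
    base = datetime(2026, 3, 2, 9, 30, 0)
    events = [
        # New-service events (think System log 7045) on two hosts.
        {"ts": "2026-03-02T09:14:05", "host": "FS01", "event": "service_install",
         "service": "Mesh Agent", "image": r"C:\Program Files\Mesh Agent\MeshAgent.exe"},
        {"ts": "2026-03-02T09:14:06", "host": "ADMIN-JUMP", "event": "service_install",
         "service": "Mesh Agent", "image": r"C:\Program Files\Mesh Agent\MeshAgent.exe"},
        {"ts": "2026-03-02T09:20:00", "host": "FS01", "event": "service_install",
         "service": "Sysmon64", "image": r"C:\Windows\Sysmon64.exe"},
    ]
    # Burst: 40 extension-changing renames on a file server within 40 seconds.
    # ".locked" is a placeholder, not GenieLocker's actual extension.
    for i in range(40):
        events.append({"ts": (base + timedelta(seconds=i)).isoformat(), "host": "FS01",
                       "event": "file_rename",
                       "old": rf"\\FS01\share\doc{i}.docx",
                       "new": rf"\\FS01\share\doc{i}.docx.locked"})
    # Benign: a few editor temp-file renames on a workstation.
    for i in range(3):
        events.append({"ts": (base + timedelta(seconds=i * 10)).isoformat(), "host": "WS07",
                       "event": "file_rename",
                       "old": rf"C:\Users\a\report{i}.tmp",
                       "new": rf"C:\Users\a\report{i}.docx"})
    return events


SAMPLE_EVENTS = _constructed_events()


def detect_unapproved_remote_agents(events, approved_hosts):
    """Flag remote-management agent service installs on hosts not on the allowlist."""
    hits = []
    for e in events:
        if e["event"] != "service_install":
            continue
        blob = (e["service"] + " " + e["image"]).lower()
        if any(m in blob for m in REMOTE_AGENT_MARKERS) and e["host"] not in approved_hosts:
            hits.append((e["host"], e["service"], e["image"]))
    return hits


def _ext(path):
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_encryption_bursts(events, window=timedelta(seconds=60), threshold=25):
    """Per host, count extension-changing renames in a sliding time window.

    No ransom-note file creation is required to alert: the signal is the
    rename burst itself, which survives attackers who deliver notes manually.
    Returns {host: peak_count} for hosts that crossed the threshold.
    """
    per_host = defaultdict(list)
    for e in events:
        if e["event"] == "file_rename" and _ext(e["old"]) != _ext(e["new"]):
            per_host[e["host"]].append(datetime.fromisoformat(e["ts"]))
    alerts = {}
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[host] = max(alerts.get(host, 0), count)
    return alerts


if __name__ == "__main__":
    print("unapproved remote agents:",
          detect_unapproved_remote_agents(SAMPLE_EVENTS, {"ADMIN-JUMP"}))
    print("encryption bursts:", detect_encryption_bursts(SAMPLE_EVENTS))
```

Run against the constructed sample, the first detector reports only FS01 (ADMIN-JUMP is on the allowlist, and Sysmon is not a remote-access agent), and the second reports FS01 with a peak of 40 extension-changing renames inside the window while the workstation's three temp-file renames stay below threshold. In production the allowlist would come from asset inventory and the rename feed from an EDR or file-server audit log; the point of the design is that neither detector depends on the malware writing a ransom note.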

Financial Impact and Ransom Demands

Bearlyfy’s activities have proven financially lucrative, with approximately 20% of victims opting to pay the ransom. The group’s ransom demands have escalated over time, reaching into the hundreds of thousands of dollars. This trend reflects both the increasing sophistication of their attacks and the significant impact on targeted organizations.

Introduction of GenieLocker Ransomware

In March 2026, Bearlyfy introduced GenieLocker, a proprietary ransomware targeting Windows systems. GenieLocker’s encryption scheme draws inspiration from the Venus and Trinity ransomware families, indicating a strategic evolution in Bearlyfy’s technical capabilities. Notably, the ransom notes associated with GenieLocker are not automatically generated by the malware. Instead, the attackers deliver these notes through alternative methods, such as direct communication, to enhance the psychological impact on victims.

Conclusion

Bearlyfy’s rapid progression from unsophisticated attacks to complex, coordinated cyber operations within a year underscores the evolving threat landscape faced by Russian businesses. The group’s ability to adapt and innovate poses a significant challenge to cybersecurity defenses, highlighting the need for continuous vigilance and advanced protective measures.