Pro-Ukrainian hacking group Bearlyfy has evolved from opportunistic attacks to deploying a proprietary Windows ransomware strain called GenieLocker, targeting Russian businesses with sophisticated extortion campaigns.
A pro-Ukrainian hacking collective known as Bearlyfy has escalated its cyber operations against Russian businesses, deploying a custom ransomware strain called GenieLocker that represents a significant evolution in the group's capabilities and targeting strategy.
From LockBit to Proprietary Ransomware
The group, which also operates under the alias Labubu, first emerged in January 2025 and has since conducted over 70 cyber attacks against Russian companies. Initially, Bearlyfy relied on established ransomware families including LockBit 3.0 (Black) and Babuk encryptors, targeting smaller businesses before progressively moving upmarket.
By August 2025, the group had claimed at least 30 victims, with ransom demands reaching €80,000 (approximately $92,100). The threat actors demonstrated a pattern of rapid evolution, experimenting with various toolsets before developing their own capabilities.
Technical Evolution and Toolset Development
Beginning in May 2025, Bearlyfy incorporated a modified version of PolyVice ransomware, a family historically associated with Vice Society operations. In earlier campaigns, PolyVice-based builds have been used to deliver multiple third-party lockers, including Hello Kitty, Zeppelin, RedAlert, and Rhysida ransomware.
Security researchers have identified infrastructure overlaps between Bearlyfy and PhantomCore, another pro-Ukrainian group active since 2022. While Bearlyfy conducts rapid-fire attacks with minimal preparation, PhantomCore employs more sophisticated APT-style campaigns focused on reconnaissance, persistence, and data exfiltration.
The group has also collaborated with Head Mare, another threat actor in the pro-Ukrainian cyber ecosystem. Initial access is typically gained through exploitation of external services and vulnerable applications, followed by deployment of tools like MeshAgent to establish remote access capabilities.
The GenieLocker Breakthrough
The most significant development occurred in early March 2026 when Bearlyfy began deploying GenieLocker, a proprietary ransomware family targeting Windows endpoints. This marks a departure from the group's previous reliance on third-party encryptors and demonstrates substantial technical advancement.
GenieLocker's encryption scheme draws inspiration from Venus and Trinity ransomware families, suggesting the threat actors studied existing malware architectures before developing their own variant. The ransomware represents a maturation of Bearlyfy's capabilities from opportunistic attacks to sophisticated, targeted operations.
Psychological Warfare Tactics
One of the most distinctive aspects of Bearlyfy's operations is its approach to ransom communication. Unlike typical ransomware campaigns, where notes are generated automatically by the encryption software, Bearlyfy actors craft their own messages directly.
These communications range from simple contact details to elaborate psychological pressure tactics designed to force victims into paying. This personalized approach suggests a level of sophistication beyond purely technical capabilities, indicating the group understands the human element of extortion campaigns.
Financial Impact and Success Rate
According to security vendor F6, approximately 20% of Bearlyfy's victims choose to pay the ransom, making the group's operations a profitable illicit revenue stream. Ransom demands have escalated significantly, with some reaching hundreds of thousands of dollars as the group targets larger enterprises.
Attribution and Context
The emergence of Bearlyfy highlights the growing sophistication of pro-Ukrainian cyber operations targeting Russian interests. The group's rapid evolution from experimental attacks to deploying custom ransomware against major enterprises demonstrates how quickly threat actors can develop capabilities when motivated by geopolitical objectives.
Security experts note that Bearlyfy's trajectory mirrors patterns seen in other politically motivated hacking groups, where initial experimentation gives way to more organized, financially motivated operations. The combination of political motivation and financial incentives creates a powerful driver for capability development.
Implications for Russian Businesses
Russian enterprises now face an evolving threat landscape where previously opportunistic attackers have developed sophisticated capabilities. The deployment of custom ransomware like GenieLocker suggests these groups are investing in long-term operations rather than one-off attacks.
Organizations in the targeted region should expect continued evolution of these threat actors' capabilities, with potential for even more sophisticated attacks as groups like Bearlyfy refine their techniques and expand their targeting criteria.
The case of Bearlyfy demonstrates how quickly cyber threat actors can evolve from using existing tools to developing custom capabilities, particularly when operating in a politically charged environment with financial incentives.