Pro-Ukrainian Group Bearlyfy Escalates Cyber Attacks on Russian Entities, Deploying New GenieLocker Ransomware

Cahyo Dewo, March 29, 2026

Since its emergence in the threat landscape in January 2025, the pro-Ukrainian cyber group known as Bearlyfy, also identified as Labubu, has been attributed to over 70 distinct cyber attacks targeting Russian companies. The group’s latest and most significant tactical evolution involves the deployment of a custom Windows ransomware strain, codenamed GenieLocker, marking a critical escalation in its operational capabilities and threat posed to Russian businesses. This development underscores the persistent and evolving nature of cyber warfare intersecting with geopolitical conflicts, as reported by Russian security vendor F6. The dual objectives of Bearlyfy’s campaigns—extortion for financial gain and acts of sabotage—highlight a hybrid approach that aims to inflict maximum economic and operational disruption on its targets.

From Genesis to Escalation: A Timeline of Bearlyfy’s Operations

Bearlyfy first came to public attention through documentation by F6 in September 2025. Initially, the group’s activities were characterized by the opportunistic leveraging of existing ransomware families, specifically encryptors associated with LockBit 3 (Black) and Babuk. These early intrusions primarily focused on smaller companies, likely as a proving ground for their methodologies and an initial source of illicit revenue. As the group gained experience and confidence, its operations expanded in scope and ambition. By August 2025, Bearlyfy had already claimed at least 30 victims, demonstrating a rapid increase in operational tempo and reach. Concurrently, the group began to escalate its ransom demands, with initial figures reaching approximately €80,000 (around $92,100), signaling a clear intent to maximize financial returns from their malicious activities.

The rapid progression from targeting smaller entities with relatively modest demands to challenging larger enterprises with significant financial expectations reflects a group quickly maturing in its operational framework. This evolution is not uncommon in the cybercriminal underworld, where initial successes often fuel further investment in tools, infrastructure, and talent. However, Bearlyfy’s overt pro-Ukrainian stance introduces a complex layer of motivation, blending traditional cybercrime’s profit motive with elements of politically charged hacktivism, aiming to destabilize adversaries through digital means.

Evolving Arsenal: From Off-the-Shelf to Custom Ransomware

Bearlyfy’s operational history reveals a dynamic adaptation of its toolset, indicative of a group continuously seeking more effective and potent methods of attack.

  • Early Encryptors and Tactical Adaptations:
    Beginning in May 2025, a significant shift in Bearlyfy’s ransomware arsenal was observed. The group started utilizing a modified version of PolyVice, a ransomware family originally attributed to Vice Society. Vice Society, also known by its threat actor designations DEV-0832 or Vanilla Tempest, has a documented history of deploying a variety of third-party lockers in its campaigns, including notorious strains such as Hello Kitty, Zeppelin, RedAlert, and Rhysida ransomware. Bearlyfy’s adoption and modification of PolyVice suggest an effort to enhance their capabilities by incorporating proven, robust encryption mechanisms while potentially customizing them for their specific operational needs or to evade detection. This move away from purely off-the-shelf LockBit or Babuk variants towards a modified, more specialized tool like PolyVice marked an important step in their technical development. The use of PolyVice also hinted at a possible learning curve or even direct collaboration with elements familiar with Vice Society’s operations, allowing Bearlyfy to quickly integrate sophisticated attack methodologies.

  • The Arrival of GenieLocker: A New Threat Vector:
    The most noteworthy strategic and technical shift in Bearlyfy’s modus operandi came to light in March 2026 with the introduction of GenieLocker. This proprietary ransomware family is specifically designed to target Windows endpoints, signifying Bearlyfy’s transition from relying on adapted third-party tools to developing its own bespoke malicious software. F6’s analysis indicates that GenieLocker’s encryption scheme draws inspiration from established ransomware families such as Venus and Trinity, suggesting a thorough understanding of effective cryptographic principles and a deliberate attempt to create a potent and resilient locker.

    The development of GenieLocker is a critical indicator of Bearlyfy’s increasing sophistication and commitment to its objectives. Custom ransomware strains offer several advantages to threat actors, including greater control over the attack lifecycle, reduced reliance on external developers or marketplaces, and enhanced ability to tailor the malware’s features for specific targets or operational environments. Furthermore, proprietary ransomware can often bypass standard security detections that are configured to identify known signatures of widely distributed malware, presenting a more formidable challenge for defenders. This bespoke tool allows Bearlyfy to operate with greater autonomy and potentially increase the success rate of their encryption attacks, solidifying their position as a significant and evolving threat.

The Modus Operandi: Speed, Pressure, and Unique Demands

Bearlyfy’s operational tactics are characterized by distinct features that set it apart from many other ransomware groups. Their attacks are described by F6 as "rapid-fire," indicating minimal preparation time and swift execution. This approach prioritizes speed in data encryption, aiming to compromise systems and encrypt valuable information before defenders can react effectively. Such rapid execution can be particularly devastating for organizations with limited real-time monitoring or incident response capabilities.

A particularly distinctive trait of Bearlyfy’s ransomware attacks, especially with the introduction of GenieLocker, is the manual generation of ransom notes. Unlike many ransomware strains that automatically drop or display a standardized ransom message upon encryption, Bearlyfy’s actors opt for a more hands-on approach. This involves directly crafting and sharing "next steps" with victims, which can range from simple contact details to elaborate messages designed to exert psychological pressure. This personalized approach to victim interaction suggests a deliberate strategy to maximize the likelihood of ransom payment. By tailoring messages, attackers can play on a victim’s specific pressure points, leverage information gathered during the breach, or simply create a more convincing and intimidating narrative, thereby increasing the perceived urgency and hopelessness of the situation for the victim. This method also allows for dynamic negotiation tactics, adapting to the victim’s responses and potentially increasing the final ransom amount.

Initial access for Bearlyfy’s attacks typically relies on the exploitation of external services and vulnerable applications. This often involves scanning for publicly exposed services with known weaknesses, such as unpatched software, weak credentials, or misconfigurations. Once initial access is gained, the group deploys tools like MeshAgent to establish remote access. MeshAgent, a legitimate remote management tool, is frequently abused by threat actors for covert access and control over compromised systems. Its use facilitates further malicious activities, including data exfiltration, lateral movement within the network, and ultimately, the encryption, destruction, or modification of critical data. The combination of rapid infiltration, sophisticated remote access, and psychologically driven ransom demands paints a picture of a highly adaptive and effective cyber adversary.

Interconnections and Collaborations: The Broader Pro-Ukrainian Cyber Landscape

Bearlyfy does not operate in isolation but appears to be part of a broader network of pro-Ukrainian cyber actors, demonstrating overlaps and collaborations with other groups sharing similar geopolitical interests.

  • Overlaps with PhantomCore: A Tale of Two Approaches:
    Further analysis of Bearlyfy’s toolset and infrastructure has uncovered overlaps with PhantomCore, another group assessed to be operating with Ukrainian interests in mind. PhantomCore has been known to target Russian and Belarusian companies since 2022, indicating a longer operational history in the context of the ongoing conflict. However, while sharing a similar geopolitical alignment, the operational methodologies of Bearlyfy and PhantomCore exhibit distinct differences. PhantomCore is characterized by its Advanced Persistent Threat (APT)-style campaigns, which involve extensive reconnaissance, meticulous planning, establishment of long-term persistence within target networks, and sophisticated data exfiltration operations. This contrasts sharply with Bearlyfy’s "rapid-fire attacks," which prioritize swift encryption and disruption. These differences suggest a division of labor or specialized roles within the broader pro-Ukrainian cyber ecosystem, with some groups focusing on long-term intelligence gathering and others on immediate disruptive impact and financial gain. The overlap could indicate shared resources, intelligence, or even personnel, operating under different guises for distinct tactical objectives.

  • Strategic Alliances: The Case of Head Mare:
    Beyond PhantomCore, Bearlyfy is also reported to have collaborated with Head Mare, another entity in the pro-Ukrainian cyber landscape. Such collaborations are common in the cybercriminal and hacktivist spheres, allowing groups to pool resources, share expertise, or jointly execute complex operations. These alliances can amplify the impact of individual groups, providing access to a wider range of targets, more sophisticated tools, or greater resilience against countermeasures. The existence of these interconnections underscores the organized nature of certain elements within the pro-Ukrainian cyber front, moving beyond isolated acts of hacktivism to more coordinated and impactful campaigns.

Financial Impact and the Cost of Cyber Warfare

The financial implications of Bearlyfy’s attacks are substantial, proving to be an illicit yet lucrative revenue stream for the group. According to data compiled by F6, approximately one in five victims of Bearlyfy’s attacks ultimately opt to pay the demanded ransom. This relatively high payment rate, compared to industry averages for ransomware, highlights the effectiveness of Bearlyfy’s tactics, including their rapid encryption, the critical nature of the data they target, and their psychologically manipulative ransom notes.

The initial ransom demands, which started around €80,000, have reportedly escalated significantly, now reaching "hundreds of thousands of dollars." This upward trend in demands reflects Bearlyfy’s increasing confidence, its ability to target larger and more valuable enterprises, and potentially a greater perceived success rate in extorting payments. For Russian businesses, these attacks represent not only direct financial losses from ransom payments but also significant costs associated with business disruption, data recovery, reputational damage, and enhanced cybersecurity measures. The economic toll inflicted by Bearlyfy and similar groups contributes to the broader financial strain on Russian industries, adding a digital dimension to ongoing geopolitical pressures.

Expert Analysis and the Strategic Implications

The trajectory of Bearlyfy, as observed by cybersecurity experts, presents a stark example of rapid evolution within a threat group. F6 analysts noted that "While in its early stages, Bearlyfy members demonstrated a lack of sophistication and were clearly experimenting with various techniques and toolsets, within the span of a single year, this group has evolved into a veritable nightmare for Russian businesses — including major enterprises." This assessment underscores the adaptability and learning capacity of the group, transforming from amateurish experimentation to professional-grade cyber operations.

The strategic implications of Bearlyfy’s activities are multifaceted. Firstly, they demonstrate the growing role of non-state actors in geopolitical conflicts, blurring the lines between traditional warfare, state-sponsored cyber operations, and financially motivated cybercrime. Groups like Bearlyfy leverage ideological motivations to justify their actions, while simultaneously capitalizing on the lucrative nature of ransomware. Secondly, the deployment of custom ransomware like GenieLocker signifies a significant leap in technical capability, making the group more independent and harder to track and defend against. This trend among hacktivist groups to develop their own tools rather than relying solely on publicly available or stolen malware increases the complexity of the threat landscape.

Thirdly, the consistent targeting of Russian companies, coupled with the group’s pro-Ukrainian stance, clearly positions Bearlyfy’s actions within the broader cyber conflict surrounding the Russia-Ukraine war. These attacks serve not only as a means of financial gain but also as a form of digital protest and disruption, aiming to undermine the economic stability and operational capabilities of the adversary. The willingness of a significant portion of victims to pay ransoms further incentivizes such groups, perpetuating a cycle of attack and extortion. The psychological pressure exerted through custom ransom notes also suggests a calculated effort to maximize panic and compliance, exploiting the stress of a cyberattack for strategic advantage.

Mitigating the Threat: Recommendations for Russian Enterprises

Given the escalating threat posed by groups like Bearlyfy, Russian enterprises face an urgent need to bolster their cybersecurity defenses. Cybersecurity experts widely recommend a multi-layered approach to protection. Key recommendations include:

  1. Robust Patch Management: Regularly updating and patching all external services and applications is paramount to close common exploitation vectors used for initial access.
  2. Strong Authentication and Access Control: Implementing multi-factor authentication (MFA) across all systems and enforcing strict least privilege principles can prevent unauthorized access and lateral movement.
  3. Endpoint Detection and Response (EDR) Solutions: Deploying advanced EDR solutions can help detect and respond in real time to suspicious activities, including the deployment of remote access tools like MeshAgent and ransomware strains like GenieLocker.
  4. Data Backup and Recovery: Maintaining isolated, immutable backups of critical data is crucial for recovery without resorting to ransom payments. Regular testing of these backup and recovery procedures is essential.
  5. Employee Training: Educating employees about phishing, social engineering, and other common attack vectors can significantly reduce the risk of initial compromise.
  6. Network Segmentation: Segmenting networks can limit the spread of ransomware once an intrusion occurs, protecting critical assets from widespread encryption.
  7. Incident Response Plan: Developing and regularly rehearsing a comprehensive incident response plan ensures a swift and effective reaction to a cyberattack, minimizing damage and downtime.
  8. Threat Intelligence Sharing: Engaging with cybersecurity intelligence platforms and sharing threat indicators can help organizations stay ahead of evolving tactics, techniques, and procedures (TTPs) used by groups like Bearlyfy.
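One way to put recommendation 3 and the MeshAgent observation above into practice, as an added example that is not part of the article or of F6’s research: a small Python triage script that runs over constructed Windows event records (System log 7045 service installs and Sysmon event 1 process creations) and flags MeshAgent deployments on hosts where it is not sanctioned, plus web-server worker processes spawning children, a common trace of an exploited external service. The "Mesh Agent" service name, the MeshAgent.exe binary name, the host allowlist and the key="value" log format are all assumptions.

```python
import re
from dataclasses import dataclass

# Assumed indicator: the stock MeshCentral agent installs a Windows service
# named "Mesh Agent" running MeshAgent.exe; extend for other RMM tools.
RMM_TOOLS = {"meshagent": ("mesh agent", "meshagent.exe")}
# Constructed allowlist: hosts where MeshAgent is a sanctioned admin tool.
SANCTIONED_HOSTS = {"itops-jump01"}
# Web-server workers that should rarely spawn children (exploitation sign).
WEB_WORKERS = ("w3wp.exe", "httpd.exe", "nginx.exe", "tomcat9.exe")

# Constructed records in a key="value" flattening of Windows events:
# System log 7045 (new service installed) and Sysmon 1 (process creation).
SAMPLE_LOGS = r"""
host="fs-acct-02" event_id="7045" service_name="Mesh Agent" image_path="C:\Program Files\Mesh Agent\MeshAgent.exe" user="CORP\svc_backup"
host="fs-acct-02" event_id="1" image="C:\Program Files\Mesh Agent\MeshAgent.exe" parent="C:\Windows\System32\services.exe" user="NT AUTHORITY\SYSTEM"
host="itops-jump01" event_id="7045" service_name="Mesh Agent" image_path="C:\Program Files\Mesh Agent\MeshAgent.exe" user="CORP\itops"
host="web-dmz-01" event_id="1" image="C:\Windows\Temp\update.exe" parent="C:\Windows\System32\inetsrv\w3wp.exe" user="IIS APPPOOL\DefaultAppPool"
host="hr-01" event_id="7045" service_name="Print Spooler" image_path="C:\Windows\System32\spoolsv.exe" user="NT AUTHORITY\SYSTEM"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')

@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str

def parse_event(line):
    """Parse one key="value" record into a dict."""
    return dict(KV_RE.findall(line))

def basename(path):
    """Lower-cased file name of a Windows or POSIX path ('' if empty)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Return the Findings raised by one parsed event (may be empty)."""
    findings = []
    host, eid = ev.get("host", "?"), ev.get("event_id", "")
    svc = ev.get("service_name", "").lower()
    image = basename(ev.get("image_path") or ev.get("image") or "")
    # Rule 1: RMM agent installed (7045) or executed (Sysmon 1) on a host
    # where it is not sanctioned.
    for tool, (svc_name, binary) in RMM_TOOLS.items():
        if (svc == svc_name or image == binary) and host not in SANCTIONED_HOSTS:
            findings.append(Finding(host, "unsanctioned_rmm",
                                    f"{tool} via event {eid} as {ev.get('user', '?')}"))
    # Rule 2: a web-server worker process spawned a child.
    if eid == "1" and basename(ev.get("parent", "")) in WEB_WORKERS:
        findings.append(Finding(host, "web_worker_child",
                                f"{ev.get('parent')} -> {ev.get('image')}"))
    return findings

def scan(log_text):
    """Run both rules over every non-blank record; returns a list of Findings."""
    return [f for line in log_text.splitlines() if line.strip()
            for f in check_event(parse_event(line))]
```

Running `scan(SAMPLE_LOGS)` yields three findings: two for the unsanctioned MeshAgent on fs-acct-02 and one for the w3wp.exe child on web-dmz-01, while the sanctioned jump host and the spooler service install are ignored.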

The Unfolding Cyber Conflict: A Persistent Threat

The activities of Bearlyfy are a stark reminder of the ongoing and evolving nature of cyber conflict in the modern geopolitical landscape. The group’s journey from rudimentary operations to the deployment of sophisticated custom ransomware within a short span of time highlights the dynamic threat environment faced by organizations operating in politically sensitive regions. As long as geopolitical tensions persist, the digital battleground will continue to be a significant arena for disruption, espionage, and financial warfare. The international cybersecurity community remains vigilant, monitoring the tactics of groups like Bearlyfy, as their evolution offers critical insights into the future trajectory of cyber threats and the complex interplay between profit and political motivation in the digital realm. The "veritable nightmare" for Russian businesses, as described by F6, is a testament to the significant and enduring impact of these hybrid cyber operations.
