Bearlyfy hits Russian firms with custom GenieLocker ransomware

April 1, 2026 · 6 min read · 1 source

Introduction: A new front in the cyber war

Since its emergence in January 2025, a pro-Ukrainian threat group known as Bearlyfy has escalated its operations against Russian interests, culminating in a high-impact campaign leveraging a custom ransomware strain dubbed GenieLocker. Security researchers have attributed over 70 distinct cyber attacks to the group, also tracked as Labubu, marking a significant evolution from disruptive hacktivism to sophisticated, destructive cybercrime.

Bearlyfy operates with a clear ideological motive: to inflict maximum damage on the Russian economy and corporate infrastructure. The group’s recent adoption of ransomware signals a strategic shift, combining the financial disruption of data encryption with the potential for politically motivated data leaks. This analysis examines the technical underpinnings of GenieLocker, its impact on targeted organizations, and the defensive measures necessary to counter this evolving threat.

Technical analysis of the GenieLocker campaign

The success of the GenieLocker campaign hinges on a multi-stage attack chain that demonstrates the group's growing capabilities. Bearlyfy’s tactics, techniques, and procedures (TTPs) blend common attack vectors with custom tooling designed for evasion and widespread damage.

Initial access vectors

Analysis of the attacks indicates that Bearlyfy gains initial entry through several well-established methods. The primary vectors include:

  • Exploitation of Public-Facing Applications: The group actively scans for and exploits unpatched vulnerabilities in internet-facing infrastructure. Commonly targeted flaws include those in VPN gateways and remote access solutions, which have become frequent targets for ransomware operators worldwide.
  • Credential Compromise: Bearlyfy leverages stolen credentials acquired from dark web marketplaces or through successful phishing campaigns. Spear-phishing emails tailored to employees of Russian companies are used to trick victims into revealing their login details or executing malicious attachments.
  • Supply Chain Attacks: In some instances, the group is believed to have compromised trusted third-party software vendors used by their ultimate targets, using software updates as a delivery mechanism for their initial payload.

GenieLocker's operational mechanics

Once inside a network, Bearlyfy deploys GenieLocker, a custom Windows ransomware variant designed for both destruction and leverage. Unlike purely financially motivated ransomware, GenieLocker is described as a “dual-purpose” tool. Before initiating the encryption process, associated modules exfiltrate large volumes of sensitive data to actor-controlled servers. This tactic serves two purposes: it provides material for future data leaks to publicly shame victims and adds pressure on them beyond simple operational disruption.

The ransomware itself exhibits several destructive features:

  • Strong Encryption: GenieLocker uses a hybrid encryption scheme, employing AES-256 to encrypt individual files and an RSA-2048 key to protect the AES key. This makes recovery without the attackers' private key computationally infeasible. Encrypted files are often appended with a unique extension, such as .genie.
  • Anti-Recovery Measures: To prevent restoration, the malware executes commands to delete Volume Shadow Copies (VSS), effectively wiping out Windows' built-in file recovery snapshots. It also attempts to identify and terminate backup software processes and other security tools.
  • Lateral Movement: After compromising an initial endpoint, the attackers use post-exploitation tools like PsExec and exploit internal network protocols to move laterally across the network. This allows them to deploy GenieLocker to critical servers, including domain controllers and file servers, to maximize the scope of the encryption.
  • Persistence: The malware establishes persistence through methods like creating scheduled tasks or modifying registry run keys, ensuring it can re-execute if a compromised machine is rebooted before the full encryption routine is complete.

After encryption, a ransom note is dropped in each affected directory. The note typically contains a politically charged message alongside instructions for contacting the attackers, usually through a secure messaging platform or a dark web portal.
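The pre-encryption behaviours listed above (shadow-copy deletion, killing backup processes, PsExec lateral movement, scheduled-task and Run-key persistence) all show up as process-creation events before any file is encrypted, which is the point at which a defender still has something to save. The following is an added example, not code from the article or from any vendor: it runs narrow command-line rules over a constructed Windows process-creation log and then correlates hits per host, so that a single scheduled task created by an administrator stays a medium-severity triage item while several distinct behaviours on one host within minutes become a high-severity alert. Host names, user names, paths and the `backupagent.exe` process name are made up for the demonstration.

```python
"""Detection of GenieLocker-style pre-encryption behaviour in Windows process-creation logs.

Added example, not code from the article or any vendor. Hosts, users, paths and the
backup process name below are constructed for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Rule name -> pattern over the command line. Patterns are kept narrow on purpose:
# "vssadmin list shadows" (a normal admin query) must not trigger the VSS rule.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)),
    ("backup_process_kill",
     re.compile(r"\btaskkill(\.exe)?\b.*\s/im\s+\S*backup\S*", re.I)),
    ("psexec_remote_exec",
     re.compile(r"\bpsexec(64)?(\.exe)?\s+\\\\\S+", re.I)),
    ("scheduled_task_persistence",
     re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I)),
    ("run_key_persistence",
     re.compile(r"\breg(\.exe)?\s+add\s+\S*\\CurrentVersion\\Run\b", re.I)),
]

# Constructed sample log, one process-creation event per line (timestamp host user cmdline).
SAMPLE_LOG = """\
2026-04-01T09:00:01 host=WS-1204 user=corp\\j.ivanov cmdline=notepad.exe C:\\Users\\j.ivanov\\report.txt
2026-04-01T09:05:10 host=WS-1204 user=corp\\j.ivanov cmdline=vssadmin list shadows
2026-04-01T09:12:44 host=FS-01 user=NT AUTHORITY\\SYSTEM cmdline=vssadmin.exe delete shadows /all /quiet
2026-04-01T09:12:45 host=FS-01 user=NT AUTHORITY\\SYSTEM cmdline=wmic shadowcopy delete
2026-04-01T09:12:47 host=FS-01 user=NT AUTHORITY\\SYSTEM cmdline=taskkill /f /im backupagent.exe
2026-04-01T09:13:02 host=FS-01 user=NT AUTHORITY\\SYSTEM cmdline=schtasks /create /tn WinUpdateSvc /tr C:\\ProgramData\\svc.exe /sc onlogon
2026-04-01T09:13:05 host=FS-01 user=NT AUTHORITY\\SYSTEM cmdline=reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v svc /t REG_SZ /d C:\\ProgramData\\svc.exe
2026-04-01T09:20:30 host=WS-1204 user=corp\\j.ivanov cmdline=PsExec.exe \\\\DC-01 -s -d C:\\Temp\\svc.exe
2026-04-01T15:40:00 host=WS-0099 user=corp\\it.admin cmdline=schtasks /create /tn Inventory /tr C:\\Tools\\inv.exe /sc daily
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>.*?) cmdline=(?P<cmd>.*)$")


def parse_events(log_text):
    """Parse the key=value lines into dicts with a real datetime."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def match_rules(events):
    """Return one hit per (event, rule) pair whose command line matches."""
    return [
        {"ts": ev["ts"], "host": ev["host"], "user": ev["user"], "rule": name, "cmd": ev["cmd"]}
        for ev in events
        for name, pat in RULES
        if pat.search(ev["cmd"])
    ]


def correlate(hits, window=timedelta(minutes=15), min_rules=2):
    """Per host, find the largest set of distinct rules firing inside `window`.

    One hit alone (e.g. an admin creating a scheduled task) stays 'medium' and needs
    triage; several different behaviours on one host within minutes is 'high'.
    """
    by_host = defaultdict(list)
    for h in hits:
        by_host[h["host"]].append(h)
    alerts = {}
    for host, hs in by_host.items():
        hs.sort(key=lambda h: h["ts"])
        best = set()
        for i, start in enumerate(hs):
            names = {h["rule"] for h in hs[i:] if h["ts"] - start["ts"] <= window}
            if len(names) > len(best):
                best = names
        severity = "high" if len(best) >= min_rules else "medium"
        alerts[host] = {"severity": severity, "rules": sorted(best)}
    return alerts


def run_detection(log_text=SAMPLE_LOG):
    hits = match_rules(parse_events(log_text))
    return hits, correlate(hits)


if __name__ == "__main__":
    hits, alerts = run_detection()
    for h in hits:
        print(f"{h['ts'].isoformat()} {h['host']:<8} {h['rule']:<28} {h['cmd']}")
    for host, a in alerts.items():
        print(f"{host}: {a['severity']} ({', '.join(a['rules'])})")
```

In the sample, FS-01 accumulates four distinct behaviours in under a minute and is rated high, while the PsExec launch from the workstation and the administrator's daily inventory task each produce a single medium hit. The correlation step is what keeps the rules narrow enough to be useful on a real estate: any one of these commands has a legitimate use, but the combination within a short window rarely does.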

Impact assessment

The Bearlyfy campaign has had a significant and direct impact on the Russian business sector. The targeting of over 70 companies across various industries—including manufacturing, logistics, and technology—suggests a strategy aimed at creating widespread economic disruption rather than targeting a single high-value entity.

For the affected organizations, the consequences are severe:

  • Operational Downtime: The encryption of critical systems leads to an immediate halt in business operations, causing substantial financial losses for every hour of downtime.
  • Data Loss and Extortion: With the dual threat of permanent data loss and public exposure of exfiltrated information, victims are placed in a difficult position. Even if backups are available, the threat of leaking sensitive corporate data, intellectual property, or customer information remains.
  • Reputational Damage: Successful cyber attacks and subsequent data leaks erode trust among customers, partners, and investors, leading to long-term reputational harm.

The broader impact extends to the Russian economy, potentially disrupting supply chains and undermining confidence in the country's cybersecurity posture. This campaign highlights the vulnerability of enterprises in a heightened geopolitical conflict, where they become direct targets for ideologically motivated threat actors.

How to protect yourself

Defending against threats like GenieLocker requires a multi-layered security strategy focused on hardening defenses and preparing for incident response. Organizations should prioritize the following actions:

  1. Aggressive Patch Management: Bearlyfy's reliance on exploiting known vulnerabilities is its greatest weakness. Organizations must implement a strict patch management program to ensure all internet-facing systems, especially VPNs, web servers, and remote desktop services, are updated promptly.
  2. Secure Remote Access: Enforce multi-factor authentication (MFA) on all remote access accounts without exception. Regularly audit accounts and permissions, adhering to the principle of least privilege. Consider using a reliable VPN service with a strong security track record to encrypt traffic and secure connections for remote workers.
  3. Network Segmentation: Divide your network into smaller, isolated segments. This can contain a breach to one area, preventing an attacker from moving laterally to encrypt the entire network. Critical assets should be on the most protected segments.
  4. Immutable Backups: Maintain a comprehensive backup strategy following the 3-2-1 rule (three copies of data, on two different media, with one copy off-site and offline). Immutable or air-gapped backups are essential as they cannot be altered or deleted by ransomware. Regularly test your data restoration process.
  5. Endpoint Detection and Response (EDR): Deploy advanced EDR solutions that can detect and block malicious behaviors associated with ransomware, such as the rapid encryption of files or the deletion of shadow copies, rather than relying solely on signature-based antivirus.
  6. Employee Security Training: Conduct regular training to help employees recognize and report phishing attempts. A vigilant workforce serves as a critical first line of defense against attacks that rely on social engineering.

The rise of politically motivated ransomware groups like Bearlyfy demonstrates that the line between hacktivism and advanced persistent threats is blurring. Their campaigns are not just about financial gain; they are a form of digital warfare aimed at causing chaos and damage. Proactive defense and resilience are the only effective counters to this destructive trend.


// FAQ

What is Bearlyfy?

Bearlyfy, also known as Labubu, is a pro-Ukrainian threat group that emerged in early 2025. It is ideologically motivated to conduct cyber attacks against Russian companies to cause economic and operational damage. The group has evolved from simple hacktivism to deploying sophisticated, custom-built ransomware.

What makes GenieLocker ransomware different from other strains?

GenieLocker is considered a 'dual-purpose' ransomware. Unlike most ransomware that is purely for financial extortion, GenieLocker also exfiltrates large amounts of sensitive data before encryption. This allows the attackers to threaten victims with public data leaks, aligning with their politically motivated goal of causing maximum damage and public embarrassment, not just collecting a ransom.

Are companies outside of Russia at risk from Bearlyfy?

Currently, Bearlyfy's targeting appears to be exclusively focused on Russian entities. However, the tools and techniques they use could be copied by other groups with different motivations. Furthermore, cyber attacks in a conflict zone can sometimes have unintended spillover effects, potentially impacting multinational corporations with operations in the region or shared service providers.

Should a victim of GenieLocker pay the ransom?

Paying the ransom is highly discouraged by cybersecurity experts and law enforcement agencies. With politically motivated groups like Bearlyfy, there is no guarantee that a decryption key will be provided. The primary goal is disruption, not business. Paying a ransom may also fund further malicious activities and does not solve the threat of the exfiltrated data being leaked.

