Bearlyfy hits Russian firms with custom GenieLocker ransomware

April 1, 2026 | 6 min read | 1 source

Introduction: A new front in the cyber war

Since its emergence in January 2025, a pro-Ukrainian threat group known as Bearlyfy has escalated its operations against Russian interests, culminating in a high-impact campaign leveraging a custom ransomware strain dubbed GenieLocker. Security researchers have attributed over 70 distinct cyber attacks to the group, also tracked as Labubu, marking a significant evolution from disruptive hacktivism to sophisticated, destructive cybercrime.

Bearlyfy operates with a clear ideological motive: to inflict maximum damage on the Russian economy and corporate infrastructure. The group’s recent adoption of ransomware signals a strategic shift, combining the financial disruption of data encryption with the potential for politically motivated data leaks. This analysis examines the technical underpinnings of GenieLocker, its impact on targeted organizations, and the defensive measures necessary to counter this evolving threat.

Technical analysis of the GenieLocker campaign

The success of the GenieLocker campaign hinges on a multi-stage attack chain that demonstrates the group's growing capabilities. Bearlyfy’s tactics, techniques, and procedures (TTPs) blend common attack vectors with custom tooling designed for evasion and widespread damage.

GenieLocker's operational mechanics

Once inside a network, Bearlyfy deploys GenieLocker, a custom Windows ransomware variant. Unlike purely financially motivated ransomware, GenieLocker is part of a campaign from a group described as “dual-purpose” and aimed at inflicting maximum damage upon Russian businesses. This suggests the attacks are designed for widespread disruption beyond simple data encryption.

After encryption, a ransom note is dropped in each affected directory. The note typically contains a politically charged message alongside instructions for contacting the attackers, usually through a secure messaging platform or a dark web portal.

Impact assessment

The Bearlyfy campaign has had a significant and direct impact on the Russian business sector. The targeting of over 70 companies across various industries—including manufacturing, logistics, and technology—suggests a strategy aimed at creating widespread economic disruption rather than targeting a single high-value entity.

For the affected organizations, the consequences are severe:

  • Operational Downtime: The encryption of critical systems leads to an immediate halt in business operations, causing substantial financial losses for every hour of downtime.
  • Data Loss and Extortion: With the dual threat of permanent data loss and public exposure of exfiltrated information, victims are placed in a difficult position. Even if backups are available, the threat of leaking sensitive corporate data, intellectual property, or customer information remains.
  • Reputational Damage: Successful cyber attacks and subsequent data leaks erode trust among customers, partners, and investors, leading to long-term reputational harm.

The broader impact extends to the Russian economy, potentially disrupting supply chains and undermining confidence in the country's cybersecurity posture. This campaign highlights the vulnerability of enterprises in a heightened geopolitical conflict, where they become direct targets for ideologically motivated threat actors.

How to protect yourself

Defending against threats like GenieLocker requires a multi-layered security strategy focused on hardening defenses and preparing for incident response. Organizations should prioritize the following actions:

  1. Aggressive Patch Management: Many ransomware campaigns rely on exploiting known vulnerabilities. Organizations must implement a strict patch management program to ensure all internet-facing systems, especially VPNs, web servers, and remote desktop services, are updated promptly.
  2. Secure Remote Access: Enforce multi-factor authentication (MFA) on all remote access accounts without exception. Regularly audit accounts and permissions, adhering to the principle of least privilege. Consider using a reliable VPN service with a strong security track record to encrypt traffic and secure connections for remote workers.
  3. Network Segmentation: Divide your network into smaller, isolated segments. This can contain a breach to one area, preventing an attacker from moving laterally to encrypt the entire network. Critical assets should be on the most protected segments.
  4. Immutable Backups: Maintain a comprehensive backup strategy following the 3-2-1 rule (three copies of data, on two different media, with one copy off-site and offline). Immutable or air-gapped backups are essential as they cannot be altered or deleted by ransomware. Regularly test your data restoration process.
  5. Endpoint Detection and Response (EDR): Deploy advanced EDR solutions that can detect and block malicious behaviors associated with ransomware, such as the rapid encryption of files or the deletion of shadow copies, rather than relying solely on signature-based antivirus.
  6. Employee Security Training: Conduct regular training to help employees recognize and report phishing attempts. A vigilant workforce serves as a critical first line of defense against attacks that rely on social engineering.
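To make item 5 concrete, here is an added example (not code from the original article or from any published Bearlyfy or GenieLocker research) of the kind of behavioural logic an EDR or SIEM rule applies: it scans constructed endpoint telemetry for two of the behaviours named above, deletion of volume shadow copies or the backup catalog, and a single process renaming many files to a new extension within a few seconds. The log format, the host and process names, and the `.locked` extension are all assumptions made for this example.

```python
"""Behavioural ransomware detection over sample endpoint telemetry.

Added example, not part of the original article. Log format (assumed):
    <epoch_seconds> <host> <pid> <PROC|FILE> <detail>
PROC detail is the command line; FILE detail is "old_path -> new_path".
"""
import re
from collections import defaultdict, deque

# Constructed sample telemetry: one benign explorer rename, a build tool that
# legitimately changes extensions on two files, two backup-tampering commands,
# and one process renaming six files to a constructed ".locked" extension.
SAMPLE_LOG = r"""
1000 host1 4120 PROC C:\Windows\explorer.exe
1001 host1 4120 FILE C:\Users\a\report.docx -> C:\Users\a\report_final.docx
1002 host1 3300 PROC C:\Tools\build.exe
1003 host1 3300 FILE C:\Build\a.tmp -> C:\Build\a.obj
1004 host1 3300 FILE C:\Build\b.tmp -> C:\Build\b.obj
1005 host1 7788 PROC vssadmin.exe delete shadows /all /quiet
1006 host1 7790 PROC wbadmin delete catalog -quiet
1007 host1 9001 PROC C:\ProgramData\svc.exe
1008 host1 9001 FILE C:\Share\q1.xlsx -> C:\Share\q1.xlsx.locked
1009 host1 9001 FILE C:\Share\q2.xlsx -> C:\Share\q2.xlsx.locked
1009 host1 9001 FILE C:\Share\plan.docx -> C:\Share\plan.docx.locked
1010 host1 9001 FILE C:\Share\notes.txt -> C:\Share\notes.txt.locked
1010 host1 9001 FILE C:\Share\budget.pdf -> C:\Share\budget.pdf.locked
1011 host1 9001 FILE C:\Share\hr.csv -> C:\Share\hr.csv.locked
"""

LOG_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\d+)\s+(PROC|FILE)\s+(.*)$")
FILE_RE = re.compile(r"^(.*?)\s+->\s+(.*)$")

# Command-line patterns for shadow copy / backup catalog removal, a well-known
# precursor to bulk encryption that signature AV alone tends to miss.
SHADOW_COPY_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I),
]


def parse_log(text):
    """Parse telemetry lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, host, pid, kind, detail = m.groups()
            events.append({"ts": int(ts), "host": host, "pid": int(pid),
                           "kind": kind, "detail": detail})
    return events


def detect_shadow_copy_deletion(events):
    """One alert per process launch whose command line matches a pattern."""
    alerts = []
    for ev in events:
        if ev["kind"] == "PROC" and any(p.search(ev["detail"]) for p in SHADOW_COPY_PATTERNS):
            alerts.append({"rule": "shadow_copy_deletion", "host": ev["host"],
                           "pid": ev["pid"], "ts": ev["ts"], "evidence": ev["detail"]})
    return alerts


def _ext(path):
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_rapid_extension_change(events, window=10, threshold=5):
    """Flag a process that renames >= threshold distinct files to a different
    extension within `window` seconds (sliding window per host/pid). Renames
    that keep the extension are ignored, so ordinary edits do not count."""
    alerts, flagged = [], set()
    recent = defaultdict(deque)  # (host, pid) -> deque of (ts, original path)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] != "FILE":
            continue
        m = FILE_RE.match(ev["detail"])
        if not m or _ext(m.group(1)) == _ext(m.group(2)):
            continue
        key = (ev["host"], ev["pid"])
        q = recent[key]
        q.append((ev["ts"], m.group(1)))
        while q and q[0][0] < ev["ts"] - window:
            q.popleft()  # drop renames older than the window
        if len({p for _, p in q}) >= threshold and key not in flagged:
            flagged.add(key)
            alerts.append({"rule": "rapid_extension_change", "host": ev["host"],
                           "pid": ev["pid"], "ts": ev["ts"], "files": len(q)})
    return alerts


def run(text):
    """Apply both rules to raw telemetry and return the combined alert list."""
    events = parse_log(text)
    return detect_shadow_copy_deletion(events) + detect_rapid_extension_change(events)


if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(alert)
```

On the constructed sample this raises two shadow-copy alerts (pids 7788 and 7790) and one rapid-rename alert for pid 9001, while the build tool's two extension changes stay under the threshold. In production the window and threshold would be tuned per environment, and the rename rule would be paired with an entropy check on written content, since a renaming burst alone also matches some archiving and backup tools.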

The rise of politically motivated ransomware groups like Bearlyfy demonstrates that the line between hacktivism and advanced persistent threats is blurring. Their campaigns are not just about financial gain; they are a form of digital warfare aimed at causing chaos and damage. Proactive defense and resilience are the only effective counters to this destructive trend.


FAQ

What is Bearlyfy?

Bearlyfy, also known as Labubu, is a pro-Ukrainian threat group that emerged in early 2025. It is ideologically motivated to conduct cyber attacks against Russian companies to cause economic and operational damage. The group has evolved from simple hacktivism to deploying sophisticated, custom-built ransomware.

What makes GenieLocker ransomware different from other strains?

GenieLocker is considered a 'dual-purpose' ransomware. Unlike most ransomware that is purely for financial extortion, GenieLocker also exfiltrates large amounts of sensitive data before encryption. This allows the attackers to threaten victims with public data leaks, aligning with their politically motivated goal of causing maximum damage and public embarrassment, not just collecting a ransom.

Are companies outside of Russia at risk from Bearlyfy?

Currently, Bearlyfy's targeting appears to be exclusively focused on Russian entities. However, the tools and techniques they use could be copied by other groups with different motivations. Furthermore, cyber attacks in a conflict zone can sometimes have unintended spillover effects, potentially impacting multinational corporations with operations in the region or shared service providers.

Should a victim of GenieLocker pay the ransom?

Paying the ransom is highly discouraged by cybersecurity experts and law enforcement agencies. With politically motivated groups like Bearlyfy, there is no guarantee that a decryption key will be provided. The primary goal is disruption, not business. Paying a ransom may also fund further malicious activities and does not solve the threat of the exfiltrated data being leaked.
