Ethical Hacking News

Bearlyfy's GenieLocker Ransomware: A Sophisticated Threat to Russian Businesses



In a significant escalation, Bearlyfy has deployed a custom Windows ransomware strain called GenieLocker in its attacks on Russian companies, raising concerns about the growing sophistication of this pro-Ukrainian hacking group. According to F6, more than 70 cyber attacks are attributed to the group, which has evolved from an unsophisticated outfit into a formidable threat to Russian businesses. Stay tuned for more updates on this emerging threat landscape.

  • Bearlyfy, a pro-Ukrainian hacking group, has been attributed to over 70 cyber attacks targeting Russian companies since its emergence in January 2025.
  • The group's activities have escalated significantly, with recent attacks leveraging a custom Windows ransomware strain codenamed GenieLocker.
  • Bearlyfy has collaborated with other groups like PhantomCore and Head Mare, adding depth to its modus operandi.
  • The group uses a proprietary ransomware family called GenieLocker, inspired by Venus/Trinity ransomware families.
  • Bearlyfy's attacks are characterized by rapid-fire execution, minimal preparation, and swift data encryption.
  • The group relies on ransom notes written by the attackers themselves rather than generated by the ransomware, deviating from traditional ransomware strategies.
  • Bearlyfy's activities highlight the evolving landscape of cyber threats, emphasizing the importance of staying vigilant in response to emerging risks.



    Bearlyfy, a pro-Ukrainian hacking group, has been attributed to over 70 cyber attacks targeting Russian companies since its emergence in the threat landscape in January 2025. The group's activities have escalated significantly, with recent attacks leveraging a custom Windows ransomware strain codenamed GenieLocker. This article delves into the details of Bearlyfy's modus operandi, its evolution over time, and the implications for Russian businesses.

    In September 2025, F6, a Russian security vendor, first documented Bearlyfy as leveraging encryptors associated with LockBit 3 (Black) and Babuk. The group's early intrusions focused on smaller companies before upping the ante and demanding ransoms of €80,000 (approximately $92,100). By August 2025, Bearlyfy had claimed at least 30 victims.

    Beginning in May 2025, Bearlyfy actors utilized a modified version of PolyVice, a ransomware family attributed to Vice Society (aka DEV-0832 or Vanilla Tempest). This was a significant shift in the group's tactics, as it leveraged a previously known ransomware family. Further analysis of the threat actor's toolset and infrastructure revealed overlaps with PhantomCore, another group believed to be operating with Ukrainian interests in mind.

    PhantomCore has been known to attack Russian and Belarusian companies since 2022. Bearlyfy is also said to have collaborated with Head Mare, adding depth to its modus operandi. The group's attacks typically involve exploiting external services and vulnerable applications to gain initial access. Once inside, the operators drop tools like MeshAgent to establish remote access and then encrypt, destroy, or modify data.

    In contrast, PhantomCore conducts APT-style campaigns, focusing on reconnaissance, persistence, and data exfiltration. Bearlyfy's attacks, on the other hand, are characterized by rapid-fire execution with minimal preparation and swift data encryption. Another distinctive feature of these attacks is that ransom notes are not generated by the ransomware software itself but are instead crafted directly by the attackers.

    Bearlyfy's use of a proprietary ransomware family called GenieLocker has been notable since its introduction in March 2026. This custom strain of Windows ransomware is inspired by the Venus/Trinity ransomware families. The move to GenieLocker has coincided with a further escalation of the group's initial ransom demands, which some reports say have reached hundreds of thousands of dollars.

    One of the most striking aspects of Bearlyfy's modus operandi is that its ransom notes are written by the attackers rather than generated by the ransomware. This approach deviates from traditional ransomware strategies, where attackers typically rely on the ransomware software to generate messages for victims. Instead, Bearlyfy opts for its own methods, sharing contact details or elaborate messages that seek to exert psychological pressure and force victims into paying up.

    F6 has noted that in its early stages, Bearlyfy members demonstrated a lack of sophistication. Within a single year, however, the group has evolved into a formidable threat for Russian businesses, including major enterprises. Rapid-fire attacks with minimal preparation have become its hallmark characteristics, with F6 describing the result as a "veritable nightmare" for Russian companies.

    Bearlyfy's activities highlight the evolving landscape of cyber threats and the importance of staying vigilant in response to emerging risks. As the threat actor continues to adapt and evolve, it is essential that organizations remain proactive in defending against such attacks.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Bearlyfys-GenieLocker-Ransomware-A-Sophisticated-Threat-to-Russian-Businesses-ehn.shtml
  • https://thehackernews.com/2026/03/bearlyfy-hits-70-russian-firms-with.html
  • https://netcrook.com/bearlyfy-custom-ransomware-russia/


  • Published: Fri Mar 27 05:35:48 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.