PROBABLYPWNED
Threat Intelligence | March 29, 2026 | 4 min read

Pro-Ukraine Group Bearlyfy Deploys Custom GenieLocker Ransomware

Bearlyfy has hit 70+ Russian companies since January 2025, now deploying custom GenieLocker ransomware. The group blends financial extortion with politically motivated sabotage.

Alex Kowalski

A pro-Ukrainian threat group called Bearlyfy has been attributed to more than 70 cyberattacks against Russian businesses since emerging in January 2025. The group recently shifted to deploying a custom ransomware strain called GenieLocker, marking an evolution from its earlier reliance on leaked ransomware builders.

Who Is Bearlyfy

Bearlyfy (also tracked as Labuib) operates as a dual-purpose group pursuing both financial gain and political sabotage. According to research from F6, a Russian cybersecurity firm, approximately one in five victims pay the demanded ransom—a relatively high success rate that has encouraged escalation.

The group's early operations targeted smaller Russian businesses with modest demands in the thousands of dollars. By March 2026, Bearlyfy had pivoted to larger enterprises with ransoms reaching hundreds of thousands of dollars. This trajectory mirrors the maturation pattern seen in other ransomware operations, though Bearlyfy's ideological motivations distinguish it from purely profit-driven groups.

Researchers have identified collaboration between Bearlyfy and established pro-Ukrainian threat actors including Head Mare and PhantomCore, suggesting shared infrastructure or operational coordination within Ukraine-aligned hacking circles.

GenieLocker: A Custom Tool

Since early March 2026, Bearlyfy has deployed GenieLocker, a Windows ransomware strain built in-house rather than derived from leaked source code. The malware's encryption scheme draws inspiration from the Venus and Trinity ransomware families, though the implementation appears original.

One distinctive characteristic: GenieLocker doesn't automatically generate ransom notes. Instead, operators craft messages manually after encryption completes. Some notes contain straightforward payment instructions with contact details. Others mock the victim company directly—a psychological tactic that reinforces the political dimension of these attacks.

Before developing GenieLocker, Bearlyfy relied heavily on publicly available tools:

  • LockBit 3 (Black) encryptors built from the 2022 leaked builder
  • Modified Babuk ransomware for Linux systems, based on source code leaked in 2021
  • PolyVice, a Vice Society variant deployed since May 2025
  • Various third-party lockers including Hello Kitty, Zeppelin, RedAlert, and Rhysida

The shift to proprietary tooling suggests growing technical capability and a desire to avoid detection signatures associated with known ransomware families.

Attack Patterns

Bearlyfy gains initial access primarily through exploitation of external-facing applications and services. Post-compromise activity focuses on rapid encryption, data destruction, and modification rather than the extended reconnaissance typical of nation-state APT operations.

The group uses MeshAgent for remote access facilitation, enabling persistent control over compromised networks. Unlike ransomware-as-a-service operations that maintain standardized playbooks, Bearlyfy's approach appears more opportunistic—taking what access is available and moving quickly to impact.
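Defenders can turn the MeshAgent observation into a hunt rule: flag remote-management agent activity on hosts where no such tool is approved, and add context (install path, spawning process) to the finding. The following is an added example, not code from the F6 research; the indicator strings, the approved-host list and the sample events are all assumptions constructed for illustration.

```python
# Hypothetical hunt helper (added example, not from the original report): flag
# MeshAgent-style remote-access tooling on hosts where no RMM agent is approved.
# Indicator strings below are assumptions for a typical MeshCentral deployment,
# not published IoCs; tune them to your own telemetry.
MESH_INDICATORS = ("meshagent.exe", "mesh agent")

# Hosts where a remote-management agent is legitimately deployed (assumed list).
APPROVED_RMM_HOSTS = {"it-jumpbox01"}

# Constructed sample records in a flattened Sysmon/EDR-like shape.
SAMPLE_EVENTS = [
    {"host": "it-jumpbox01", "event": "process_create",
     "image": r"C:\Program Files\Mesh Agent\MeshAgent.exe", "parent": "services.exe"},
    {"host": "fileserver02", "event": "process_create",
     "image": r"C:\Users\Public\MeshAgent.exe", "parent": "cmd.exe"},
    {"host": "fileserver02", "event": "service_install",
     "name": "Mesh Agent", "path": r"C:\Users\Public\MeshAgent.exe"},
    {"host": "hr-laptop07", "event": "process_create",
     "image": r"C:\Windows\System32\svchost.exe", "parent": "services.exe"},
]


def is_mesh_artifact(ev):
    """True if any field of the event carries a MeshAgent indicator string."""
    haystack = " ".join(str(v) for v in ev.values()).lower()
    return any(ind in haystack for ind in MESH_INDICATORS)


def triage(events):
    """Return (host, event_type, reasons) for unapproved remote-access agent activity.

    Approved RMM hosts are skipped (inventory them separately); everything else
    gets a base finding plus contextual reasons that raise analyst priority.
    """
    findings = []
    for ev in events:
        if not is_mesh_artifact(ev) or ev["host"] in APPROVED_RMM_HOSTS:
            continue
        reasons = ["remote-access agent on non-approved host"]
        path = (ev.get("image") or ev.get("path") or "").lower()
        if "\\program files" not in path:
            reasons.append("agent outside Program Files")
        if ev.get("parent", "").lower() in ("cmd.exe", "powershell.exe"):
            reasons.append("spawned from a shell")
        findings.append((ev["host"], ev["event"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for host, kind, why in triage(SAMPLE_EVENTS):
        print(f"{host} [{kind}]: {why}")
```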

Why Western Visibility Is Limited

Most reporting on Bearlyfy comes from Russian cybersecurity firms. Western researchers have limited visibility into Russian corporate networks, which explains why a group with 70+ claimed victims hasn't received significant coverage in English-language threat intelligence.

This information asymmetry matters. Organizations tracking the Russia-Ukraine conflict's cyber dimension often focus on Russian actors targeting Ukrainian and Western infrastructure. Attacks flowing in the opposite direction—Ukrainian-aligned groups targeting Russian businesses—receive less attention despite representing a significant and growing threat category.

For context on how ransomware operations evolve and how to defend against them, see our ransomware defense guide. The Yanluowang ransomware broker case we covered recently illustrates how ransomware ecosystems operate across borders, though Bearlyfy's political motivations create a different operational dynamic than purely criminal operations.

Implications for the Broader Landscape

Bearlyfy demonstrates that ransomware isn't exclusively a criminal enterprise. Politically motivated groups can adopt the same tools and techniques, blurring the line between hacktivism and cybercrime. The group's willingness to reinvest ransom payments into developing custom malware suggests a sustainable operation rather than a short-term campaign.

For organizations monitoring geopolitical cyber threats, Bearlyfy represents an escalation pattern worth watching. Groups that start with leaked tools and modest targets frequently mature into more capable operations—and Bearlyfy's trajectory over the past 14 months follows exactly that arc.

The group's victims are exclusively Russian, limiting direct risk to Western organizations. But the techniques, infrastructure, and operational models developed in this conflict will likely proliferate. Custom ransomware strains have a way of appearing in unexpected contexts once their effectiveness is proven.

For more on threat actor tracking and the evolving ransomware ecosystem, visit our ransomware news coverage.
