A pro-Ukraine hacking group has intensified its cyber operations against Russian businesses, deploying a newly developed ransomware strain to maximize disruption and financial gain. The group, known as Bearlyfy, has rapidly evolved into a serious threat actor since emerging in early 2025.
Rapid Rise of a Dual-Purpose Threat Actor
Since its appearance, Bearlyfy has been linked to more than 70 attacks on organizations across Russia. The group pursues two goals at once: financial extortion and strategic sabotage.
Security analysts note that Bearlyfy initially targeted smaller companies and gradually shifted toward larger enterprises while raising its ransom demands. Early attacks used known ransomware families such as LockBit 3.0 and Babuk, with demands reaching tens of thousands of euros.
Expanding Arsenal and Partnerships
Over time the group expanded its toolkit with a modified build of PolyVice. That ransomware codebase has previously been used to produce several strains, including HelloKitty, Zeppelin, RedAlert and Rhysida.
Investigations also revealed operational overlaps with PhantomCore, a group that has targeted Russian and Belarusian entities since 2022. Bearlyfy has also reportedly collaborated with Head Mare, further strengthening its attack capabilities.
Attack Methods and Execution
Bearlyfy typically gains initial access by exploiting vulnerable internet-facing services and applications. Once inside, the attackers deploy MeshAgent, the open-source remote-management agent from the MeshCentral project, to establish remote control over compromised systems. Because MeshAgent is a legitimate tool that many IT teams run, its mere presence is not an alert; an instance that IT did not install, or one launched from a web-server process or a user-writable directory, is the signal worth hunting for.
Unlike more sophisticated advanced persistent threat (APT) operations, Bearlyfy prioritizes speed. Its intrusions involve minimal preparation followed by rapid encryption of data, leaving victims little time to respond.
Another unusual trait is that the malware does not drop ransom notes automatically. Instead, the attackers contact victims directly and apply psychological pressure to push them into paying.
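Since the reported tradecraft is "exploit an exposed service, then drop MeshAgent", the first question for a defender is whether any MeshAgent instance on the estate was not installed by IT. The following Python hunt is an added example, not code from the article or from any vendor report; it runs over a few constructed Sysmon-style process-creation records embedded in the block. The approved install path, the hostnames and the list of web-server parent processes are assumptions for illustration, and the `OriginalFileName` check relies on the fact that Sysmon Event ID 1 copies that field from the PE version resource, so renaming the binary does not change it.

```python
"""
Hunt for MeshAgent instances that IT did not deploy.

Added example (not from the article). Assumptions, labelled as such:
  - process-creation events carry Sysmon-style fields (Image, OriginalFileName,
    ParentImage, Computer);
  - the MeshAgent binary is MeshAgent.exe;
  - APPROVED_DIRS is the hypothetical path IT uses for sanctioned installs;
  - WEB_SERVER_PARENTS is an illustrative list of web-facing parent processes.
"""
from dataclasses import dataclass

# Hypothetical sanctioned install location; adjust to your own deployment.
APPROVED_DIRS = ("c:\\program files\\mesh agent\\",)

# Parents that should never spawn a remote-management agent: a web server
# launching MeshAgent points at exploitation of the exposed service.
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat9.exe",
                      "java.exe", "php-cgi.exe"}


@dataclass(frozen=True)
class Finding:
    host: str
    reason: str
    image: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt_meshagent(events):
    """Return a list of Findings for MeshAgent executions that look unsanctioned."""
    findings = []
    for ev in events:
        image = ev.get("Image", "")
        original = ev.get("OriginalFileName", "").lower()
        parent = _basename(ev.get("ParentImage", ""))
        host = ev.get("Computer", "?")

        # Match on the real file name OR on the PE OriginalFileName, so a
        # MeshAgent.exe renamed to svchost.exe is still caught.
        if _basename(image) != "meshagent.exe" and original != "meshagent.exe":
            continue

        if _basename(image) != "meshagent.exe":
            findings.append(Finding(host, "renamed MeshAgent (OriginalFileName mismatch)", image))
        elif not image.lower().startswith(APPROVED_DIRS):
            findings.append(Finding(host, "MeshAgent outside approved install path", image))

        if parent in WEB_SERVER_PARENTS:
            findings.append(Finding(host, f"MeshAgent spawned by web server process {parent}", image))
    return findings


# Constructed sample events (not real telemetry); hostnames are invented.
SAMPLE_EVENTS = [
    {   # renamed agent dropped via an IIS worker: exploit -> agent pattern
        "Computer": "SRV-WEB01", "Image": "C:\\Windows\\Temp\\svchost.exe",
        "OriginalFileName": "MeshAgent.exe",
        "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
    },
    {   # sanctioned install started by the Service Control Manager
        "Computer": "WS-042", "Image": "C:\\Program Files\\Mesh Agent\\MeshAgent.exe",
        "OriginalFileName": "MeshAgent.exe",
        "ParentImage": "C:\\Windows\\System32\\services.exe",
    },
    {   # agent run from a world-writable directory by an interactive shell
        "Computer": "SRV-ERP02", "Image": "C:\\Users\\Public\\MeshAgent.exe",
        "OriginalFileName": "MeshAgent.exe",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
    },
    {   # unrelated process, must not match
        "Computer": "WS-007", "Image": "C:\\Windows\\System32\\notepad.exe",
        "OriginalFileName": "notepad.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
    },
]


if __name__ == "__main__":
    for f in hunt_meshagent(SAMPLE_EVENTS):
        print(f"{f.host}: {f.reason} -> {f.image}")
```

Run against the embedded sample set, the hunt reports three findings on two hosts and stays silent on the sanctioned install. In production the same logic maps directly onto a SIEM query over Sysmon Event ID 1 (or 4688 with command-line auditing); keep the approved-path allow-list short and owned by whoever actually deploys MeshCentral, or the rule decays into noise.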
Introduction of GenieLocker Ransomware
A major shift in Bearlyfy's operations came in March 2026 with the introduction of GenieLocker, a proprietary ransomware built specifically for Windows systems.
GenieLocker's encryption scheme borrows from established ransomware families such as Venus and Trinity, indicating a move toward more customized and capable attack tooling.
This transition marks a significant upgrade in the group’s technical capabilities and operational maturity.
Financial Impact and Victim Response
According to available data, roughly 20 percent of victims pay the ransom. Initial demands have risen sharply over time and now reach hundreds of thousands of dollars in some cases.
This demonstrates that Bearlyfy’s operations are not only disruptive but also financially successful, enabling the group to sustain and expand its activities.
Evolution into a Major Cyber Threat
Within just a year, Bearlyfy has transformed from a relatively inexperienced group into a highly effective cybercriminal organization. Its ability to adapt, collaborate, and develop custom malware has made it a significant concern for Russian businesses, including large enterprises.