Bearlyfy deploys custom GenieLocker ransomware as attacks on Russian firms pass 70


Bearlyfy, a pro-Ukraine hacking group also known as Labubu, has carried out more than 70 attacks against Russian companies since January 2025, according to Russian cybersecurity firm F6. The group’s latest shift matters because it now uses its own Windows ransomware, GenieLocker, instead of relying only on recycled lockers from other crews.

F6 says Bearlyfy blends cybercrime with sabotage. In its view, the group attacks Russian businesses both to make money and to cause damage. That dual role makes the crew stand out from ordinary ransomware groups that focus only on extortion.

The new malware marks a clear escalation. Since March 2026, F6 says Bearlyfy has used self-developed ransomware in its operations, with GenieLocker targeting Windows systems. The company says the malware’s encryption scheme and some of its technical ideas appear borrowed from the Venus and Trinity ransomware families.

From small targets to larger payouts

Bearlyfy did not start out as a top-tier operation. The Record, citing F6, says the group initially targeted smaller Russian businesses and showed limited skill in its early campaigns. Over time, though, the group became more dangerous and started demanding far larger sums.

F6 says initial ransom demands now reach hundreds of thousands of dollars. The firm also estimates that about one in five victims ends up paying. That payment rate helps explain why the group has kept growing and refining its playbook.

Earlier in its run, Bearlyfy used LockBit 3 Black, a modified Babuk strain, and later a lightly modified PolyVice variant linked to the Vice Society ecosystem. F6 says that changed in early March, when the group began bringing its own ransomware into attacks.

What makes GenieLocker notable

F6 says GenieLocker does not follow the usual ransomware pattern in every case. Instead of always generating ransom notes automatically, the attackers often deliver their own messages through other methods. Those notes can be short and practical, or longer and more taunting in tone.

That detail matters because it suggests the operators want tighter control over victim pressure. Manual note delivery also fits F6’s broader description of Bearlyfy as a fast-moving crew that combines crude disruption with improving technical skill.

F6 says the group has also worked with more experienced pro-Ukraine actors, including Head Mare, while maintaining its own style. The company adds that Bearlyfy’s development over the past year has turned it into what it calls a nightmare for Russian businesses, including large enterprises.

Bearlyfy at a glance

Item: Verified detail
Group name: Bearlyfy, also known as Labubu
First seen: January 2025
Claimed scale: More than 70 attacks on Russian companies
Current ransomware: GenieLocker for Windows since March 2026
Earlier lockers used: LockBit 3 Black, modified Babuk, modified PolyVice
Estimated victim payment rate: About 20%
Motive described by F6: Extortion plus sabotage

Why this campaign matters

Bearlyfy’s rise shows how quickly a mid-tier ransomware actor can mature when it keeps attacking in a conflict-driven environment. F6 says the group moved from rough experimentation to self-developed tooling in roughly a year. That pace makes the campaign worth watching even outside Russia.

The case also shows how blurry the line has become between politically aligned hacking and straight criminal extortion. The Record says F6 views Bearlyfy as pursuing both financial and political goals at once, which makes victimology and intent harder to predict.

At this stage, the strongest public sourcing still comes from F6’s own research and reporting based on it. I did not find a public government advisory or law enforcement statement on Bearlyfy matching the level of technical detail in F6’s March 25 release.

Key takeaways

  • Bearlyfy has grown from a rough ransomware crew into a more capable operator in about one year.
  • The group now uses custom Windows ransomware called GenieLocker.
  • F6 says the crew mixes sabotage goals with extortion.
  • Initial ransom demands now reach hundreds of thousands of dollars.
  • Roughly one in five victims reportedly pays.

FAQ

Who is Bearlyfy?

Bearlyfy is a pro-Ukraine hacking group, also known as Labubu, that F6 says has targeted Russian companies since January 2025.

What is GenieLocker?

GenieLocker is a custom Windows ransomware strain that F6 says Bearlyfy started using in March 2026. The firm says its encryption design appears influenced by the Venus and Trinity ransomware families.

How many companies has Bearlyfy hit?

F6 says the group has carried out more than 70 attacks against Russian companies.

Does Bearlyfy only want ransom payments?

No. F6 says the group combines financial extortion with sabotage, aiming to inflict damage on Russian businesses while also making money.
