Netcrook


Inside Bearlyfy: The Ukrainian Hackers Waging a Ransomware War on Russian Businesses

Published: 27 March 2026 11:36 | Category: Ransomware & Extortion | Geo: Europe | Author: TRUSTBREAKER

Subtitle: Pro-Ukrainian cybercriminals escalate attacks on Russian firms with their own GenieLocker ransomware, leaving devastation and fear in their wake.

It began as a whisper on dark web forums: a new group, Bearlyfy, targeting Russian companies with a vengeance. In just over a year, that whisper has become a roar. Russian businesses, from small enterprises to major players, now face a relentless, unpredictable adversary wielding custom ransomware and a taste for both chaos and cash. The result? A rising tide of encrypted data, shattered systems, and ransom demands that climb as high as the stakes in this digital conflict.

Bearlyfy, also known by the alias Labubu, emerged in early 2025 and has since become one of the most prolific pro-Ukrainian hacker groups on the Russian threat landscape. Unlike traditional ransomware gangs that focus solely on profit, Bearlyfy pursues a dual mission: draining financial resources from Russian businesses while inflicting maximum operational disruption, an unmistakable blend of extortion and sabotage.

The Russian cybersecurity firm F6 first tracked Bearlyfy’s activities in September 2025, noting their early use of well-known ransomware strains like LockBit 3 (Black) and Babuk. The group initially targeted smaller companies, but quickly scaled up their operations, with ransom notes demanding as much as €80,000 (about $92,100) and, more recently, even higher sums.

By mid-2025, Bearlyfy’s playbook expanded: they began deploying a modified version of PolyVice, a ransomware linked to the notorious Vice Society group. This marked a shift toward more sophisticated attacks, leveraging third-party malware families like Hello Kitty, Zeppelin, RedAlert, and Rhysida. Analysis has also revealed operational overlaps with other pro-Ukrainian groups, including PhantomCore and Head Mare, suggesting a loosely coordinated campaign against Russian and Belarusian targets.

What sets Bearlyfy apart is their attack methodology. They gain initial access by exploiting vulnerable internet-facing services or applications, then install remote access tools such as MeshAgent to keep control of compromised hosts while they encrypt, destroy, or alter data. Unlike the slow, stealthy style of groups like PhantomCore, Bearlyfy strikes fast and hard, prioritizing rapid encryption over lengthy reconnaissance. Notably, they break with ransomware tradition: instead of relying on the template note generated by the ransomware they deploy, Bearlyfy writes its own, often using psychological pressure to push victims into paying.
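The sequence described above (an exposed service is exploited, a commodity remote access agent such as MeshAgent is dropped, encryption follows quickly) leaves a detectable seam: a remote-access binary appearing on a host where IT never sanctioned it, or being spawned by a web-server worker process. The following hunt script is an added example and is not code from the article, from F6, or from Bearlyfy. The event lines are constructed to resemble process-creation telemetry (Sysmon Event ID 1 style fields) and are not real intrusion data; the tool names beyond MeshAgent, the web-facing parent list, and the sanctioned-host inventory are assumptions you would replace with your own.

```python
"""Hunt process-creation events for remote-access tools launched outside policy.

Added example: flags a remote-access agent (e.g. MeshAgent) that is either not
sanctioned for the host it runs on, or was spawned by an internet-facing
service process, which is the exploit-then-drop-RAT chain described above.
"""
import json
from dataclasses import dataclass

# Assumption: default binary names of MeshAgent and two other common remote
# access agents. Only MeshAgent is named in the article; extend for your estate.
RAT_IMAGES = {"meshagent.exe", "anydesk.exe", "rustdesk.exe"}

# Assumption: worker processes of internet-exposed services. A remote-access
# agent whose parent is one of these was most likely dropped via exploitation,
# not installed by an administrator.
WEB_FACING_PARENTS = {"w3wp.exe", "httpd.exe", "nginx.exe", "java.exe",
                      "php-cgi.exe", "tomcat9.exe"}

# Hypothetical IT inventory: (hostname, tool) pairs where the tool is approved.
SANCTIONED = {("helpdesk-01", "meshagent.exe")}


@dataclass
class Finding:
    host: str
    image: str
    parent: str
    reasons: list


def _basename(path: str) -> str:
    """Lower-case file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(event_lines):
    """Return a Finding for every remote-access tool launch that breaks policy.

    Each element of event_lines is one JSON document with at least the fields
    Computer, Image and (optionally) ParentImage.
    """
    findings = []
    for raw in event_lines:
        ev = json.loads(raw)
        image = _basename(ev["Image"])
        if image not in RAT_IMAGES:
            continue  # not a remote-access agent, nothing to check
        parent = _basename(ev.get("ParentImage", ""))
        reasons = []
        if (ev["Computer"].lower(), image) not in SANCTIONED:
            reasons.append("remote-access tool not sanctioned for this host")
        if parent in WEB_FACING_PARENTS:
            reasons.append(f"spawned by internet-facing service process {parent}")
        if reasons:
            findings.append(Finding(ev["Computer"], image, parent, reasons))
    return findings


# Constructed sample telemetry (not real data). Raw strings keep the JSON
# backslash escapes intact so json.loads yields ordinary Windows paths.
SAMPLE_EVENTS = [
    # Sanctioned MeshAgent started by the service controller: no finding.
    r'{"Computer": "helpdesk-01", "Image": "C:\\Program Files\\Mesh Agent\\MeshAgent.exe", "ParentImage": "C:\\Windows\\System32\\services.exe"}',
    # MeshAgent dropped into Temp by an IIS worker on a web server: two reasons.
    r'{"Computer": "web-01", "Image": "C:\\Windows\\Temp\\MeshAgent.exe", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe"}',
    # Unsanctioned AnyDesk launched interactively on a file server: one reason.
    r'{"Computer": "fileserver-02", "Image": "C:\\Users\\Public\\anydesk.exe", "ParentImage": "C:\\Windows\\explorer.exe"}',
    # Ordinary system process: ignored.
    r'{"Computer": "ws-17", "Image": "C:\\Windows\\System32\\svchost.exe", "ParentImage": "C:\\Windows\\System32\\services.exe"}',
]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host}: {f.image} (parent {f.parent}) -> {'; '.join(f.reasons)}")
```

Because the group moves to encryption quickly, the value of this check is in its latency: run it against streaming process-creation events rather than a daily batch, and treat the "spawned by internet-facing service" reason as a page-out, not a ticket.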

The most significant evolution yet came in March 2026. Bearlyfy unveiled a proprietary ransomware, GenieLocker, built for Windows systems and inspired by the encryption techniques of the Venus and Trinity families. Now the group controls every aspect of the attack, from infection to negotiation, and their ransom demands have escalated into the hundreds of thousands of dollars. F6's data shows that despite the risks, around one in five victims capitulates to these demands, fueling further attacks in this ongoing cyber war.

Bearlyfy's meteoric rise is a stark warning: the lines between hacktivism, cybercrime, and geopolitical conflict are blurring. As their tactics evolve and their ambitions grow, Russian businesses, and the wider cybersecurity world, must brace for a new era of digital warfare in which no sector is truly safe.

WIKICROOK

  • Ransomware: Ransomware is malicious software that encrypts or locks data, demanding payment from victims to restore access to their files or systems.
  • Initial Access: Initial Access is the method or vulnerability attackers use to gain their first entry into a target’s network or system, starting a cyberattack.
  • Remote Access Tool: A Remote Access Tool lets users control computers over the internet, helpful for IT support but also a favourite of attackers, who install it to keep control of a compromised host.
  • Encryption Scheme: An encryption scheme is a method that scrambles data into unreadable code, ensuring only authorized users can access the original information.
  • APT (Advanced Persistent Threat): An Advanced Persistent Threat (APT) is a long-term, targeted cyberattack by skilled groups, often state-backed, aiming to steal data or disrupt operations.