Bearlyfy Targets 70+ Russian Firms with Ransomware
Basically, a hacker group is attacking Russian companies with a new type of ransomware called GenieLocker.
Bearlyfy has struck over 70 Russian firms with its custom GenieLocker ransomware. This group aims for financial gain and sabotage, significantly impacting businesses. Organizations must enhance their defenses to combat this growing threat.
What Happened
Bearlyfy, a pro-Ukrainian hacking group, has been making headlines since January 2025. This group has executed more than 70 cyber attacks against Russian companies, employing a custom ransomware known as GenieLocker. The group aims to inflict maximum damage, blending financial extortion with acts of sabotage. Their recent activities have escalated, with ransom demands reaching as high as €80,000 (approximately $92,100).
Initially documented by Russian security vendor F6 in September 2025, Bearlyfy has evolved from targeting smaller firms to major enterprises. Their tactics have shifted towards using a proprietary ransomware family, GenieLocker, which began targeting Windows endpoints in March 2026. This evolution highlights the group's increasing sophistication and ambition.
Who's Being Targeted
Bearlyfy's targets primarily include Russian businesses, which have become the focus of their cyber warfare. The group has been particularly aggressive, using rapid-fire attacks that require minimal preparation. This approach allows them to quickly encrypt data and demand ransoms without generating automated ransom notes. Instead, they communicate directly with victims, applying psychological pressure to encourage payment.
The group’s operations suggest a strategic approach to inflicting economic harm on Russian companies, aligning with their pro-Ukrainian stance. As they gain notoriety, the potential for further attacks increases, raising alarms among cybersecurity experts.
Signs of Infection
Victims of Bearlyfy's attacks often experience sudden data encryption and ransom demands. The GenieLocker ransomware is designed to encrypt files on infected Windows systems, rendering them inaccessible. Early signs of infection may include:
- Unusual system slowdowns
- Inability to access certain files or folders
- Notifications or messages demanding ransom payments
Organizations should be vigilant, as the group exploits vulnerable applications and external services to gain initial access. The use of tools like MeshAgent for remote access further complicates detection and response efforts.
How to Protect Yourself
To safeguard against Bearlyfy and similar ransomware threats, organizations should adopt a multi-layered security strategy. Here are some recommended actions:
- Regularly update software to patch vulnerabilities.
- Implement robust backup solutions to ensure data recovery without paying ransoms.
- Educate employees about phishing and other social engineering tactics.
- Monitor network traffic for unusual activity that could indicate a breach.
By taking proactive measures, businesses can enhance their resilience against ransomware attacks and reduce the likelihood of falling victim to groups like Bearlyfy. As the threat landscape evolves, staying informed and prepared is essential for effective cybersecurity.
The Hacker News