A pro-Ukrainian hacktivist group operating under the name Bearlyfy has carried out more than 70 cyberattacks against Russian companies over the past year and is now escalating its campaign with a newly developed, purpose-built ransomware strain, according to security researchers tracking the group's operations. The campaign represents a notable evolution for hacktivist collectives in the Russia-Ukraine conflict, as the group transitions from deploying repurposed leaked ransomware tools to operating its own custom-developed malware.
Group Background and Evolution
Bearlyfy first emerged in early 2025 as a relatively low-profile hacktivist operation, initially targeting smaller Russian businesses with more opportunistic intrusions. The group has progressively professionalised its operations over the past 14 months.
Operational phases:
- Early 2025 (Emergence): Initial attacks leveraging publicly leaked ransomware builders including a modified version of LockBit 3 Black and adapted Babuk variants — tools freely available in cybercriminal forums and requiring minimal technical expertise to weaponise
- Mid-2025 (Escalation): Collaboration with the established pro-Ukraine group Head Mare, sharing access and tooling; attacks began incorporating psychologically crafted ransom notes designed to mock Russian corporate victims with references to the ongoing conflict
- Q1 2026 (Weaponisation): Debut of GenieLocker, a Windows ransomware strain developed entirely in-house, signalling a significant investment in capability development
GenieLocker: Custom-Built Ransomware
GenieLocker represents the most significant operational development for Bearlyfy to date. Unlike the group's earlier reliance on leaked RaaS builders — which carry the risk of detection by security vendors already familiar with the underlying code — GenieLocker is a purpose-built Windows ransomware executable that does not share code patterns with known commodity ransomware families.
Researchers have noted several characteristics of GenieLocker:
- Targets Windows environments, consistent with the profile of Russian SME and enterprise targets
- Implements file encryption using standard cryptographic routines, appending a file extension to encrypted files that is distinctive enough to support attribution
- Drops ransom notes containing explicit references to the Ukraine-Russia conflict and political messaging consistent with Bearlyfy's hacktivist motivation
- Does not appear to operate a data leak site for double-extortion purposes — the primary motive appears to be disruption and destruction rather than financial gain
This hacktivist-first, destruction-first approach differentiates Bearlyfy from financially motivated ransomware groups, which typically prioritise victims who are likely to pay.
Target Profile and Payment Rate
Over the 70+ documented attacks, Bearlyfy has targeted a range of Russian organisations including logistics firms, manufacturing companies, retail businesses, and professional services firms. The group does not appear to specialise in critical infrastructure, instead focusing on organisations where operational disruption will cause maximum economic pain.
Researchers estimate that approximately 1 in 5 victims have paid the demanded ransom, a rate consistent with hacktivist-affiliated ransomware operations, where the primary goal is operational disruption rather than ransom collection. Many victims likely have no intention of negotiating with a group openly aligned with their own government's adversary.
Context: Hacktivist Ransomware in the Russia-Ukraine Conflict
Bearlyfy operates in a crowded ecosystem of pro-Ukraine hacktivist groups that have targeted Russian organisations since the February 2022 invasion. Groups including IT Army of Ukraine, Head Mare, and numerous smaller collectives have conducted thousands of disruptive operations, while KillNet has historically operated on the pro-Russia side of the same conflict.
What distinguishes Bearlyfy is the investment in original ransomware development — a capability that historically required significant technical resources and was primarily the domain of professionally structured cybercriminal organisations. The emergence of hacktivist groups capable of in-house ransomware development suggests that the technical ceiling for these groups is rising, and that the distinction between hacktivism and cybercrime operations is continuing to blur.
Russian Cybersecurity Response
Russian organisations and critical infrastructure operators have faced persistent pressure to reduce reliance on Western security tools following sanctions imposed after 2022. This has created gaps in some organisations' security posture as they migrate away from established EDR and endpoint protection vendors, potentially making them more vulnerable to novel malware strains like GenieLocker that lack established detection signatures.
Defensive Recommendations
Russian organisations targeted by politically motivated cyber operations should ensure:
- Offline and immutable backups are maintained and regularly tested for restoration — the primary defence against a ransomware operation motivated by disruption rather than extortion
- Network segmentation to limit lateral movement from an initial intrusion to domain-wide ransomware deployment
- Endpoint detection and response (EDR) with behavioural detection capable of identifying ransomware-like activity (mass file encryption, shadow copy deletion) independent of signature matches
- Incident response planning that accounts for scenarios where the attacker's goal is destruction rather than negotiation
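As an added example of the behavioural detection named in the third recommendation (not code from the article or from any vendor), the Python heuristic below flags shadow-copy deletion command lines and a burst of extension-changing renames by a single process, run over constructed Sysmon-style events. The event fields, the thresholds and the `.lockedx` extension are assumptions for illustration, not observed GenieLocker indicators.

```python
"""Behavioural ransomware heuristics over constructed endpoint events (added
example, not from the article; event shape and thresholds are assumptions)."""

import re
from collections import defaultdict

# Well-documented shadow-copy deletion command lines (MITRE ATT&CK T1490).
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|"
    r"wbadmin(\.exe)?\s+delete\s+catalog", re.IGNORECASE)
RENAME_THRESHOLD = 50   # extension-changing renames by one process ...
WINDOW_SECONDS = 60     # ... within this window (assumed tuning values)

def detect(events):
    """Return (rule, pid, detail) findings from Sysmon-like event dicts."""
    findings, renames = [], defaultdict(list)  # renames: pid -> [(ts, new_ext)]
    for ev in events:
        if ev["type"] == "process" and SHADOW_DELETE.search(ev["cmdline"]):
            findings.append(("shadow_copy_deletion", ev["pid"], ev["cmdline"]))
        elif ev["type"] == "rename":
            old_ext = ev["src"].rsplit(".", 1)[-1].lower()
            new_ext = ev["dst"].rsplit(".", 1)[-1].lower()
            if old_ext != new_ext:  # ignore in-place saves that keep the extension
                renames[ev["pid"]].append((ev["ts"], new_ext))
    for pid, items in renames.items():  # sliding time window per process
        items.sort()
        start = 0
        for end, (ts, _) in enumerate(items):
            while ts - items[start][0] > WINDOW_SECONDS:
                start += 1
            if end - start + 1 >= RENAME_THRESHOLD:
                exts = sorted({e for _, e in items[start:end + 1]})
                findings.append(("mass_extension_change", pid,
                                 f"{end - start + 1} renames to {exts}"))
                break
    return findings

def sample_events():
    """Constructed Sysmon-style events (not real telemetry); ts in seconds."""
    events = [{"type": "process", "pid": 1337, "ts": 0,
               "cmdline": "vssadmin.exe delete shadows /all /quiet"},
              {"type": "process", "pid": 2000, "ts": 1,
               "cmdline": "notepad.exe C:\\Users\\a\\notes.txt"}]
    events += [{"type": "rename", "pid": 4242, "ts": 10 + i,   # 60 files in 60 s
                "src": f"D:\\share\\doc{i}.docx", "dst": f"D:\\share\\doc{i}.docx.lockedx"}
               for i in range(60)]
    events += [{"type": "rename", "pid": 9001, "ts": 20 + i,   # benign: 3 files
                "src": f"C:\\tmp\\f{i}.txt", "dst": f"C:\\tmp\\f{i}.md"} for i in range(3)]
    return events
```

Thresholds must be tuned per environment: backup agents and bulk document converters also rename many files quickly, so the rename rule is best combined with the shadow-copy rule and process ancestry before alerting.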
The development of GenieLocker suggests Bearlyfy intends to continue and expand its operations throughout 2026. Security teams monitoring the Russia-Ukraine cyber conflict should track the group's infrastructure and indicators of compromise.