Bearlyfy Deploys Custom GenieLocker Ransomware Against 70+ Russian Companies
What Happened – The pro‑Ukrainian threat group Bearlyfy (aka Labubu) has been linked to more than 70 ransomware incidents targeting Russian enterprises since its emergence in early 2025. The latest wave uses a bespoke Windows ransomware strain dubbed GenieLocker, which encrypts victim data and demands payment for decryption keys.
Why It Matters for TPRM –
- Ransomware attacks on third‑party vendors can cascade to downstream customers, disrupting supply‑chain operations.
- The use of a custom ransomware family indicates a high level of technical capability and intent to cause maximum operational impact.
- Geopolitical motivation raises the likelihood of targeted, persistent campaigns against specific industry verticals.
Who Is Affected – Russian‑based firms across multiple sectors (technology, manufacturing, services) that rely on third‑party software or managed services.
Recommended Actions –
- Review any contracts or data flows with Russian‑origin vendors to assess exposure.
- Verify that affected vendors have robust ransomware response plans, offline backups, and network segmentation.
- Increase monitoring for anomalous encryption activity and enforce multi‑factor authentication on privileged accounts.
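The "anomalous encryption activity" monitoring recommended above is usually built from two heuristics: newly written file contents whose byte entropy is close to 8 bits per byte (what encrypted or compressed data looks like), and a burst of such writes from one host within a short window. The following is an added illustration of that detection logic, not code from the brief or from The Hacker News; the entropy threshold, window, burst count, file names and replayed write log are all constructed assumptions and would be tuned to a real environment.

```python
import hashlib
import math
from collections import deque

# Constructed thresholds (assumptions, not taken from the brief).
ENTROPY_THRESHOLD = 7.5   # bits/byte; encrypted or compressed data approaches 8.0
BURST_WINDOW = 10.0       # seconds of history kept per host
BURST_COUNT = 50          # high-entropy writes inside the window that raise an alert


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes) -> bool:
    """Single-file heuristic: high entropy means the bytes are encrypted or compressed."""
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


class EncryptionBurstDetector:
    """Sliding-window count of high-entropy writes; fires when a burst is seen.

    Entropy alone also flags archives and media files, so the burst counter
    over a short window is what separates mass encryption from normal activity.
    """

    def __init__(self, window: float = BURST_WINDOW, threshold: int = BURST_COUNT):
        self.window = window
        self.threshold = threshold
        self.events = deque()  # timestamps of high-entropy writes, oldest first

    def feed(self, ts: float, content: bytes) -> bool:
        """Record one file write; return True if the burst threshold is reached."""
        if not looks_encrypted(content):
            return False
        self.events.append(ts)
        while self.events and ts - self.events[0] > self.window:
            self.events.popleft()
        return len(self.events) >= self.threshold


def replay_write_log(log):
    """Replay (ts, path, content) write events; return [(ts, path)] where alerts fired."""
    detector = EncryptionBurstDetector()
    return [(ts, path) for ts, path, content in log if detector.feed(ts, content)]


# Constructed sample inputs standing in for real file contents.
PLAINTEXT = b"Quarterly report: revenue up 4%, headcount flat, no material incidents. " * 60


def constructed_ciphertext(n_bytes: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) used as stand-in ciphertext."""
    out = bytearray()
    i = 0
    while len(out) < n_bytes:
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        i += 1
    return bytes(out[:n_bytes])


def constructed_write_log():
    """Five ordinary document writes, then 60 encrypted-looking writes 0.1 s apart."""
    log = []
    for i in range(5):
        log.append((i * 0.1, f"doc{i}.docx", PLAINTEXT))
    for i in range(5, 65):
        log.append((i * 0.1, f"doc{i}.docx", constructed_ciphertext(4096, seed=str(i).encode())))
    return log


if __name__ == "__main__":
    for ts, path in replay_write_log(constructed_write_log()):
        print(f"ALERT t={ts:.1f}s burst of high-entropy writes, latest {path}")
```

In production the write events would come from EDR or file-system auditing rather than a replayed list, the counter would be keyed per host and per user, and the thresholds would be tuned against a baseline of legitimate bulk operations such as backup jobs and archive creation, which also produce high-entropy output.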
Technical Notes – The attack vector has not been publicly disclosed; however, initial indicators point to phishing‑based credential compromise and exploitation of unpatched Windows systems. No specific CVEs have been cited. Data encrypted includes file systems, databases, and potentially backup repositories. Source: The Hacker News