Pro‑Ukraine Hacker Group Bearlyfy Deploys Custom GenieLocker Ransomware Against Russian Companies
What Happened – Over the past year Bearlyfy, a pro‑Ukrainian threat actor, has carried out more than 70 ransomware attacks on Russian enterprises and has recently shifted to a self‑developed Windows ransomware strain called GenieLocker. Ransom demands have risen from a few thousand dollars to hundreds of thousands of dollars, and an estimated 20% of victims have paid.
Why It Matters for TPRM –
- The campaign blends financial extortion with geopolitical motives, so victim selection is driven by nationality and sector rather than purely by opportunity, which raises the likelihood of deliberate targeting of supply‑chain partners.
- Moving from leaked ransomware‑as‑a‑service code to custom malware means controls tuned to known families (signatures, YARA rules, hashes) are less likely to fire; detection has to rest on behaviour rather than on recognising the payload.
- Collaboration with other pro‑Ukrainian groups suggests a broader ecosystem that could pivot to additional third‑party vendors.
Who Is Affected – Primarily Russian corporations of all sizes, including large enterprises in manufacturing, energy, finance, and logistics.
Recommended Actions –
- Review any Russian‑origin vendors or partners, and any vendors with Russian subsidiaries or hosting, for exposure to Bearlyfy activity.
- Verify that endpoint detection and response (EDR) solutions detect ransomware behaviourally (mass file modification or renaming across many directories, high‑entropy writes, shadow‑copy deletion) rather than only by signatures for known families, since GenieLocker is a previously unseen strain.
- Ensure backups are kept offline or immutable, cover the critical business files the group targets, and are tested with actual restores on a regular schedule.
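As a concrete illustration of the behavioural EDR check above, the following is an added example written for this page; it is not code from The Record's report, and it does not model GenieLocker's real file extensions, ransom‑note names or any other specific indicator. It flags a process that, inside a short window, modifies many files across several directories and writes mostly high‑entropy (encrypted‑looking) content, which is a family‑agnostic heuristic that does not depend on knowing the strain. All file events below are constructed sample data; the thresholds are assumptions to be tuned per environment.

```python
"""Behavioural ransomware heuristic over constructed Windows file events.

Added example (not from the original report, not GenieLocker's behaviour).
Flags a process as a mass-encryption candidate when, within `window_s`
seconds, it touches at least `min_files` files spread over at least
`min_dirs` directories and at least half of its writes look encrypted
(Shannon entropy of the written sample >= `entropy_threshold` bits/byte).
"""
import math
from collections import defaultdict, deque
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class FileEvent:
    ts: float       # seconds since some epoch (constructed)
    pid: int        # process that performed the operation
    op: str         # "write" or "rename"
    path: str       # Windows path of the affected file
    sample: bytes   # first bytes written (empty for renames)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 for uniformly random data, ~4-5 for English text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_mass_encryption(events, window_s=10.0, min_files=20,
                           min_dirs=3, entropy_threshold=7.0):
    """Return {pid: ts} for each process at the first event that trips the heuristic."""
    history = defaultdict(deque)   # pid -> deque of (ts, directory, high_entropy)
    alerts = {}
    for ev in sorted(events, key=lambda e: e.ts):
        q = history[ev.pid]
        while q and ev.ts - q[0][0] > window_s:   # slide the window
            q.popleft()
        directory = str(PureWindowsPath(ev.path).parent).lower()
        high = ev.op == "write" and shannon_entropy(ev.sample) >= entropy_threshold
        q.append((ev.ts, directory, high))
        if ev.pid in alerts:
            continue
        dirs = {d for _, d, _ in q}
        high_writes = sum(1 for _, _, h in q if h)
        # Many files, many directories, and mostly encrypted-looking content.
        if len(q) >= min_files and len(dirs) >= min_dirs and high_writes >= min_files // 2:
            alerts[ev.pid] = ev.ts
    return alerts


# Constructed sample content: a byte permutation (entropy 8.0) stands in for
# ciphertext; repeated prose stands in for an ordinary document.
ENCRYPTED_LIKE = bytes((i * 97 + 13) % 256 for i in range(256))
PLAINTEXT_LIKE = (b"Quarterly logistics report, draft for review. " * 6)[:256]


def build_constructed_events():
    """Constructed event stream: one encryptor, one office user, one backup job."""
    events = []
    user_dirs = [r"C:\Users\acme\Documents", r"C:\Users\acme\Desktop",
                 r"D:\Shares\Finance", r"D:\Shares\Logistics"]
    # pid 4242: sweeps four directories in ~7.5 s, renaming every third file.
    for i in range(30):
        op = "rename" if i % 3 == 2 else "write"
        path = rf"{user_dirs[i % 4]}\file{i}.xlsx"
        events.append(FileEvent(100.0 + i * 0.25, 4242, op, path,
                                ENCRYPTED_LIKE if op == "write" else b""))
    # pid 1000: a user saving a handful of ordinary documents.
    for i in range(5):
        events.append(FileEvent(100.0 + i * 1.0, 1000, "write",
                                rf"C:\Users\acme\Documents\notes{i}.docx", PLAINTEXT_LIKE))
    # pid 2000: a backup job writing compressed (high-entropy) chunks, but all
    # into a single directory, so it must not trip the directory-spread test.
    for i in range(30):
        events.append(FileEvent(200.0 + i * 0.2, 2000, "write",
                                rf"D:\Backups\2024\chunk{i}.bin", ENCRYPTED_LIKE))
    return events


def run_demo():
    return detect_mass_encryption(build_constructed_events())


if __name__ == "__main__":
    for pid, ts in run_demo().items():
        print(f"ALERT pid={pid} mass-encryption behaviour at t={ts}")
```

The backup job in the sample is the usual false‑positive trap for entropy‑only rules: it writes plenty of encrypted‑looking data, but confined to one directory, so the directory‑spread condition keeps it quiet while the process that walks user and share directories is flagged on its twentieth file. In a real deployment the event source would be the EDR's file‑activity telemetry (Sysmon or ETW on Windows), and thresholds should be set from a baseline of the environment's legitimate bulk writers (backup, archiving, database compaction).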
Technical Notes – Attack vector: deployment of a custom Windows ransomware (GenieLocker) delivered via malicious email attachments and via compromised Remote Desktop (RDP) access. Earlier operations used leaked LockBit 3 Black and Babuk source code, so the group has progressed from off‑the‑shelf builders to bespoke malware; indicators developed against those families should not be assumed to cover GenieLocker. No specific CVEs were cited, which is consistent with initial access through phishing and stolen or weak remote‑desktop credentials rather than a software vulnerability. Data encrypted includes critical business files; ransom notes are sometimes manually crafted, so note‑text signatures are an unreliable detection. Source: The Record