Bearlyfy and GenieLocker: How a Pro-Ukrainian Group Is Redefining Ransomware as Dual-Purpose Warfare

What Is Bearlyfy and Why Does This Group Matter?

Bearlyfy, tracked under the alternate name Labubu, is a pro-Ukrainian threat group that has been conducting ransomware operations against Russian businesses since at least January 2025. Russian cybersecurity vendor F6 first documented the group in September 2025, attributing more than 70 attacks to the collective by that point [1]. The campaign has continued into 2026 with no signs of slowing.​‌‌​​​‌​‍​‌‌​​‌​‌‍​‌‌​​​​‌‍​‌‌‌​​‌​‍​‌‌​‌‌​​‍​‌‌‌‌​​‌‍​‌‌​​‌‌​‍​‌‌‌‌​​‌‍​​‌​‌‌​‌‍​‌‌​​‌‌‌‍​‌‌​​‌​‌‍​‌‌​‌‌‌​‍​‌‌​‌​​‌‍​‌‌​​‌​‌‍​‌‌​‌‌​​‍​‌‌​‌‌‌‌‍​‌‌​​​‌‌‍​‌‌​‌​‌‌‍​‌‌​​‌​‌‍​‌‌‌​​‌​‍​​‌​‌‌​‌‍​‌‌‌​​‌​‍​‌‌​​​​‌‍​‌‌​‌‌‌​‍​‌‌‌​​‌‌‍​‌‌​‌‌‌‌‍​‌‌​‌‌​‌‍​‌‌‌​‌‌‌‍​‌‌​​​​‌‍​‌‌‌​​‌​‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌‌​​‌​‍​‌‌‌​‌​‌‍​‌‌‌​​‌‌‍​‌‌‌​​‌‌‍​‌‌​

‌​​‌‍​‌‌​​​​‌‍​​‌​‌‌​‌‍​‌‌‌​‌​‌‍​‌‌​‌​‌‌‍​‌‌‌​​‌​‍​‌‌​​​​‌‍​‌‌​‌​​‌‍​‌‌​‌‌‌​‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​​‌‌​​‌​‍​​‌‌​​​​‍​​‌‌​​‌​‍​​‌‌​‌‌​

What makes Bearlyfy noteworthy is not just volume but motivation. Traditional ransomware groups operate almost exclusively for profit. Hacktivist groups typically aim to disrupt or embarrass targets without seeking payment. Bearlyfy occupies both lanes simultaneously: extracting ransoms for financial gain while deliberately targeting Russian businesses as an act of wartime sabotage [1][2]. This dual-purpose model collapses the conventional distinction between cybercrime and cyber warfare, creating a template that other ideologically motivated groups may adopt.

What Is GenieLocker and How Does It Work?

GenieLocker is Bearlyfy's custom-built Windows ransomware, developed to replace the group's earlier reliance on leaked and modified tools. Before GenieLocker, the group deployed LockBit 3 (also known as LockBit Black), Babuk encryptors, and a modified version of PolyVice -- all tools that originated from other ransomware operations and were either leaked or shared in underground forums [1][3].​‌‌​​​‌​‍​‌‌​​‌​‌‍​‌‌​​​​‌‍​‌‌‌​​‌​‍​‌‌​‌‌​​‍​‌‌‌‌​​‌‍​‌‌​​‌‌​‍​‌‌‌‌​​‌‍​​‌​‌‌​‌‍​‌‌​​‌‌‌‍​‌‌​​‌​‌‍​‌‌​‌‌‌​‍​‌‌​‌​​‌‍​‌‌​​‌​‌‍​‌‌​‌‌​​‍​‌‌​‌‌‌‌‍​‌‌​​​‌‌‍​‌‌​‌​‌‌‍​‌‌​​‌​‌‍​‌‌‌​​‌​‍​​‌​‌‌​‌‍​‌‌‌​​‌​‍​‌‌​​​​‌‍​‌‌​‌‌‌​‍​‌‌‌​​‌‌‍​‌‌​‌‌‌‌‍​‌‌​‌‌​‌‍​‌‌‌​‌‌‌‍​‌‌​​​​‌‍​‌‌‌​​‌​‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌‌​​‌​‍​‌‌‌​‌​‌‍​‌‌‌​​‌‌‍​‌‌‌​​‌‌‍​‌‌​‌​​‌‍​‌‌​​​​‌‍​​‌​‌‌​‌‍​‌‌‌​‌​‌‍​‌‌​‌​‌‌‍​‌‌‌​​‌​‍​‌‌​​​​‌‍​‌‌​‌​​‌‍​‌‌​‌‌‌​‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​​‌‌​​‌​‍​​‌‌​​​​‍​​‌‌​​‌​‍​​‌‌​‌‌​

The shift to custom malware is significant. Leaked ransomware builders like LockBit Black are widely available, which means security vendors have extensive detection signatures for them [4]. By developing GenieLocker, Bearlyfy gains several advantages: reduced detection rates, control over the encryption implementation, and the ability to tailor the ransomware to specific operational needs without depending on external code that could contain backdoors or tracking mechanisms.

Details on GenieLocker's encryption scheme have not been fully published, but F6's analysis indicates it targets Windows environments and follows the standard ransomware playbook of file encryption followed by ransom note deployment [1]. The ransom demands themselves are relatively modest -- up to 80,000 EUR, or approximately $92,100 -- which suggests a volume strategy rather than the high-value, single-target approach used by groups like Cl0p or BlackCat [5].

How Does the Dual-Purpose Model Change the Threat Landscape?

The convergence of hacktivism and ransomware is not entirely new, but Bearlyfy operationalizes it at a scale worth examining. When a ransomware group is motivated purely by profit, there is a predictable negotiation logic: they want payment, the victim wants data back, and both sides have an incentive to reach an agreement. When sabotage is an equal or greater motivation, that logic breaks down. An attacker who is satisfied by disruption alone may not provide working decryption keys, may leak stolen data regardless of payment, or may target organizations with no ability to pay simply to cause operational damage [6].

For businesses caught in geopolitical crossfire, this changes the risk calculus. Paying a ransom to a dual-purpose group offers no guarantee of recovery because data destruction may be the point. According to Chainalysis, ransomware payments declined 35% year-over-year in 2024 as more organizations invested in resilience rather than ransom budgets [7]. The rise of sabotage-motivated ransomware makes that investment in resilience even more critical.

The pattern extends beyond the Russia-Ukraine conflict. Any region experiencing geopolitical tension could see similar groups emerge. The tools are accessible -- LockBit, Babuk, and Conti source code are all publicly available -- and the operational model has been demonstrated. Businesses operating in or adjacent to conflict zones should treat dual-purpose ransomware as a planning assumption, not an edge case.

What Defenses Work Against Groups Like Bearlyfy?

Defending against Bearlyfy and similar groups uses the same foundational controls that protect against any ransomware operation, with additional emphasis on resilience over recovery.

Offline backups remain the single most effective defense against ransomware encryption. The 3-2-1 backup rule -- three copies, two different media types, one offsite -- ensures that even a complete encryption event does not result in permanent data loss [8]. Testing backup restoration regularly is equally important; a backup that cannot be restored under pressure is not a backup.

Endpoint detection and response (EDR) solutions with behavioral analysis capabilities are essential for catching custom malware like GenieLocker that may not yet have signature-based detections. According to MITRE's 2025 ATT&CK Evaluations, top-tier EDR solutions detected 92% of ransomware behaviors even when the specific malware variant was previously unseen [9].

Network segmentation limits lateral movement after initial compromise. Bearlyfy's operational pattern suggests they gain initial access through common vectors -- phishing, exposed remote services, or credential reuse -- before deploying ransomware across accessible systems [1]. Segmenting critical assets into isolated network zones forces attackers to overcome additional barriers at each step.

Identity and access management deserves particular attention. Enforcing multi-factor authentication (MFA) across all remote access points and privileged accounts closes one of the most reliable entry points for ransomware operators. Microsoft's 2025 Digital Defense Report found that MFA blocks 99.2% of account compromise attempts [10].

Finally, incident response planning should explicitly account for scenarios where the attacker has no intention of providing a working decryptor. Tabletop exercises that simulate a sabotage-motivated attack -- where paying the ransom is not a viable option -- force organizations to test whether their recovery capabilities are truly independent of attacker cooperation.

How Should Businesses Think About Geopolitical Cyber Risk?

Bearlyfy illustrates that cyber risk and geopolitical risk are no longer separate categories. Supply chains, business partnerships, and even customer bases that intersect with conflict zones create exposure pathways that traditional vulnerability scanning does not capture.

Building resilience against these threats is not about predicting which group will emerge next. It is about ensuring that your organization can absorb an attack, maintain critical operations, and recover on your own terms. That resilience -- tested backups, segmented networks, strong identity controls, and practiced incident response -- protects against profit-motivated criminals and ideologically driven saboteurs equally.

The organizations that weather these storms are the ones that invested in continuity before the storm arrived.

FAQ

References

[1] F6, "Bearlyfy (Labubu): Pro-Ukrainian Ransomware Group Targeting Russian Companies," F6 Threat Intelligence Report, Sep. 2025. [Online]. Available: https://www.f6.com/research/bearlyfy-labubu-ransomware-russia

[2] The Record by Recorded Future, "Pro-Ukrainian group Bearlyfy linked to 70+ ransomware attacks on Russian firms," The Record, Mar. 27, 2026. [Online]. Available: https://therecord.media/bearlyfy-genielocker-ransomware-russia-2026

[3] Trend Micro, "LockBit 3.0 Builder Leak: Impact on the Ransomware Ecosystem," Trend Micro Research, 2023. [Online]. Available: https://www.trendmicro.com/en_us/research/23/lockbit-builder-leak.html

[4] Sophos, "The State of Ransomware 2025," Sophos Whitepaper, 2025. [Online]. Available: https://www.sophos.com/en-us/content/state-of-ransomware

[5] Coveware, "Quarterly Ransomware Report Q1 2026," Coveware by Veeam, 2026. [Online]. Available: https://www.coveware.com/blog/q1-2026-ransomware-report

[6] CISA, "Stop Ransomware Guide," Cybersecurity and Infrastructure Security Agency, Updated 2025. [Online]. Available: https://www.cisa.gov/stopransomware

[7] Chainalysis, "2025 Crypto Crime Report: Ransomware," Chainalysis Inc., Feb. 2025. [Online]. Available: https://www.chainalysis.com/blog/ransomware-2025/

[8] NIST, "Cybersecurity Framework 2.0," National Institute of Standards and Technology, 2024. [Online]. Available: https://www.nist.gov/cyberframework

[9] MITRE, "ATT&CK Evaluations Enterprise 2025," MITRE Corporation, 2025. [Online]. Available: https://attackevals.mitre-engenuity.org/enterprise/2025

[10] Microsoft, "Microsoft Digital Defense Report 2025," Microsoft Corporation, Oct. 2025. [Online]. Available: https://www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2025

---

Want to stress-test your ransomware resilience before an attacker does? Book a consultation to protect what you have built.