Bearlyfy has been attributed to over 70 cyber attacks targeting Russian companies since its emergence in January 2025, employing a custom Windows ransomware strain known as GenieLocker. The group operates with dual objectives of extortion and sabotage, utilizing a modified version of PolyVice and leveraging vulnerabilities in external services and applications for initial access. Analysis reveals overlaps with PhantomCore, indicating a pro-Ukrainian interest, while Bearlyfy's attacks are characterized by minimal preparation and a focus on immediate impact through data encryption and destruction. Approximately 20% of victims reportedly pay the ransom, with demands escalating to hundreds of thousands of dollars.
Also known as
Labubu.
References
Actor metadata imported from Malpedia (Fraunhofer FKIE).