{ "id": "bc49e963-6ee9-4bd1-a185-f1cd9cbd3c2a", "created_at": "2026-04-10T03:20:25.626295Z", "updated_at": "2026-04-10T03:22:17.124218Z", "deleted_at": null, "sha1_hash": "87c68df2b214237f7efbe1815ca59b8214226cac", "title": "Pro-Ukraine hacker group Bearlyfy targets Russian companies with custom ransomware", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 75234, "plain_text": "Pro-Ukraine hacker group Bearlyfy targets Russian companies\r\nwith custom ransomware\r\nBy Daryna Antoniuk\r\nPublished: 2026-03-26 · Archived: 2026-04-10 02:12:46 UTC\r\nA pro-Ukrainian hacker group known as Bearlyfy has carried out more than 70 cyberattacks against Russian\r\ncompanies over the past year and is now escalating its campaign with newly developed ransomware tools,\r\nresearchers have found.\r\nBearlyfy first appeared in January 2025 and initially targeted smaller Russian businesses. In its early operations,\r\nthe attackers showed limited skills and demanded modest ransoms of only a few thousand dollars, according to a\r\nreport by the Russian cybersecurity firm F6.\r\n“Within a year this group has become a real nightmare for large Russian businesses,” researchers said, adding that\r\nthe group’s ransom demands in recent attacks have grown to hundreds of thousands of dollars.\r\nAccording to the researchers, the group’s primary goals are both financial and political. They appear to be causing\r\n“maximum damage” to Russian companies while also generating revenue through ransomware payments.\r\nF6 estimates that roughly one in five victims ultimately pays the ransom.\r\nThe group has recently begun deploying its own malware, marking a new stage in its operations. Since early\r\nMarch, Bearlyfy has used a custom-built Windows ransomware strain known as GenieLocker, which researchers\r\nbelieve was developed by the group itself.\r\nUnlike many ransomware operations, Bearlyfy’s malware does not always automatically generate ransom notes.\r\nInstead, attackers sometimes create their own messages manually, ranging from short instructions with contact\r\ndetails to longer messages mocking the victim company.\r\nEarlier Bearlyfy attacks relied heavily on existing ransomware tools derived from leaked code. For example,\r\nBearlyfy often used LockBit 3 Black, created with a builder for the LockBit ransomware-as-a-service platform\r\nthat leaked online in 2022. On Linux systems, the group deployed a modified version of the Babuk ransomware\r\nbased on publicly leaked source code.\r\nF6 has also observed collaboration between Bearlyfy and other, more experienced pro-Ukrainian groups, such as\r\nHead Mare, although the group has maintained its own distinct operational style, researchers said.\r\nWestern researchers have not reported on Bearlyfy’s activity, likely because many lack visibility into Russian\r\nnetworks.\r\nhttps://therecord.media/ransomware-ukraine-russia-bearlyfy\r\nPage 1 of 2\n\nNo previous article\r\nNo new articles\r\nDaryna Antoniuk\r\nis a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in\r\nEastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for\r\nForbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.\r\nSource: https://therecord.media/ransomware-ukraine-russia-bearlyfy\r\nhttps://therecord.media/ransomware-ukraine-russia-bearlyfy\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "Malpedia" ], "references": [ "https://therecord.media/ransomware-ukraine-russia-bearlyfy" ], "report_names": [ "ransomware-ukraine-russia-bearlyfy" ], "threat_actors": [], "ts_created_at": 1775791225, "ts_updated_at": 1775791337, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/87c68df2b214237f7efbe1815ca59b8214226cac.pdf", "text": "https://archive.orkl.eu/87c68df2b214237f7efbe1815ca59b8214226cac.txt", "img": "https://archive.orkl.eu/87c68df2b214237f7efbe1815ca59b8214226cac.jpg" } }