A pro-Ukraine hacking group known as Bearlyfy has carried out more than 70 cyberattacks targeting Russian companies, deploying a newly developed ransomware strain as part of an escalating campaign. The attacks, reported in March 2026, highlight the growing intersection of cybercrime and geopolitical conflict.
Bearlyfy, which first emerged in January 2025, initially focused on smaller Russian businesses with relatively low ransom demands. However, over time, the group has evolved significantly in both scale and sophistication, now targeting larger enterprises and demanding substantially higher payments. Researchers note that the group’s activities serve a dual purpose—generating financial gains while also inflicting disruption on Russian organizations.
A key development in the group’s operations is the introduction of a custom-built Windows ransomware known as GenieLocker. This marks a shift from earlier reliance on leaked or modified ransomware tools such as LockBit 3 (Black) and Babuk. The move toward proprietary malware indicates increased technical maturity and a more structured approach to cyber operations.
Security researchers have found that Bearlyfy’s attack methods often involve exploiting vulnerable external services and applications to gain initial access. Once inside a system, the attackers deploy remote access tools to enable data encryption, modification, or destruction. Unlike many ransomware groups, Bearlyfy sometimes creates ransom notes manually rather than relying on automated processes, adding a distinct element to its operations.
Further analysis has revealed overlaps between Bearlyfy and other pro-Ukraine hacking groups, including PhantomCore and Head Mare, suggesting possible collaboration or shared infrastructure. These connections point to a broader network of hacktivist and cybercriminal entities operating within the same geopolitical context.
Experts warn that the campaign reflects a broader trend in which cyberattacks are increasingly being used as tools of both economic extortion and political disruption. As groups like Bearlyfy continue to evolve, their activities are expected to pose growing risks to businesses and critical infrastructure, particularly in regions affected by ongoing geopolitical tensions.
