From Amateur Nuisance to Corporate Scourge: Bearlyfy’s Ransomware War on Russia
Pro-Ukraine hacking group Bearlyfy escalates attacks on Russian firms, unleashing custom ransomware and political taunts.
In the shadowy world of cyber conflict, one name has rapidly evolved from minor irritant to major threat: Bearlyfy. What began as a fledgling pro-Ukrainian hacking collective targeting small Russian businesses has exploded into a sophisticated ransomware campaign, now shaking the foundations of Russia’s corporate sector with custom-built malware and a distinct political edge.
Bearlyfy’s digital offensive began quietly in early 2025, its operators launching modest attacks against small Russian enterprises. At first, their tactics were raw, leveraging off-the-shelf ransomware tools and demanding small sums. But according to Russian cybersecurity firm F6, the group’s rapid evolution has made it a “real nightmare” for larger corporations, both in scale and sophistication.
Financial gain is only part of Bearlyfy’s motivation. The group’s operations are laced with political symbolism - messages to victims sometimes taunt or ridicule Russian companies, and the choice of targets appears calculated to maximize disruption. This blend of activism and cybercrime is part of a wider trend of “hacktivist” groups aligning themselves with geopolitical causes.
Technically, Bearlyfy’s arsenal has grown more formidable. Early attacks relied on recycled malware - such as LockBit 3 Black and a Linux variant based on the leaked Babuk code - tools widely circulated among cybercriminals after high-profile leaks. But in March, the group unveiled GenieLocker, a custom Windows ransomware strain believed to be developed in-house. This marks a new phase: Bearlyfy is no longer just recycling the work of others, but actively innovating in the malware space.
Unlike the operators of automated ransomware campaigns, Bearlyfy sometimes writes its ransom notes by hand, and they range from curt instructions to elaborate, mocking diatribes. This personal touch underscores their dual purpose: extortion and psychological warfare. F6’s data suggests that about one in five victims caves to the pressure and pays up - potentially netting the group significant revenues to fund future operations.
Bearlyfy’s trajectory is also marked by collaboration. The group has reportedly worked with more experienced pro-Ukrainian entities like Head Mare, sharing intelligence and occasionally tactics, while maintaining its own operational style. Yet, despite their growing impact, Western cyber researchers have largely missed Bearlyfy’s activities, possibly due to limited access to Russian networks.
As cyber warfare continues to blur the boundaries between activism, espionage, and organized crime, Bearlyfy’s evolution is a stark reminder: today’s digital skirmishes can rapidly escalate, with custom malware and political agendas turning the corporate world into a battlefield. Russian organizations - and their defenders - are now on notice: the era of amateur hacktivism is over, and the stakes are only getting higher.
WIKICROOK
- Ransomware: Ransomware is malicious software that encrypts or locks data, demanding payment from victims to restore access to their files or systems.
- Leaked Source Code: Leaked source code is the unauthorized exposure of software code, enabling cybercriminals to exploit vulnerabilities or develop new malware threats.
- Hacktivist: A hacktivist is an activist who uses hacking techniques to support political or social causes, often by leaking sensitive information or disrupting systems.
- Malware Builder: A malware builder is a tool that enables attackers to quickly generate custom malware, making it easier to launch diverse and sophisticated cyberattacks.