Bearlyfy Hits 70+ Russian Firms with Custom GenieLocker Ransomware

Divergent

Jul 26, 2025
A pro-Ukrainian group called Bearlyfy has been attributed to more than 70 cyber attacks targeting Russian companies since it first surfaced in the threat landscape in January 2025, with recent attacks leveraging a custom Windows ransomware strain codenamed GenieLocker.

"Bearlyfy (also known as Labubu) operates as a dual-purpose group aimed at inflicting maximum damage upon Russian businesses; its attacks serve the dual objectives of extortion for financial gain and acts of sabotage," Russian security vendor F6 said.

Executive Summary

Confirmed Facts

The pro-Ukrainian threat actor "Bearlyfy (also known as Labubu)" has conducted over 70 attacks against Russian enterprises since January 2025, utilizing external service vulnerabilities to gain initial access and deploying MeshAgent for remote control. As of March 2026, the group has shifted from using leaked lockers (LockBit, Babuk) to deploying a custom Windows ransomware strain codenamed "GenieLocker".

Assessment
Bearlyfy operates with dual objectives of financial extortion and sheer sabotage. The absence of specific exploit telemetry indicates they likely conduct opportunistic scanning of unpatched public-facing infrastructure rather than relying on sophisticated zero-day chains.

Technical Analysis & Remediations

MITRE ATT&CK Mapping

T1190

Exploit Public-Facing Application: Initial access via vulnerable external services.

T1219
Remote Access Software: Deployment of MeshAgent to maintain persistence and control.

T1486
Data Encrypted for Impact: Execution of GenieLocker, PolyVice, or other lockers.

CVE Profile
[NVD Score: Unknown]
[CISA KEV Status: Inactive/Unspecified]
The source telemetry does not specify which vulnerabilities are being exploited, defaulting to generalized perimeter weaknesses.

Constraint
The structure resembles standard RaaS operations, but the GenieLocker payload suggests an encryption scheme derived from Venus/Trinity ransomware logic. Notably, ransom notes are delivered manually by the attackers rather than being automatically dropped by the encryptor binary.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight

Command
Establish incident response playbooks specifically accounting for dual-purpose extortion and sabotage events, as decryption may not be guaranteed even if a ransom is paid.

DETECT (DE) – Monitoring & Analysis

Command
Query EDR and SIEM platforms for the unauthorized presence of MeshAgent.exe or associated remote management artifacts. Monitor for anomalous outbound traffic from DMZ servers.

RESPOND (RS) – Mitigation & Containment

Command
Isolate affected Windows endpoints immediately upon detecting Venus/Trinity-style file encryption patterns. Do not reboot, to preserve volatile memory for forensics.

RECOVER (RC) – Restoration & Trust

Command
Validate the integrity of offline, immutable backups prior to a phased restoration.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

Command
Audit and patch all public-facing applications and external services. Enforce strictly configured Multi-Factor Authentication (MFA) on all remote access gateways (VPN, RDP, Citrix).

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Safety

Command
Threat level is Theoretical/Low. The primary delivery vector relies on targeting "external services and vulnerable applications," which are not exposed in a default Windows Home installation behind a standard NAT router.

Priority 2: Identity

Command
Maintain standard credential hygiene. Do not log into banking/email if you suspect unauthorized remote access software has been installed. Reset passwords/MFA using a known clean device (e.g., phone on 5G).

Priority 3: Persistence

Command
Audit installed applications and Startup Folders for unauthorized remote management tools, specifically looking for "MeshAgent."

Hardening & References

Baseline

CIS Benchmarks for Windows 10/11 and Windows Server (Emphasis on External Attack Surface Management and Least Privilege).

Framework
NIST CSF 2.0 / SP 800-61r3.

Source

Habr

The Hacker News
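The DETECT and Priority 3 items above both come down to finding MeshAgent on a Windows endpoint. As an added example (not part of the post, the F6 report or the MeshCentral project), this read-only PowerShell hunt checks processes, services, Run keys, startup folders and scheduled tasks on one host. The name patterns are an assumption: MeshAgent's default service name is believed to be "Mesh Agent", but the agent is renameable, so a miss here is not a clean bill.

```powershell
# Added example, not from the post or F6: read-only hunt for MeshAgent artifacts on one
# Windows host. Patterns are an assumption (default service name is believed to be
# "Mesh Agent"); a renamed agent will not match, so review any unknown remote tool.
$patterns = @('MeshAgent', 'Mesh Agent', 'meshagent')
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($Category, $Name, $Detail) {
    $findings.Add([pscustomobject]@{ Category = $Category; Name = $Name; Detail = $Detail })
}
function Test-Match($text) {
    if ([string]::IsNullOrEmpty($text)) { return $false }
    foreach ($p in $patterns) { if ($text -match [regex]::Escape($p)) { return $true } }
    return $false
}

# 1. Running processes: image name, path and command line
Get-CimInstance Win32_Process | ForEach-Object {
    if ((Test-Match $_.Name) -or (Test-Match $_.ExecutablePath) -or (Test-Match $_.CommandLine)) {
        Add-Finding 'Process' $_.Name "PID $($_.ProcessId) $($_.ExecutablePath)"
    }
}
# 2. Installed services (MeshAgent normally persists as a service)
Get-CimInstance Win32_Service | ForEach-Object {
    if ((Test-Match $_.Name) -or (Test-Match $_.DisplayName) -or (Test-Match $_.PathName)) {
        Add-Finding 'Service' $_.Name "$($_.State) $($_.PathName)"
    }
}
# 3. Run keys, per-machine and per-user
foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty $key).PSObject.Properties) {
        if ($p.Name -notlike 'PS*' -and ((Test-Match $p.Name) -or (Test-Match $p.Value))) {
            Add-Finding 'RunKey' $p.Name "$key = $($p.Value)"
        }
    }
}
# 4. Startup folders (the location the home-user track names)
$startup = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
           "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
Get-ChildItem $startup -ErrorAction SilentlyContinue | Where-Object { Test-Match $_.Name } |
    ForEach-Object { Add-Finding 'StartupFolder' $_.Name $_.FullName }
# 5. Scheduled tasks whose name or action references the agent
Get-ScheduledTask | ForEach-Object {
    $exec = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' '
    if ((Test-Match $_.TaskName) -or (Test-Match $exec)) { Add-Finding 'ScheduledTask' $_.TaskName $exec }
}

if ($findings.Count -eq 0) { 'No MeshAgent artifacts found.' } else { $findings | Format-Table -AutoSize }
```

Run it from an elevated prompt so process command lines and per-machine keys are readable; any hit on a host where no administrator installed MeshAgent is the anomaly the DETECT step asks you to escalate.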
