Pro-Ukrainian Hacker Group Bearlyfy Escalates Attacks on Russian Businesses with Custom Ransomware
The pro-Ukrainian hacker group **Bearlyfy** has significantly ramped up its cyber offensive against Russian companies over the past year, now employing custom-built ransomware tools. What began as a low-skill group targeting smaller businesses has evolved into a serious threat, demanding ransoms reaching hundreds of thousands of dollars.
## Bearlyfy: From Script Kiddies to Ransomware Menace
Emerging in January 2025, **Bearlyfy** initially targeted smaller Russian businesses, exhibiting limited skills and demanding modest ransoms. According to a report by Russian cybersecurity firm **F6**, the group has rapidly evolved, becoming a significant threat to larger Russian organizations.
"Within a year this group has become a real nightmare for large Russian businesses," **F6** researchers stated, noting the surge in ransom demands to hundreds of thousands of dollars. The group's motives appear to be both financial and politically driven, aiming to inflict maximum damage while generating revenue.
**F6** estimates that approximately one in five victims ends up paying the ransom.
## GenieLocker: A Custom-Built Weapon
Since early March, **Bearlyfy** has begun deploying its own custom Windows ransomware strain known as **GenieLocker**, indicating a new phase in their operations. Researchers believe the group developed **GenieLocker** in-house.
Unlike typical ransomware operations, **Bearlyfy** doesn't always generate automated ransom notes. Instead, attackers sometimes craft personalized messages, ranging from concise instructions to taunts directed at the victim company.
## Leveraging Leaked Code and Collaboration
Earlier attacks relied on existing ransomware tools derived from leaked code. For example, **Bearlyfy** frequently used **LockBit 3 Black**, created with a builder for the **LockBit** ransomware-as-a-service platform that leaked online in 2022. On Linux systems, the group deployed a modified version of the **Babuk** ransomware based on publicly leaked source code.
**F6** has also observed collaboration between **Bearlyfy** and other, more experienced pro-Ukrainian groups, such as **Head Mare**, although the group has maintained its own distinct operational style.
Western researchers have not extensively reported on **Bearlyfy**'s activity, likely due to limited visibility into Russian networks.