More than 70 cyber attacks on Russian businesses have been linked to a pro-Ukrainian group called Bearlyfy. Recent attacks used a custom Windows ransomware strain called GenieLocker. Early attacks focused on small businesses before moving on to bigger ones and demanding ransoms of €80,000 (about $92,100).
Russian security company F6 says that by August 2025, the group had claimed at least 30 victims. F6 said in a report on the group's attacks that "Bearlyfy (also known as Labubu) operates as a dual-purpose group aimed at inflicting maximum damage upon Russian businesses." The report said that the group is known for fast attacks that require little planning and encrypt data quickly.
It said, "In just one year, this group has become a real nightmare for Russian businesses, even big ones." The group's initial ransom demands are said to have risen even further, now reaching hundreds of thousands of dollars. According to F6 data, about 20% of victims choose to pay the ransom.
The company said that the most important change in the threat actor's behavior is that they have been using a proprietary ransomware family called GenieLocker to attack Windows endpoints since March 1, 2026. It has been known to attack businesses in Russia and Belarus since 2022. The report also said that there were some similarities between this group and another one that is thought to be working for Ukrainian interests.












