Executive Summary
In early 2025, the pro-Ukrainian cyber group Bearlyfy initiated a series of over 70 ransomware attacks targeting Russian companies. Employing custom strains like GenieLocker, Bearlyfy exploited vulnerabilities in public-facing applications to gain initial access, subsequently encrypting critical data and demanding ransoms. The group's operations have caused significant disruptions across various sectors in Russia.
This incident underscores a growing trend of politically motivated cyberattacks, where hacktivist groups leverage ransomware to inflict economic damage. The Bearlyfy attacks highlight the evolving landscape of cyber threats, emphasizing the need for robust security measures to protect against both financially and ideologically driven adversaries.
Attack Path Analysis
Bearlyfy initiated attacks on Russian firms by exploiting vulnerabilities in public-facing services to gain initial access. They escalated privileges by exploiting misconfigured IAM roles, enabling broader access within the cloud environment. Utilizing compromised credentials, they moved laterally across cloud resources to identify and access critical data. Establishing command and control channels, they maintained persistent access and coordinated their activities. They exfiltrated sensitive data to external servers before deploying GenieLocker ransomware to encrypt files. The attacks culminated in significant operational disruption and financial demands through ransom notes.
Kill Chain Progression
Initial Compromise
Description
Bearlyfy exploited vulnerabilities in public-facing services to gain unauthorized access to cloud environments.
MITRE ATT&CK® Techniques
- Data Encrypted for Impact (T1486)
- Valid Accounts (T1078)
- Phishing (T1566)
- Inhibit System Recovery (T1490)
- Service Stop (T1489)
- Data Destruction (T1485)
Potential Compliance Exposure
Mapping of the incident's impact across multiple compliance frameworks:
- PCI DSS 4.0 – Malicious Software Prevention (Control ID: 6.4.1)
- NYDFS 23 NYCRR 500 – Cybersecurity Policy (Control ID: 500.03)
- DORA – ICT Risk Management Framework (Control ID: Article 5)
- CISA ZTMM 2.0 – Identity and Access Management (Control ID: 3.1)
- NIS2 Directive – Cybersecurity Risk Management Measures (Control ID: Article 21)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks:
- Oil/Energy/Solar/Greentech: Russian energy firms face GenieLocker ransomware attacks on critical infrastructure, with the potential for lateral movement over unencrypted east-west traffic and data exfiltration through unmonitored egress paths.
- Banking/Mortgage: Russian financial institutions are vulnerable to Bearlyfy's custom ransomware campaigns, which exploit weak zero trust segmentation and inadequate multicloud visibility to sustain command and control operations.
- Government Administration: Russian government entities are at high risk from the pro-Ukrainian Bearlyfy group's targeted ransomware attacks, which leverage poor egress security and weak threat detection capabilities to maximize damage.
- Telecommunications: Russian telecom infrastructure is exposed to GenieLocker ransomware through compromised hybrid connectivity and inadequate Kubernetes security, enabling privilege escalation and network compromise.
Sources
- Bearlyfy Hits Russian Firms with Custom GenieLocker Ransomware: https://thehackernews.com/2026/03/bearlyfy-hits-70-russian-firms-with.html
- New COLDRIVER Malware Campaign Joins BO Team and Bearlyfy in Russia-Focused Cyberattacks: https://thehackernews.com/2025/09/new-coldriver-malware-campaign-joins-bo.html
- APT and financial attacks on industrial organizations in Q4 2025: https://ics-cert.kaspersky.com/publications/reports/2026/03/06/apt-and-financial-attacks-on-industrial-organizations-in-q4-2025/
- APT and financial attacks on industrial organizations in Q3 2025: https://ics-cert.kaspersky.com/publications/reports/2025/12/01/apt-and-financial-attacks-on-industrial-organizations-in-q3-2025/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-aware policies.
- Control: Cloud Native Security Fabric (CNSF). Mitigation: the attacker's initial access could have been constrained, reducing the likelihood of unauthorized entry into the cloud environment.
- Control: Zero Trust Segmentation. Mitigation: the attacker's ability to escalate privileges could have been limited, reducing the scope of unauthorized access within the cloud environment.
- Control: East-West Traffic Security. Mitigation: the attacker's lateral movement could have been constrained, reducing the likelihood of accessing critical data across cloud resources.
- Control: Multicloud Visibility & Control. Mitigation: the establishment of command and control channels could have been limited, reducing the attacker's ability to maintain persistent access.
- Control: Egress Security & Policy Enforcement. Mitigation: the attacker's data exfiltration efforts could have been constrained, reducing the likelihood of sensitive data being transmitted to external servers.
Taken together, these controls could have limited the operational disruption and financial impact, reducing the overall severity of the attack.
Impact at a Glance
Affected Business Functions
- Financial Operations
- Customer Service
- Supply Chain Management
Estimated downtime: 14 days
Estimated loss: $80,000
Potential exposure of sensitive corporate data, including financial records and client information.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to enforce least-privilege access and prevent lateral movement.
- Utilize East-West Traffic Security to monitor and control internal traffic, detecting unauthorized movement.
- Deploy Egress Security & Policy Enforcement to restrict unauthorized data exfiltration and command and control communications.
- Enhance Threat Detection & Anomaly Response capabilities to identify and respond to suspicious activity promptly.
- Regularly review and update IAM policies to ensure proper privilege management and reduce the risk of privilege escalation.