Introduction
The cybersecurity landscape is witnessing a surge in ideologically motivated attacks, blurring the lines between hacktivism and destructive cyber warfare. Recent reports highlight the activities of "Bearlyfy" (also known as Labubu), a pro-Ukrainian group that has targeted over 70 Russian entities since January 2025. Unlike financially motivated cybercriminals, Bearlyfy operates with a singular focus on inflicting maximum operational disruption.
For security defenders, the emergence of their custom malware strain, GenieLocker, serves as a critical reminder: relying solely on signature-based antivirus is no longer sufficient. When threat actors develop custom encryption tools, they often bypass traditional detection methods. This post analyzes the GenieLocker threat and provides actionable defensive measures to protect your organization against similar custom ransomware campaigns.
Technical Analysis
Bearlyfy represents a dual-purpose threat actor combining hacktivist motivations with destructive capabilities. Their primary weapon, GenieLocker, is a custom Windows-based encryption tool. Unlike commodity ransomware variants (like LockBit or Conti) which are widely distributed and well-documented, GenieLocker is a bespoke strain developed specifically for Bearlyfy's operations.
Key Technical Details:
- Malware Type: Custom Windows encryption-based ransomware.
- Targeting: Focused on Russian businesses, but the methodology (custom encryption tools) poses a risk to any organization.
- Severity: High. The group aims for maximum damage, implying potential data destruction rather than just encryption for extortion.
- Detection Challenge: As a custom strain, GenieLocker may not have immediate IoCs (Indicators of Compromise) available in commercial threat feeds upon initial deployment. This necessitates a focus on behavioral analysis and anomaly detection rather than static signatures.
Defensive Monitoring
Because GenieLocker is custom malware, defenders must rely on detecting the behavior of ransomware—specifically, the rapid encryption of files—rather than waiting for a specific file signature.
KQL Queries for Microsoft Sentinel/Defender
The following KQL query helps detect potential ransomware activity by identifying a sudden spike in file modifications or creations with changed extensions, a common behavior of encryption tools like GenieLocker.
DeviceFileEvents
| where Timestamp > ago(1h)
| where ActionType in ("FileCreated", "FileModified")
| extend FileExtension = tostring(parse_path(FileName, "Extension"))
// Detect if files are being renamed or modified rapidly
| summarize Count = count(), DistinctExtensions = dcount(FileExtension) by DeviceName, bin(Timestamp, 5m)
| where Count > 50 // Threshold for rapid file changes
| project DeviceName, Timestamp, Count, DistinctExtensions
| order by Timestamp desc
To further investigate, you can look for specific processes that are spawning these file changes. This query identifies processes interacting with a high volume of files, which is suspicious for ransomware.
DeviceProcessEvents
| join kind=inner (
DeviceFileEvents
| where Timestamp > ago(1h)
| summarize FileCount = count() by DeviceId, InitiatingProcessFileName, bin(Timestamp, 5m)
| where FileCount > 30
) on DeviceId
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileCount
PowerShell Verification Script
Use this PowerShell script to audit systems for signs of mass file encryption, such as the presence of ransom notes or bulk file extension changes in user directories.
# Script to check for mass file extension changes (ransomware artifact)
$TargetDrive = "C:\"
$UserDirs = @("Users\*\Documents", "Users\*\Desktop", "Users\*\Pictures")
Write-Host "Scanning for potential encryption artifacts..." -ForegroundColor Cyan
foreach ($Dir in $UserDirs) {
$Path = Join-Path -Path $TargetDrive -ChildPath $Dir
if (Test-Path $Path) {
# Group files by extension, look for unusual non-standard extensions or massive counts
$Extensions = Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue |
Group-Object Extension |
Where-Object { $_.Count -gt 10 -and $_.Name -notin (".txt", ".lnk", ".docx", ".xlsx", ".pdf") }
if ($Extensions) {
Write-Host "Suspicious file activity found in: $Path" -ForegroundColor Yellow
$Extensions | Select-Object Name, Count | Format-Table -AutoSize
}
}
}
Remediation
To defend against custom ransomware strains like GenieLocker and other destructive threats, organizations must adopt a defense-in-depth strategy.
1. Implement Application Allowlisting (App Control) Since custom malware often relies on executing unknown binaries in user directories or temporary folders, strict allowlisting policies (such as Windows Defender Application Control - WDAC) should be enforced. Ensure that only signed and approved applications can run in sensitive environments.
2. Restrict User Privileges (Least Privilege) GenieLocker requires permissions to modify files to encrypt them. Ensure users do not have local admin rights and strictly limit write access to critical network shares. If a compromised account cannot write to a file server, the ransomware cannot encrypt it.
3. Harden Remote Access Protocols Many ransomware attacks, including those by hacktivist groups, begin with the compromise of external-facing services like VPNs or RDP. Enforce MFA aggressively and place remote access infrastructure behind a Zero Trust Network Access (ZTNA) gateway.
4. Enable Ransomware Protection in Windows Defender Ensure "Controlled folder access" is enabled across endpoints. This feature prevents untrusted applications from writing to protected folders (Documents, Desktop, Pictures, etc.), which neutralizes many encryption attempts.
5. Offline Backups and Recovery Drills The ultimate remediation for destructive incidents is a reliable restore. Maintain immutable, offline backups. Regularly test your restoration procedures to ensure your team can recover operations quickly without paying ransoms or losing data to destructive payloads.
Related Resources
Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.