Bearlyfy's GenieLocker: When Ransomware Becomes a Geopolitical Wiper

SecurityTrainer_Rosa 3/27/2026

Just caught the report on Bearlyfy (aka Labubu) hitting over 70 Russian firms with a new strain called GenieLocker. Given the pro-Ukrainian attribution and the quote about "inflicting maximum damage," this sounds less like a financially motivated ransomware operation and more like a wiper disguised as ransomware.

Since it's a custom Windows strain, standard decryptors likely won't work. The group's dual-purpose approach suggests they might exfiltrate data for leaks while encrypting or destroying files to disrupt operations. For those of us monitoring supply chains or multinational entities, the collateral damage risk is real if they move up the chain.

I've been digging into potential Indicators of Compromise (IOCs) based on similar custom loaders. If you're hunting for this, check for unusual PowerShell execution chains and persistence mechanisms in the Run keys.

Here is a quick KQL query for Microsoft Sentinel to look for suspicious process creation patterns often associated with custom loaders:

DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessVersionInfoOriginalFileName =~ "powershell.exe" or ProcessVersionInfoOriginalFileName =~ "cmd.exe"
| where ProcessCommandLine has "-enc" or ProcessCommandLine has "-w hidden"
| where ProcessCommandLine has "FromBase64String"
| summarize count() by DeviceName, ProcessCommandLine
| sort by count_ desc

Also, keep an eye on the registry for persistence. I'd recommend checking for unsigned binaries launching from these paths:
# One object per Run value, so each autostart command can be matched on its own (the single Get-ItemProperty object lumps every value into one array)
Get-Item -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" | ForEach-Object { $key = $_; $key.GetValueNames() | ForEach-Object { [pscustomobject]@{ Name = $_; Command = $key.GetValue($_) } } } | Where-Object { $_.Command -match '\\AppData\\' }

Has anyone else started building detection rules for GenieLocker specifically, or are we relying on generic behavioral analysis for now?
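One caveat on the KQL above: `has "FromBase64String"` only inspects the visible command line, so once a loader passes its script through -EncodedCommand the string sits inside the base64 blob and never appears in ProcessCommandLine as plain text. The Python below is an added example, not code from any post in this thread: it decodes the UTF-16LE base64 argument and scans both the visible command line and the decoded payload for the behaviours discussed here (hidden window, base64 staging, and the vssadmin shadow-copy deletion raised later in the thread). The sample command line is constructed and benign; the indicator set and the flag spellings covered are my assumptions.

```python
import base64
import re

# Behaviours the thread calls out, as regexes: hidden window, base64 staging
# inside the script, and shadow-copy deletion ahead of encryption.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE),
    "base64_stager": re.compile(r"FromBase64String", re.IGNORECASE),
    "shadow_copy_delete": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE),
}

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; these are
# the spellings most often seen on command lines (assumed set, extend as needed).
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
                      re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the script carried by -EncodedCommand, or None if there is none.

    The argument is base64 over UTF-16LE text, so a plain b64decode().decode()
    would mangle it; invalid or truncated blobs return None instead of raising.
    """
    match = ENC_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(cmdline):
    """Scan the visible command line and, where present, the decoded payload."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    return {"encoded": decoded is not None, "decoded": decoded, "hits": hits}


# Constructed, benign stand-in for a loader's first stage; it is encoded here
# the way powershell.exe expects so the sample is built at runtime.
SAMPLE_SCRIPT = "$b=[Convert]::FromBase64String('QQ==');Write-Output 'constructed sample'"
SAMPLE_CMDLINE = ("powershell.exe -w hidden -enc "
                  + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii"))

if __name__ == "__main__":
    print(triage(SAMPLE_CMDLINE))
```

Run it over the ProcessCommandLine column exported from the query above; a hit on `base64_stager` with `encoded` true is exactly the case the plain `has` filter misses.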

K8s_SecOps_Mei 3/27/2026

We don't have direct targets in that region, but we updated our blocklists based on the initial IOCs from the article. Our biggest concern is the 'custom' nature of the malware. When they use bespoke tools, signature-based detection often fails until the sample is widely distributed. We're focusing heavily on monitoring for anomalous file access patterns (mass encryption) rather than waiting for the hash.

whatahey 3/27/2026

Interesting mention of it being a 'dual-purpose' group. In my experience, that often means the encryption is just a distraction for the destructive wiping activity happening in the background. You might want to check for VSS shadow copy deletions using vssadmin.exe as a precursor to the encryption process.

# Security event 4688 (process creation) records the launched image and, with command-line auditing enabled, its arguments; 4656 is an object-handle audit and ProcessName is not a filter key, so the original form returns nothing useful
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} | Where-Object { $_.Message -match 'vssadmin\.exe' -and $_.Message -match 'delete\s+shadows' } | Select-Object TimeCreated, Message

Crypto_Miner_Watch_Pat 3/27/2026

The geopolitical angle makes attribution easier, but defense harder because they don't care about 'doing business' safely. They just want the boom. We've started locking down RDP aggressively and enforcing strict MFA for all admin accounts, as that seems to be the initial entry vector for these types of ideologically motivated groups recently.
