Security Briefing March 30, 2026 · 8 min read

Pro-Ukraine Bearlyfy Deploys Custom GenieLocker Ransomware Against Russia, LeakBase Admin Arrested, EU Parliament Kills CSAM Scanning

Pro-Ukraine hacker group Bearlyfy evolves from script-kiddie origins to deploying custom GenieLocker ransomware against major Russian enterprises. Russia arrests the alleged administrator of the LeakBase cybercrime forum weeks after a global takedown. The European Parliament votes down CSAM scanning extension in a landmark privacy decision. The Dutch Finance Ministry investigates unauthorized access to internal systems. Spain's Port of Vigo is forced to manual operations after ransomware strikes cargo systems.


1. Bearlyfy Deploys Custom GenieLocker Ransomware — 70+ Attacks on Russian Companies

⚠ CRITICAL — Escalating Hacktivist Ransomware Campaign

Pro-Ukrainian hacker group Bearlyfy has carried out over 70 cyberattacks on Russian companies in one year, with ransom demands escalating from thousands to hundreds of thousands of dollars. The group now deploys custom-built ransomware called GenieLocker.

A pro-Ukrainian hacking group known as Bearlyfy has transformed from a low-skill operation targeting small Russian businesses into what Russian cybersecurity firm F6 calls "a real nightmare for large Russian businesses." First appearing in January 2025, the group has carried out more than 70 cyberattacks against Russian targets in just over a year.

Custom Malware Development

Since early March 2026, Bearlyfy has deployed GenieLocker, a custom-built Windows ransomware strain believed to be developed entirely by the group itself. This marks a significant evolution from their earlier reliance on leaked tools like LockBit 3 Black (from the 2022 LockBit builder leak) and modified Babuk ransomware for Linux targets.

Unlike typical ransomware operations, GenieLocker doesn't always auto-generate ransom notes. Attackers sometimes craft messages manually — ranging from terse instructions with contact details to mocking taunts directed at victims.

Operational Profile

Strategic Context

Bearlyfy represents a growing trend of politically motivated ransomware operations emerging from the Russia-Ukraine conflict. The group's rapid evolution — from amateur script-kiddie operations to custom malware development in just one year — demonstrates how wartime conditions accelerate threat actor maturation.


2. Russia Arrests Alleged LeakBase Cybercrime Forum Administrator

🔶 HIGH — Major Cybercrime Forum Takedown

Russian police have detained a suspected administrator of LeakBase, a major marketplace for stolen data with 147,000+ registered users, weeks after a coordinated FBI-European takedown operation.

Russia's Interior Ministry announced the arrest of a Taganrog resident suspected of running LeakBase, one of the largest online marketplaces for stolen personal data. The forum hosted hundreds of millions of compromised user records including banking information, login credentials, and corporate documents.

Timeline and Coordination

The arrest follows a coordinated international operation earlier this month in which the FBI and European partners conducted more than 100 law enforcement actions against 45 individuals across more than a dozen countries. Several LeakBase domains were seized and redirected to FBI-controlled servers.

Key Details

Significance

The arrest is notable because Russia rarely cooperates with Western cybercrime investigations — Europol suspended cooperation after the 2022 invasion of Ukraine. Whether Russian authorities coordinated with Western law enforcement or acted independently remains unclear. The forum's rule banning Russian data sales suggests the admin may have believed this would provide domestic protection — a calculation that proved wrong.


3. EU Parliament Rejects CSAM Scanning Extension — Landmark Privacy Decision

📡 Policy & Regulation — EU Digital Rights

The European Parliament voted 311 against extending rules that have allowed tech companies to scan their platforms for child sexual abuse material (CSAM) for nearly two decades. The current law, which exempts platforms from strict EU privacy rules to enable scanning, expires next week.

Privacy vs. Child Protection

The vote came despite intense lobbying from law enforcement (Europol), children's rights organizations, German Chancellor Friedrich Merz, several European commissioners, and major tech companies including Google, Snapchat, Microsoft, TikTok, and Meta.

Digital rights group eDRI's Ella Jakubowska defended the vote: "This is actually just enabling big tech companies to scan all of our private messages, our most intimate details. It's not targeted against people suspected of child abuse — it's just targeting everyone, potentially all of the time."

Operational Impact

What Happens Next

When the current rules lapse next Friday, tech platforms will no longer have legal cover to scan for CSAM in interpersonal communications within the EU. This creates a significant gap in child protection capabilities while Parliament continues negotiating a permanent framework that balances privacy with safety.


4. Dutch Finance Ministry Investigates Breach of Internal Systems

🔶 HIGH — Government Infrastructure Compromised

The Dutch Ministry of Finance has confirmed unauthorized access to internal systems, part of a wave of cyberattacks hitting Dutch organizations in 2026.

The Netherlands Ministry of Finance is investigating a cyberattack that compromised internal systems, discovered after a third-party alert flagged suspicious activity. Affected systems were identified and taken offline, but the scope of potential data exposure remains under investigation.

Context: Dutch Cyber Siege

The breach is the latest in a troubling pattern targeting Dutch institutions in 2026:

Response Status


5. Ransomware Forces Spain's Port of Vigo to Manual Operations

⚠ CRITICAL — Maritime Critical Infrastructure Attack

A ransomware attack has knocked digital cargo management systems offline at Spain's Port of Vigo, forcing manual operations at one of Europe's largest fishing ports.

A ransomware attack detected early Tuesday has disrupted digital systems at Spain's Port of Vigo, one of Europe's major fishing and cargo ports in the Galicia region. The attack targeted servers managing cargo traffic and digital services, locking equipment and demanding a ransom payment.

Operational Impact

While physical operations — ship movements and cargo handling — continue, all logistics coordination normally managed through digital platforms has been disrupted. Operators have been instructed to fall back on manual procedures and paper documentation.

Port president Carlos Botana took a firm stance: "We will not restore connections until there are absolute guarantees that there is no possibility of another attack." No timeline for restoration has been provided.

Maritime Sector Under Siege

The attack continues a pattern of ransomware targeting maritime critical infrastructure:

Defensive Guidance for Maritime Organizations


Threat Landscape Summary

ThreatSeverityAction Required
Bearlyfy GenieLocker ransomwareCRITICALRussian-facing orgs: heighten ransomware defenses
LeakBase admin arrestedPOSITIVECheck credential exposure via LeakBase datasets
EU CSAM scanning votePOLICYTech platforms: review CSAM detection legal posture
Dutch Finance Ministry breachHIGHDutch partners: verify no shared infrastructure exposure
Port of Vigo ransomwareCRITICALMaritime orgs: review OT/IT segmentation and fallbacks

Stay Ahead of the Threat Curve

Daily intelligence briefings, real-world attack analysis, and actionable defensive guidance.

Explore KENSAI

— KENSAI Security Intelligence · Published March 30, 2026

Related Articles

KENSAI vs Aikido Security: Le... Redirecting... Redirecting...