LIVE
LATEST THREAT: Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus THREAT ALERT ACTIVE
Intelligence DB / Group Profile Bavacai

Bavacai: The MedusaLocker Rebrand That Quietly Entered the Ransomware Top 10

Bavacai is the latest rebranding of the MedusaLocker ransomware family — and as of Q2 2026, it has joined the top 10 most active ransomware operations. This profile covers its attack chain, targeting patterns, and what makes it dangerous despite the familiar heritage.

By Ransomware Tracker ·
BavacaiMedusaLockerransomwarerebrandRDPdouble-extortionWindowssmall-medium-business
Threat Level
8/10
Sectors Targeted
healthcare
manufacturing
finance
transport
Ransomware Family
Bavacai

Overview

Bavacai is a ransomware operation built on the MedusaLocker codebase — a family that has been in continuous operation since 2019 and has generated more variant rebrandings than almost any other ransomware lineage. Alongside Nova (another MedusaLocker descendant that emerged in 2025), Bavacai entered the top 10 most active ransomware groups globally in Q1/Q2 2026, according to monitoring data from BlackFog and Cyble.

The MedusaLocker family is not notable for technical sophistication. What it is notable for is persistence, low barrier to deployment, and affiliates who have been running the playbook for years. Bavacai benefits from all of that operational experience while presenting a fresh brand that avoids the accumulated law enforcement attention on earlier MedusaLocker variant names.

Technical Profile

Bavacai is a Windows-targeted encryptor consistent with MedusaLocker’s core design:

Encryption: RSA-2048 for key protection, AES-256 for file encryption. Encrypted files receive a .bavacai extension. The ransom note (HOW_TO_RECOVER_DATA.html) is dropped in every encrypted directory.

Persistence: Registry run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run) and scheduled task creation to re-execute the encryptor if terminated before completion. Some samples also install a secondary persistence mechanism via the startup folder.

Defence evasion: Deletion of Volume Shadow Copies via vssadmin.exe delete shadows /all /quiet to prevent backup-based recovery. Termination of database services (SQL Server, MySQL, Oracle), backup agents (Veeam, Acronis, Backup Exec), and security tools before encryption begins.

Network propagation: Bavacai samples include SMB network propagation capability — the encryptor can traverse network shares and map drives, encrypting data accessible from the initially compromised endpoint. This capability significantly amplifies damage in environments with permissive lateral access to file servers.

Data exfiltration (pre-encryption): Like the broader MedusaLocker affiliate ecosystem, Bavacai operations typically include a pre-encryption exfiltration phase. rclone is the most commonly observed exfiltration tool, uploading to MEGA cloud storage. This data becomes leverage on the group’s leak site if ransoms are not paid.

Initial Access: RDP Brute Force at Scale

Bavacai affiliates rely overwhelmingly on RDP brute force as their primary initial access technique — a pattern consistent with MedusaLocker operations historically. Internet-exposed RDP endpoints with weak or reused credentials are scanned and attacked at scale, with access to successfully compromised accounts frequently purchased from initial access brokers who have already validated credentials.

The entry point profile is consistent: organisations that have not disabled or restricted RDP on internet-facing systems, or that have changed default port numbers without implementing compensating controls, are disproportionately represented in confirmed Bavacai victim lists.

From an RDP foothold, affiliates typically proceed through:

  • Local privilege escalation (commonly using well-known credential dumping to extract domain credentials)
  • Lateral movement to domain controllers and backup infrastructure
  • Exfiltration staging over 12-48 hours
  • Encryption payload deployment

The time from initial access to encryption in confirmed Bavacai incidents has ranged from under 12 hours to several days, depending on network complexity and whether affiliates encountered active defences.

Targeting

Bavacai does not appear to maintain explicit sector restrictions — a common MedusaLocker affiliate characteristic. Victims have included:

  • Healthcare: Dental and medical practices, regional hospitals, healthcare administration services
  • Manufacturing: Industrial suppliers, fabrication companies, SME manufacturers
  • Professional services: Legal practices, accountancy firms, consultancies
  • Transport and logistics: Freight operators, import/export businesses

The Australian automotive parts importer Strategic Imports appeared on Bavacai’s dark web leak site in Q2 2026, representing a confirmed example of the group’s geographic reach extending beyond North America into the Asia-Pacific region.

Unlike some ransomware operations, Bavacai does not appear to make systematic exclusions for geographic regions or sectors. Critical infrastructure adjacent organisations are not routinely listed in their confirmed victim base, but this appears to reflect targeting opportunism rather than deliberate exclusion.

Ransom Demands and Business Model

Bavacai operates a standard double-extortion model. Initial ransom demands in confirmed cases have ranged from approximately $25,000 for small businesses to $200,000 for mid-market organisations. Like most MedusaLocker-heritage operations, Bavacai affiliates have demonstrated willingness to negotiate and often settle for substantially less than the initial demand.

Data exfiltrated during pre-encryption operations is threatened for publication on the group’s Tor-hosted leak site if payment is not made within the specified deadline (typically 72-96 hours for first contact, extending to 7-10 days for negotiation). Confirmed cases suggest a payment rate consistent with the broader ransomware market — roughly 30-40% of victims pay.

Relationship to MedusaLocker Ecosystem

MedusaLocker is not a single ransomware group — it is a codebase with a permissive affiliate model that has generated dozens of distinct operational variants over six years. Some, like PhobosImpactor and Elbie, remained relatively obscure. Others, like MEDUSALOCKER itself and ReadText, achieved notable scale before being disrupted or rebranded. Bavacai and Nova represent the current generation of that lineage.

This persistence-through-rebranding is structurally significant. When law enforcement disrupts or gains attention on one variant, affiliates simply shift to a renamed operation using the same codebase, infrastructure patterns, and victim contact methods. There is no central organisation to disrupt — the code is available to anyone willing to pay for affiliate access, and the operational knowledge is distributed across dozens of experienced affiliates.

Defensive Recommendations

Given Bavacai’s reliance on RDP brute force as the primary initial access vector, the most impactful defensive actions are straightforward:

  • Disable direct internet-facing RDP. If remote desktop access is required, place it behind a VPN or a jump server with MFA. RDP should never be directly reachable from the public internet.
  • Enforce MFA for all remote access. Credential brute force attacks are neutralised by MFA. This is the single most effective control against this family of threats.
  • Monitor for mass authentication failures. Brute force at scale generates observable authentication failure volumes. Set alerts for sustained failed login attempts against domain accounts.
  • Restrict lateral RDP access. Internal RDP between workstations and servers should follow least-privilege principles. If a compromised endpoint can RDP to domain controllers, the blast radius of any intrusion is near-total.
  • Protect backup systems from the same network. Bavacai affiliates specifically target backup infrastructure before triggering encryption. Offline or immutable backups are essential.

The MedusaLocker lineage will continue to generate new variants. The attackers are experienced, the code is proven, and the business model works. Bavacai will eventually be replaced by the next rebrand. The defensive controls that neutralise it will remain the same.

// Related Intelligence
Group Profile

Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus

Group Profile

Underground Ransomware: Group Profile

Group Profile

Termite Ransomware: Group Profile, Babuk Origins, and High-Impact Supply Chain Targeting