
Bavaqai

Threat-actor battle card · maintained from public sources · last updated 2026-06-23 · also known as BAVACAI (variant spelling in CYFIRMA reporting)

Category: Ransomware
Attribution: Unknown
First seen: 2026-05
Status: Active
Primary targets: Education, Legal, Manufacturing, Retail, Logistics, Nonprofit; US, Brazil, France, Australia, Italy, Israel, Malaysia

Overview

Bavaqai is an emerging ransomware group that debuted in the global top-seven in May 2026 with 25 claimed victims — matching SafePay's debut count in the same month. Two new groups posting identical victim totals in a single month is unusual; Bavaqai's rapid appearance alongside SafePay and Nova suggests a wave of new operators capitalising on the operational vacuum left by RansomHub's disruption and LockBit's rebuild. Its DLS (data-leak site) posts victims across six countries, with the US as the primary target.

Attribution is unknown. No CIS-exclusion kill-switch or recognizable lineage has been confirmed in public reporting.

Tradecraft

  • Persistence: autorun registry key under CurrentVersion\Run to survive reboots.
  • Execution: cmd.exe for scripted infection and control commands.
  • Impact: terminates SQL and related database services (via taskkill / net stop) to unlock locked files before encryption.
  • Ransom note: read_to_decrypt_files.html dropped across directories post-encryption.
  • Extortion model: double-extortion (encrypt + DLS publication); negotiation range reported at $10,000–$80,000.
  • Initial access vector: not publicly confirmed.
  • Encryption algorithm: not publicly confirmed.

Notable victims

Victims from May 2026 DLS posts (Breachsense May 2026 report):
  • mariainmaculada.ed.cr — education/Costa Rica
  • courtsmart.com — legal tech/US
  • desertchristian.com — education/US
  • elken.com — direct sales/Malaysia
  • karneslegal.com — legal/US

Assessment

Bavaqai's rapid debut at 25 victims in its first observed month places it firmly in the emerging-operator tier. Technical detail remains thin — no authoritative malware analysis from CISA, FBI, or major threat intel vendors has been published as of this card's creation. The $10k–$80k ransom range and multi-sector targeting suggest opportunistic targeting rather than a vertically specialized operation. Monitor CYFIRMA, Breachsense, and ransomware.live for the group's June 2026 victim tally and any technical disclosures; promote to Tier-1 with confirmed L3M counts once June figures publish.

Sources

๐Ÿ—‚๏ธ Attacks & victims

All disclosed victims attributed to this actor, newest first.

No attacks recorded yet.


โ† All threat actors ยท Full victim database โ†’