Ransomware Group intelligence

Bavacai

Active

Track Bavacai with 16 published victims and 1 known leak locations in a single intelligence view.

Victims 16 Known published victims in this dataset

First discovered 2026-05-05 Earliest victim discovery date

Last discovered 2026-05-05 Latest victim discovery date

Inactive since 29 days Days since the latest known victim

Top country United States 4 victims

Known locations 1 Leak or negotiation infrastructure tracked

Bavacai is tracked by Breach House as a ransomware group with 16 published victims.

United States is currently the most targeted country in this dataset.

1 known leak locations are currently associated with this group.

Top Countries

Distribution

Label	Type	Availability	Links
Leak location 1	Onion service	Unknown	`t33zoj4qwv455fog7qnb2azi5xcdxkixughmmduzbw2rtdgryqfbh6id.onion`

No sector intelligence available.

Ransom Notes (0)

▼

No ransom notes available for this group.

Tools Used

▼

No tools used available.

YARA Rules (0)

▼

No YARA rules available.

Indicators of Compromise (0)

▼

No IoCs available for this group.

Negotiation Chats (0)

▼

No negotiation chats available.

No external research sources linked yet.

Victims (16)

Search, filter and paginate the victim timeline for Bavacai.

Type	Target	Discovered	Country	Business Category
Ransomware	Elken Sdn Bhd id28830 View details	2026-05-05	Malaysia	Retail / E-commerce
MLM / health & beauty products company. ~16k emails extracted. ID 28830
Ransomware	Bandeirante Supermercados id28831 View details	2026-05-05	Brazil	Retail / E-commerce
Brazilian supermarket chain. ID 28831
Ransomware	Strategic Imports id28832 View details	2026-05-05	Australia	Retail / E-commerce
Australian auto parts/batteries importer. Brands: Strategic Imports, Auto Parts Now, Discount Batteries Now. User: bstuart (Brad Stuart). QNAP NAS (CACHEDEV1_DATA). ID 28832
Ransomware	Magnolia (Israel) id28833 View details	2026-05-05	Israel	Retail / E-commerce
Israeli jewelry company. Silver & accessories, participates in Vicenza jewelry fair (2025/2026). Sells via buyme.co.il gift cards. ~38k files, invoices in Hebrew (SI/IN/OV prefix). ID 28833
Ransomware	Trimble Inc / Gerrard Inc id28834 View details	2026-05-05	United States	IT
Technology company Trimble (trimble.com) and Gerrard Inc (gerrardinc.com). ~18 Trimble email addresses. ID 28834
Ransomware	Atencio Engineering id28835 View details	2026-05-05	United States	Manufacturing / Engineering
Civil engineering & land surveying firm. Services: site plans, boundary surveys, OWTS (septic) design, fire line design, elevation certificates, flood plain analysis. Clients in Las Animas County, Pueblo County, Florence CO area. ID 28835
Ransomware	SIT Group / Robusta id28836 View details	2026-05-05	Italy	Manufacturing / Engineering
Italian company SIT Group (sitgroup.it) and Bulgarian Robusta (robusta.bg). Also abv.bg emails. ID 28836
Ransomware	Desert Christian Schools (DCS) id28837 View details	2026-05-05	United States	Education
K-12 Christian school affiliated with First Baptist Church of Lancaster, CA. ADP payroll, DCFS childcare program, City of Lancaster Water Safety program. Financial docs: P&L, Balance Sheet, Trial Balance, 1099s. School Board minutes 2025. ID 28837
Ransomware	CourtSmart id28838 View details	2026-05-05	United States	IT
Court technology company. Domain courtsmart.com / COURTSMART2. Dev server: dev-rich20.courtsmart.com. Connections to JIS.org, nashville.org. ID 28838
Ransomware	Hathcock (Personal) id28839 View details	2026-05-05		Other
Personal comprehensive reports. Individuals: Noel Ray Hathcock, Trinity John Hathcock. ID 28839
Ransomware	ActionAid / TACOSA id28840 View details	2026-05-05	United Kingdom	NGOs / Associations
NGO sector. Domains: actionaid.org, tacosa.org.za, immigration.go.tz. ID 28840
Ransomware	Palmers Relocations id28841 View details	2026-05-05	United Kingdom	Transportation / Travel / Logistics
Australian international removals & relocation company. FIDI accredited, ISO 9001:2015 certified. Services: household moves, storage, customs, immigration (IMMI/VEVO). Operates Melbourne area (Pascoe Vale, Dandenong, Caulfield). ID 28841
Ransomware	Académie de Montpellier / CSJM id28842 View details	2026-05-05	France	Education
French public school network. Domain CSJM.BEZIERS, part of Académie de Montpellier (ac-montpellier.fr). Occitanie region (laregion.fr). Teacher and admin staff credentials. ID 28842
Ransomware	Colegio María Inmaculada (CMI) id28843 View details	2026-05-05	Costa Rica	Education
Catholic school in Moravia, Costa Rica. Domain cmi.local / mariainmaculada.ed.cr. Servers: CMI-DC01, CMI-APP, CMI-HTTP2, main-server1/2. ID 28843
Ransomware	CEAGESP / Netfeirasp id28844 View details	2026-05-05	Brazil	Agriculture / Food
Brazilian produce wholesale market network. Domain netfeirasp.ceagesp (CEAGESP). Also demarchibrasil.com.br accounts. ID 28844
Ransomware	Raycolighting id28845 View details	2026-05-05	United Kingdom	Manufacturing / Engineering
Organization with 2 emails extracted. Domain: raycolighting.com ID 28845

Bavacai

Overview

Top Countries

Known Leak Locations (1)

Top Activity Sectors