Ransomware Group intelligence
Bavacai
ActiveTrack Bavacai with 16 published victims and 1 known leak locations in a single intelligence view.
Overview
Bavacai is tracked by Breach House as a ransomware group with 16 published victims.
United States is currently the most targeted country in this dataset.
1 known leak locations are currently associated with this group.
Top Countries
Interactive distribution based on the currently visible victims list.
Known Leak Locations (1)
| Label | Type | Availability | Links |
|---|---|---|---|
| Leak location 1 | Onion service | Unknown | t33zoj4qwv455fog7qnb2azi5xcdxkixughmmduzbw2rtdgryqfbh6id.onion |
Top Activity Sectors
No sector intelligence available.
Ransom Notes (0)
▼No ransom notes available for this group.
Tools Used
▼No tools used available.
YARA Rules (0)
▼No YARA rules available.
Indicators of Compromise (0)
▼No IoCs available for this group.
Negotiation Chats (0)
▼No negotiation chats available.
Research Sources
No external research sources linked yet.
Victims (16)
Search, filter and paginate the victim timeline for Bavacai. Showing 1–16 of 16.
| Type | Target | Discovered | Country | Business Category | Intel Link |
|---|---|---|---|---|---|
| Ransomware | Elken Sdn Bhd id28830 View details | Malaysia | Retail / E-commerce | ||
|
Elken is a Malaysia-based direct-selling and e-commerce business headquartered in Subang Jaya, Selangor, with its website at elken.com. The company says it was founded in 1995 and focuses on enriching lives through quality products, innovation, and opportunities across its international operations. Public company profiles place it in the Electronic Shopping and Mail-Order Houses sector, reflecting its online retail and distribution activity. It was listed as a ransomware victim associated with Bavacai. |
|||||
| Ransomware | Bandeirante Supermercados id28831 View details | Brazil | Retail / E-commerce | ||
|
bandeirantesupermercados.com.br is the official website of Bandeirante Supermercados, a Brazilian supermarket chain based in São Paulo state. The site presents store information, opening hours, promotional offers, online shopping access, and links to the company’s e-commerce channel for home grocery purchases. Public company profiles indicate operations in Birigui and Araçatuba, with physical stores and digital retail services. It was listed as a ransomware victim associated with Bavacai. |
|||||
| Ransomware | Strategic Imports id28832 View details | Australia | Retail / E-commerce | ||
|
Strategic Imports is an Australian retail and e-commerce business operating in the consumer goods supply and online sales space. In Australia, retail and e-commerce companies commonly sell through digital storefronts and cross-border import channels to meet demand for online shopping. As a merchant in this sector, Strategic Imports would fit the profile of businesses handling product sourcing, fulfillment, and customer-facing commerce operations. It was listed as a ransomware victim associated with Bavacai. |
|||||
| Ransomware | Magnolia (Israel) id28833 View details | Israel | Retail / E-commerce | ||
|
magnolia-jewellery.com is the website of Magnolia Silver Jewellery Group, an Israel-based retailer of handcrafted designer jewelry with a principal location in Kfar Sava, Israel. Public company profiles describe Magnolia as a long-running jewelry business founded in 1996 that sells branded sterling silver jewelry through retail branches and kiosk locations, alongside its online presence. As a retail and e-commerce brand, it operates in a customer-facing sector where product presentation, fulfillment, and digital storefront performance are central to the business model. It was listed as a ransomware victim associated with Bavacai. |
|||||
| Ransomware | Trimble Inc / Gerrard Inc id28834 View details | United States | IT | ||
|
Trimble is a US-based technology company headquartered in Westminster, Colorado, that develops software, hardware, and services for industries including construction, geospatial, transportation, and related industrial workflows. Its offerings include system solutions such as GNSS receivers, optical devices, machine guidance systems, and widely used software and service platforms that connect physical and digital operations. The company presents itself as an industrial technology provider focused on helping customers keep work moving forward across connected ecosystems. trimble.com was listed as a ransomware victim associated with Bavacai. |
|||||
| Ransomware | Atencio Engineering id28835 View details | United States | Manufacturing / Engineering | ||
|
atencioengineering.com belongs to Atencio Engineering, Inc., a civil engineering firm based in Colorado City, Colorado, with a satellite office in Amalia, New Mexico. The company says its primary goal is to provide professional civil engineering services to small communities throughout southern Colorado and northern New Mexico, and it offers consulting engineering services through its site. Its business profile places it within the broader manufacturing and engineering ecosystem as an engineering services provider in the United States. It was listed as a ransomware victim associated with Bavacai. |
|||||
| Ransomware | SIT Group / Robusta id28836 View details | Italy | Manufacturing / Engineering | ||
|
sitgroup.it is the website of SIT Group, an Italian manufacturing and engineering company headquartered in Padua, Veneto. The group develops and manufactures measuring devices, meters, and control systems focused on safety, comfort, and performance for domestic gas appliances and related equipment. Its operations include production sites and research centers in Italy, reflecting a long-running industrial and technology-oriented business. The site was listed as a ransomware victim associated with Bavacai. |
|||||
| Ransomware | Desert Christian Schools (DCS) id28837 View details | United States | Education | ||
|
Desert Christian Schools (DCS) is a private Christian K-12 school in Lancaster, California, serving students in the Education sector. The school operates under desertchristian.com and is listed by the California Department of Education as a private K-12 school at 44662 15th St. West in Lancaster. Its own materials describe programs for children, youth, and adults in the Antelope Valley, and its academic profile notes high-school dual-credit partnerships. It was listed as a ransomware victim associated with Bavacai. |
|||||
| Ransomware | CourtSmart id28838 View details | United States | IT | ||
|
Courtsmart.com is the website of CourtSmart Inc., a Massachusetts-based IT company in North Chelmsford, US. The company provides enterprise audio and video recording, surveillance, and video conferencing solutions, with products used for courtroom proceedings and related recording needs. CourtSmart says its technology supports automated digital audio recording, video recording, public access, and evidence presentation. Its offerings are positioned for secure recording and communications environments across public-sector and commercial settings. The site was listed as a ransomware victim associated with Bavacai. |
|||||
| Ransomware | Hathcock (Personal) id28839 View details | Other | |||
|
Hathcock (Personal) is a personal-name entity tracked in ransomware-intelligence databases as part of the broader Other sector. Public listings do not identify a formal company profile, operating location beyond the available record, or a described product and service lineup, so the safest characterization is that it is an individually named victim entry rather than a clearly profiled business. In threat-intelligence catalogs, such entries are used to index claimed incidents and support monitoring of ransomware activity. It was listed as a ransomware victim associated with Bavacai. |
|||||
| Ransomware | ActionAid / TACOSA id28840 View details | United Kingdom | NGOs / Associations | ||
|
ActionAid is an international non-governmental organization headquartered in South Africa with operational hubs in Europe, including GB, dedicated to reducing poverty and promoting human rights worldwide. The organization works with over 15 million people across 45 countries, focusing on women's rights, climate justice, economic justice, and emergency response through local partner organizations. Its primary offerings include research on austerity impacts, advocacy against corporate capture of public funds, and programs supporting education and social protection for vulnerable communities. ActionAid was listed as a ransomware victim associated with the threat actor Bavacai. |
|||||
| Ransomware | Palmers Relocations id28841 View details | United Kingdom | Transportation / Travel / Logistics | ||
|
Palmers Relocations is an Australia-based transportation, travel, and logistics company that provides moving and storage services for households and businesses. Company listings describe local, interstate, and international relocations, with operations in Sydney and Melbourne and support for moves across Australia and overseas. It presents itself as a family-owned removals provider with end-to-end relocation solutions. Palmers Relocations was listed as a ransomware victim associated with Bavacai. |
|||||
| Ransomware | Académie de Montpellier / CSJM id28842 View details | France | Education | ||
|
ac-montpellier.fr is the official website of the Académie de Montpellier, the French education authority based in Montpellier, Occitanie, serving the Aude, Gard, Hérault, Lozère and Pyrénées-Orientales departments. It publishes academic guidance and school information for primary, middle and secondary education, along with programs, pedagogy resources, innovation initiatives and administrative notices. The site also provides contact details for the rectorate in Montpellier and information on international sections and admissions across the academy. In threat-intelligence listings, ac-montpellier.fr was recorded as a ransomware victim associated with Bavacai. |
|||||
| Ransomware | Colegio María Inmaculada (CMI) id28843 View details | Costa Rica | Education | ||
|
mariainmaculada.ed.cr belongs to Colegio María Inmaculada de Moravia, a private Catholic educational institution in Costa Rica. The school serves multiple formal education levels and says it follows the pedagogy and spirituality of the Franciscan Sisters of Mary Immaculate and Saint Francis of Assisi. Its site also references primary education services and school contact information in San José, indicating an active campus presence in the country. In threat-intelligence listings, mariainmaculada.ed.cr was listed as a ransomware victim associated with Bavacai. |
|||||
| Ransomware | CEAGESP / Netfeirasp id28844 View details | Brazil | Agriculture / Food | ||
|
netfeirasp.ceagesp refers to a Brazilian entity in the Agriculture / Food sector, identified by the CEAGESP-related domain and described in public indexing as part of Brazil’s produce wholesale market network. CEAGESP is Brazil’s main wholesale food supply operator in São Paulo, handling the distribution and commercialization of fresh produce and other agricultural goods for buyers across the market chain. As a catalog entry, netfeirasp.ceagesp points to an organization connected to Brazil’s food distribution infrastructure rather than a consumer brand. It was listed as a ransomware victim associated with Bavacai. |
|||||
| Ransomware | Raycolighting id28845 View details | United Kingdom | Manufacturing / Engineering | ||
|
Rayco Lighting is a distinguished wholesaler based in Los Angeles, California, specializing in top-tier lighting and LED equipment for the Manufacturing and Engineering sectors. The company stands at the forefront of innovation in the lighting industry, offering an expansive portfolio of top-tier products designed to meet diverse client needs. As a key player in the lighting distribution market, Rayco Lighting provides high-quality and sustainable solutions including lamps and lighting fittings. The entity was neutrally listed as a ransomware victim associated with the threat actor Bavacai. |
|||||