Bavacai

Bavacai is the rebranded name of the MedusaLocker ransomware-as-a-service group, entering the Bitdefender ransomware top ten in June 2026.

Last refreshed: 14 June 2026

Key Question

Why do ransomware groups rebrand rather than shut down, and does the new name change the threat?

Timeline for Bavacai

#77 Jun

Entered the ransomware top ten under the Bavacai name following MedusaLocker's rebrand

Cybersecurity: Threats and Defences: Crews now cross-claim each rival victim
Common Questions

Is Bavacai the same as MedusaLocker ransomware?
Yes. Bavacai is a rebrand of MedusaLocker, confirmed in Bitdefender's June 2026 Threat Debrief. The underlying infrastructure and TTPs are believed to be a continuation of the MedusaLocker operation.
Source: Bitdefender Threat Debrief June 2026

Why do ransomware groups change their name?
Rebranding lets groups reset their reputation in threat-intelligence databases, avoid law-enforcement attention linked to the old name, and recruit fresh affiliates who are wary of high-profile brands.
Source: Bitdefender Threat Debrief June 2026

What sectors does Bavacai target?
Bavacai's predecessor MedusaLocker was known for targeting healthcare, manufacturing, and education. Bitdefender's May 2026 data showed construction overtaking manufacturing as the most-targeted sector overall.
Source: Bitdefender Threat Debrief June 2026

Background

Bavacai is the rebranded operating identity of the MedusaLocker ransomware-as-a-service (RaaS) group, which entered Bitdefender's ransomware top ten for May 2026 under the new name. MedusaLocker had operated since at least 2019 as a mid-tier RaaS platform known for targeting healthcare, manufacturing, and education sectors. The rebrand follows a pattern common in the RaaS ecosystem: groups adopt new names to distance themselves from law-enforcement scrutiny, disrupt threat-intelligence tracking, and attract affiliates who avoid programmes with high visibility.

Bitdefender's June 2026 debrief, which tracked 714 May victims across major leak sites, recorded Bavacai's top-ten entry alongside the exits of KryBit and ShinyHunters following law-enforcement pressure. The debrief also documented a broader structural shift in which affiliates move freely between RaaS programmes and cross-claim victims posted by rival crews, a dynamic that makes tracking rebranded groups like Bavacai inherently difficult. Bavacai is the entity listed on leak-site posts; the underlying infrastructure is believed to be a continuation of MedusaLocker's.

For defenders, Bavacai's indicators of compromise and TTPs (tactics, techniques and procedures) align closely with legacy MedusaLocker campaigns. Organisations that have previously faced MedusaLocker targeting should treat Bavacai as the same operational threat under a different name, without assuming a change in capability or sector focus.