
MedusaLocker
MedusaLocker is a ransomware-as-a-service group that rebranded as Bavacai in mid-2026, entering the Bitdefender ransomware top ten under the new name.
Last refreshed: 14 June 2026
Is MedusaLocker still active under its new Bavacai identity?
Timeline for MedusaLocker
Rebranded as Bavacai and entered the ransomware top ten
Cybersecurity: Threats and Defences: Crews now cross-claim each rival victim
- What is MedusaLocker ransomware?
- MedusaLocker is a ransomware-as-a-service operation active since around 2019, known for targeting healthcare and legal firms. It rebranded as Bavacai in mid-2026. Source: Bitdefender June 2026 threat debrief
- Did MedusaLocker rebrand to Bavacai?
- Yes. MedusaLocker rebranded as Bavacai in mid-2026 and immediately entered Bitdefender's ransomware top ten under the new name, retaining its existing infrastructure. Source: Bitdefender June 2026 threat debrief
- How does MedusaLocker encrypt victim files?
- MedusaLocker uses AES-256 for file encryption combined with RSA-2048 to protect the encryption key, a pairing common across mid-tier RaaS platforms. Source: Threat intelligence reporting
- Why do ransomware groups rebrand?
- Rebranding lets crews shed law-enforcement scrutiny and evade brand-level threat intelligence blocklists without rebuilding their technical infrastructure or affiliate networks. Source: event
Background
MedusaLocker operated as a ransomware-as-a-service platform for several years before rebranding as Bavacai in mid-2026 and entering Bitdefender's monthly threat top ten under the new name. The rebrand arrived alongside a structural shift in the criminal market: affiliates now move freely between competing RaaS programmes and cross-claim victims already posted by rival crews, eroding the brand loyalty that once kept crews stable. MedusaLocker's infrastructure and affiliate model survived the name change intact, which is why the new identity appeared in the rankings immediately rather than building from scratch.
MedusaLocker first emerged around 2019 and was characterised by a relatively low barrier to affiliate entry, use of AES-256 and RSA-2048 encryption, and targets concentrated in healthcare and legal services. The crew is not attributed to a specific nation-state and has operated across jurisdictions. Its longevity before rebranding reflects the broader pattern of ransomware operators cycling identities to shed law-enforcement scrutiny while preserving the technical infrastructure.
The rebrand-as-renewal tactic matters beyond this single crew: it is now the principal mechanism by which established RaaS operations evade brand-level threat intelligence blocklists without rebuilding tooling. Defenders tracking MedusaLocker by name alone will miss Bavacai activity unless they correlate on TTPs and infrastructure rather than group names.
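
The point about correlating on TTPs and infrastructure rather than group names, as an added example that is not from the original page or from Bitdefender: a name blocklist misses the relabelled incident, while an overlap score links it. The profile contents, incident records, weights and threshold are all constructed assumptions.

```python
"""Link incidents to a tracked operation by overlap, not by group name."""

# Constructed sample data: technique IDs and infrastructure values are
# placeholders for illustration, not indicators from any report.
PROFILES = {
    "MedusaLocker": {
        "ttps": {"T1486", "T1490", "T1021.001", "T1078"},
        "infra": {"198.51.100.7", "203.0.113.22", "pay.example.invalid"},
    },
}
INCIDENTS = [
    {   # new label, mostly reused infrastructure
        "id": "inc-1", "label": "Bavacai",
        "ttps": {"T1486", "T1490", "T1021.001", "T1078", "T1059.001"},
        "infra": {"198.51.100.7", "203.0.113.22", "192.0.2.90"},
    },
    {   # same generic ransomware techniques, unrelated infrastructure
        "id": "inc-2", "label": "unknown",
        "ttps": {"T1486", "T1490", "T1021.001", "T1078"},
        "infra": {"192.0.2.55"},
    },
]

def jaccard(a, b):
    """Set overlap in [0, 1]; 0.0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def name_match(incident, blocklist):
    """Brand-level matching: only fires when the label is already listed."""
    return incident["label"] in blocklist

def correlate(incident, profiles, w_infra=0.6, w_ttp=0.4, threshold=0.5):
    """Return [(profile, score)] at or above threshold, best first.

    Weights and threshold are assumed values. Infrastructure is weighted
    above TTPs because many crews share the same techniques.
    """
    hits = []
    for name, p in profiles.items():
        score = (w_infra * jaccard(incident["infra"], p["infra"])
                 + w_ttp * jaccard(incident["ttps"], p["ttps"]))
        if score >= threshold:
            hits.append((name, round(score, 2)))
    return sorted(hits, key=lambda h: h[1], reverse=True)

if __name__ == "__main__":
    for inc in INCIDENTS:
        print(inc["id"], inc["label"], name_match(inc, set(PROFILES)), correlate(inc, PROFILES))
```

The second incident shares every technique with the profile but no infrastructure, so it stays unlinked: technique overlap alone is too common across ransomware crews to attribute on.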