MEDUSA LOCKER (aka BAVACAI) is a ransomware operator currently active on public leak sites. Darkfield has indexed 4 public victims claimed by this operator between May 15, 2026 and May 20, 2026.
MedusaLocker (also identified under the alias BAVACAI) is a ransomware group first observed in May 2026, operating with a primary financial motivation consistent with contemporary cybercriminal ransomware operations. Due to the extremely limited public documentation available at this time, with only a single known victim on record and a very recent emergence date, comprehensive attribution, origin, and affiliation details cannot be responsibly stated without risking speculation beyond what is publicly confirmed by authoritative sources such as CISA, the FBI, or Mandiant.
It should be noted that a separate, well-documented ransomware family also named MedusaLocker has been publicly tracked since 2019 and operates under a Ransomware-as-a-Service model; whether this BAVACAI-aliased entity represents a rebrand, offshoot, or entirely distinct group sharing the name is not confirmed by available public intelligence.
Given the single known victim and the May 2026 first-observed date, this group should be considered an emerging or early-stage threat with minimal public threat intelligence footprint, and analysts are advised to treat any further characterization as preliminary pending additional reporting from law enforcement or the security research community. Monitoring for additional victim disclosures, leak site activity, and technical indicators will be necessary to develop a more complete operational profile.
How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.