Low Unverified

Colegio María Inmaculada Ransomware by Bavacai (May 2026)

Unverified dark web claim. This report is based on a post observed on a dark web forum. Yazoul Security has not independently verified the authenticity of this claim.

Leak Site Screenshot

Leak site post claiming Colegio María Inmaculada (CMI) data breach

Screenshot captured at time of discovery. Image blurred to protect victim PII.


Claim Summary

On May 5, 2026, the ransomware group Bavacai claimed responsibility for an alleged cyberattack against Colegio María Inmaculada (CMI), a Catholic school located in Moravia, Costa Rica. According to the group’s leak site post, the threat actor claims to have compromised multiple servers within the school’s network, including domain controllers, application servers, and HTTP servers. The post lists the domains cmi.local and mariainmaculada.ed.cr as impacted. The group has not disclosed the volume of data allegedly stolen. This report is based solely on the unverified claims published by Bavacai and has not been independently confirmed by Yazoul Security or any third-party incident response team.

Threat Actor Profile

Bavacai is a ransomware group with a limited public track record. As of this writing, there is no widely available research on their tactics, techniques, and procedures (TTPs). The group’s total known victim count remains unknown, and no public YARA rules or detection signatures have been released for their ransomware strain. Based on the limited information available, Bavacai appears to be a relatively new or low-profile actor. Their credibility is difficult to assess due to the absence of a verified history of successful attacks or data leaks. Ransomware groups with minimal track records often exaggerate claims to build notoriety or pressure victims into paying ransoms. Without independent verification, the authenticity of this claim should be treated with high skepticism.

Alleged Data Exposure

The leak site post claims that Bavacai gained access to the following servers within CMI’s network:

  • CMI-DC01 (likely a domain controller)
  • CMI-APP (application server)
  • CMI-HTTP2 (web server)
  • main-server1 and main-server2

The group has not provided any sample data, file listings, or evidence of exfiltration. Withholding data samples or proof-of-compromise files is a common tactic among low-credibility groups, since the resulting uncertainty is itself a source of pressure. It is possible that the group only gained limited access, or that the claim is entirely fabricated. The school’s primary domain mariainmaculada.ed.cr and internal domain cmi.local were both listed, suggesting the attacker may have had internal network visibility.

Potential Impact

If the claim is verified, the potential impact on Colegio María Inmaculada could include:

  • Disruption of academic and administrative operations due to compromised servers
  • Potential exposure of student, staff, and financial records
  • Loss of trust among parents, students, and the broader community
  • Regulatory scrutiny under Costa Rican data protection laws (Ley de Protección de la Persona frente al Tratamiento de sus Datos Personales)

However, given the lack of evidence, the actual impact may be minimal or nonexistent. The school should conduct a thorough internal investigation and engage a qualified incident response team to assess the validity of the claim.

What to Watch For

  • Monitor for any subsequent communications from Bavacai, including data samples or ransom demands
  • Check for unusual network activity, especially on domain controllers and application servers
  • Review access logs for unauthorized authentication attempts or lateral movement
  • Prepare for potential data leak postings if the group escalates pressure
  • Consider public disclosure obligations under Costa Rican law if data is confirmed compromised
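As an added illustration of the log review recommended above (example code written for this report, not Bavacai’s tooling or anything from CMI), the Python detector below replays constructed Windows Security logon events (EventID 4624 success, 4625 failure) in a JSON-lines shape and flags three patterns a defender would triage first: a burst of failures followed by a success, network or RDP logons to the domain controller from outside an assumed jump-host allowlist, and one source fanning out to several of the servers named in the post. The host names come from the leak site post; the IPs, user names, log format, allowlist and thresholds are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample events (not real CMI logs). type = Windows logon type:
# 3 = network (SMB/RPC), 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """
{"ts":"2026-05-04T22:01:10","host":"CMI-DC01","event":4625,"user":"admin","src":"10.10.5.77","type":3}
{"ts":"2026-05-04T22:01:12","host":"CMI-DC01","event":4625,"user":"admin","src":"10.10.5.77","type":3}
{"ts":"2026-05-04T22:01:15","host":"CMI-DC01","event":4625,"user":"admin","src":"10.10.5.77","type":3}
{"ts":"2026-05-04T22:01:19","host":"CMI-DC01","event":4625,"user":"admin","src":"10.10.5.77","type":3}
{"ts":"2026-05-04T22:01:23","host":"CMI-DC01","event":4625,"user":"admin","src":"10.10.5.77","type":3}
{"ts":"2026-05-04T22:01:30","host":"CMI-DC01","event":4624,"user":"admin","src":"10.10.5.77","type":3}
{"ts":"2026-05-04T22:05:02","host":"CMI-APP","event":4624,"user":"svc_backup","src":"10.10.0.5","type":3}
{"ts":"2026-05-04T22:07:44","host":"CMI-DC01","event":4624,"user":"jdoe","src":"10.10.5.77","type":10}
{"ts":"2026-05-04T22:09:00","host":"main-server1","event":4624,"user":"jdoe","src":"10.10.5.77","type":3}
{"ts":"2026-05-04T22:09:31","host":"CMI-HTTP2","event":4624,"user":"jdoe","src":"10.10.5.77","type":3}
"""

ADMIN_HOSTS = {"10.10.0.5"}  # assumed jump hosts permitted to manage the DC
FAIL_THRESHOLD = 5            # failures before a success becomes suspicious
FANOUT_THRESHOLD = 3          # distinct servers one source may touch before alerting

def parse_events(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def detect(events):
    """Return a list of alert tuples; the first element is the rule name."""
    alerts = []
    fails = defaultdict(int)          # (host, src, user) -> failures seen so far
    hosts_by_src = defaultdict(set)   # src -> servers it has logged on to
    for e in events:
        key = (e["host"], e["src"], e["user"])
        if e["event"] == 4625:
            fails[key] += 1
            continue
        if e["event"] != 4624:
            continue
        if fails[key] >= FAIL_THRESHOLD:
            alerts.append(("brute_force_success", e["host"], e["src"], e["user"]))
        if e["host"].upper().startswith("CMI-DC") and e["type"] in (3, 10) \
                and e["src"] not in ADMIN_HOSTS:
            alerts.append(("dc_logon_unexpected_source", e["host"], e["src"], e["user"]))
        hosts_by_src[e["src"]].add(e["host"])
    for src, hosts in hosts_by_src.items():
        if len(hosts) >= FANOUT_THRESHOLD:
            alerts.append(("lateral_movement_fanout", src, tuple(sorted(hosts))))
    return alerts

def run():
    return detect(parse_events(SAMPLE_LOG))

if __name__ == "__main__":
    for alert in run():
        print(alert)
```

In production the same rules would be fed from the DC’s forwarded Security log rather than an embedded sample, with the allowlist populated from the school’s actual administrative hosts.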

Disclaimer

This intelligence report is based solely on unverified claims published by the ransomware group Bavacai on their leak site. Yazoul Security has not independently verified the accuracy, authenticity, or scope of the alleged attack. Ransomware groups frequently fabricate or exaggerate claims to coerce victims into paying ransoms. No data samples, download links, credentials, or .onion URLs are included in this report. Organizations should treat this information as unconfirmed and conduct their own due diligence before taking any action. For more information on ransomware threat intelligence, visit our intel page at /intel/.
