Bavacai CTI Report
ID: 35d0362a-6451-448b-ac16-583e1faf7a8b
STIX ID: report--35d0362a-6451-448b-ac16-583e1faf7a8b
Threat Score
65/100
Technical reverse-engineering analysis of the BAVACAI Windows x64 ransomware. The sample encrypts files with ChaCha20 under RSA-2048-wrapped keys, appends a .BAVACAI extension, persists victim keys under HKLM\SOFTWARE\PAIDMEMES, drops a ransom note named WHATS_HAPPEND.txt (spelling as written by the sample), and exposes numerous fingerprintable artefacts (typos, a PDB path, hardcoded strings). The build contains no network exfiltration or lateral-movement primitives, targets local and mapped drives (which ones depends on the privilege it runs with), and leaves a self-contained footer in each encrypted file. Detection IOCs and response priorities are provided.
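The host-side IOCs named in the summary (the .BAVACAI extension, the WHATS_HAPPEND.txt note and the HKLM\SOFTWARE\PAIDMEMES key) can be swept for with a short script. The following is an added example, not tooling from the report or code from the sample: the directory tree it scans is constructed inline, the class and function names are the example's own, and the registry check is only attempted on Windows (it reports "unknown" on other platforms or when access is denied). The per-file footer is not parsed, because the summary does not describe its layout.

```python
"""IOC sweep for the BAVACAI indicators listed in the report summary.

Added example, not the report's own tooling. It looks for:
  * files carrying the .BAVACAI extension (the encrypted-file marker)
  * ransom notes named WHATS_HAPPEND.txt (spelling as written by the sample)
  * the HKLM\\SOFTWARE\\PAIDMEMES key where victim keys are persisted (Windows only)
The directory tree it runs against is constructed inside the script.
"""
import os
import sys
import tempfile
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

RANSOM_EXT = ".bavacai"               # matched case-insensitively: NTFS preserves but ignores case
RANSOM_NOTE = "whats_happend.txt"
REG_KEY_PATH = r"SOFTWARE\PAIDMEMES"  # relative to HKEY_LOCAL_MACHINE


@dataclass
class SweepResult:
    encrypted_files: List[str] = field(default_factory=list)
    ransom_notes: List[str] = field(default_factory=list)
    # None means "not checked": non-Windows host or insufficient rights
    registry_key_present: Optional[bool] = None

    def hit(self) -> bool:
        return bool(self.encrypted_files or self.ransom_notes or self.registry_key_present)

    def hottest_dirs(self, n: int = 3):
        """Directories holding the most encrypted files: where to start triage."""
        return Counter(os.path.dirname(p) for p in self.encrypted_files).most_common(n)


def sweep_tree(roots: List[str], result: Optional[SweepResult] = None) -> SweepResult:
    """Walk every root (on a live host, include every fixed and mapped drive) and record hits."""
    result = result or SweepResult()
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                lower = name.lower()
                path = os.path.join(dirpath, name)
                if lower.endswith(RANSOM_EXT):
                    result.encrypted_files.append(path)
                elif lower == RANSOM_NOTE:
                    result.ransom_notes.append(path)
    return result


def check_registry() -> Optional[bool]:
    """True/False when the PAIDMEMES key could be checked, None when it could not."""
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REG_KEY_PATH):
            return True
    except FileNotFoundError:
        return False
    except OSError:
        return None  # e.g. access denied: report unknown rather than clean


def build_sample_tree() -> str:
    """Constructed sample tree: two encrypted files, one ransom note, one clean file."""
    root = tempfile.mkdtemp(prefix="bavacai_demo_")
    os.makedirs(os.path.join(root, "Users", "alice", "Documents"))
    os.makedirs(os.path.join(root, "Z_mapped_share"))
    for rel in ("Users/alice/Documents/budget.xlsx.BAVACAI",
                "Users/alice/Documents/notes.txt.bavacai",
                "Users/alice/Documents/WHATS_HAPPEND.txt",
                "Z_mapped_share/readme.md"):
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(b"sample bytes\n")  # content is irrelevant to the sweep
    return root


def run_demo() -> SweepResult:
    root = build_sample_tree()
    result = sweep_tree([root])
    result.registry_key_present = check_registry()
    return result


if __name__ == "__main__":
    res = run_demo()
    print("IOC hit:", res.hit())
    print("encrypted files:", len(res.encrypted_files))
    print("ransom notes:", len(res.ransom_notes))
    print("registry key present:", res.registry_key_present)
    for directory, count in res.hottest_dirs():
        print(f"  {count:4d}  {directory}")
```

On a suspect host, pass every fixed and mapped drive letter in `roots`, since the summary notes that mapped drives are in scope when privilege allows. Treat a `None` registry result as inconclusive rather than clean, and use `hottest_dirs` to order which shares and user profiles are examined first.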
