
Bavacai — Technical Analysis (Windows)

ID: 702f5d67-60a9-4a05-a10c-a0c31cd2bf35

STIX ID: report--702f5d67-60a9-4a05-a10c-a0c31cd2bf35

Threat Score

75/100

Uploaded: 2026-06-10

Created by: dogesec

TLP:CLEAR
...
...
BAVACAI is a single-stage Windows x64 ransomware sample analyzed in depth. It uses RSA-2048 (CryptoAPI, PKCS#1 v1.5) to wrap per-victim keys and ChaCha20 (DJB 8-byte-nonce variant, no MAC) for file encryption; it appends a 1544-byte footer to each file containing a master-wrapped victim private key and a victim-wrapped per-file ChaCha20 key/nonce, and renames encrypted files with the .BAVACAI extension. The binary includes multi-threaded scanning, target prioritization for .sql/.bak/.VHDX files, Restart Manager unlocking, mapped-network-drive handling with PPID spoofing for a network-processing child process, pre-run commands that remove recovery artifacts, and persistence of the victim public/private key blobs in HKLM\SOFTWARE\PAIDMEMES. It has no network exfiltration and no robust anti-analysis, and it contains several operator/developer errors (typos, malformed commands, plaintext config key material).