CourtSmart Ransomware Attack by Bavacai (May 2026)
Unverified dark web claim. This report is based on a post observed on a dark web forum. Yazoul Security has not independently verified the authenticity of this claim.
Claim Summary
The ransomware group Bavacai has allegedly claimed responsibility for a cyberattack against CourtSmart, a US-based court technology company. According to the group’s leak site, the attack occurred on May 5, 2026, and involves the compromise of the domain courtsmart.com, as well as a development server at dev-rich20.courtsmart.com. The threat actor also claims connections to JIS.org and nashville.org, though the nature and extent of these connections remain unclear. The volume of data allegedly exfiltrated has not been disclosed by the group. This claim has not been independently verified by Yazoul Security.
Threat Actor Profile
Bavacai is a ransomware group with limited public visibility. As of this report, no confirmed total number of victims is available, and the group’s known tools and tactics remain poorly documented in open-source intelligence. No public research, YARA rules, or detection guidance currently exists for Bavacai. This lack of a known track record raises significant questions about the group’s operational maturity and credibility. Ransomware groups with minimal history often exaggerate claims to establish a reputation, and analysts should treat this claim with heightened skepticism. Without established TTPs (tactics, techniques, and procedures), it is difficult to assess whether the group uses common initial access vectors (e.g., phishing, RDP compromise) or custom tools. Yazoul Security will update this profile as more intelligence becomes available.
Alleged Data Exposure
According to the leak site, the alleged breach involves CourtSmart’s primary domain (courtsmart.com) and a development server (dev-rich20.courtsmart.com). The group also references connections to JIS.org (potentially the Justice Information System) and nashville.org (likely the City of Nashville, Tennessee). The specific types of data claimed to be exfiltrated have not been detailed, but given CourtSmart’s role as a court technology provider, potential data categories could include court case management systems, internal communications, development source code, or configuration files. The inclusion of a dev server suggests that proprietary software or internal tools may be at risk. However, without data samples or a confirmed data volume, these remain speculative.
Potential Impact
If the claim is verified, the impact on CourtSmart could be significant. As a court technology company, CourtSmart likely handles sensitive judicial data, including case filings, court schedules, and potentially personally identifiable information (PII) of litigants, attorneys, and court personnel. Exposure of such data could lead to legal liability, regulatory scrutiny, and reputational damage. The alleged connections to JIS.org and nashville.org raise concerns about third-party risk, as compromised credentials or network access could cascade to partner organizations. Additionally, the development server compromise may expose intellectual property or internal tools, potentially enabling future attacks or data manipulation.
What to Watch For
Yazoul Security recommends monitoring for the following indicators:
- Any public release of data samples by Bavacai, which would increase the credibility of the claim.
- Unusual network activity from IP addresses associated with the dev server or partner domains.
- Phishing attempts targeting CourtSmart employees or partners, as leaked credentials may be used for follow-on attacks.
- Updates from CourtSmart’s official channels regarding incident response or regulatory notifications.
- Any YARA rules or detection signatures published for Bavacai, which would aid in threat hunting.
Disclaimer
This report is based solely on an unverified claim posted by the ransomware group Bavacai on their leak site. Yazoul Security has not independently confirmed the breach, the data exfiltration, or the group’s operational capabilities. Ransomware groups routinely exaggerate or fabricate claims to pressure victims into ransom payments. All information herein should be treated as intelligence leads requiring further validation. No PII, download links, data samples, credentials, or .onion URLs are provided in this report. Organizations should consult with their legal and cybersecurity teams before taking any action based on this information.