SIT Group Ransomware Attack by Bavacai (May 2026)
Unverified dark web claim. This report is based on a post observed on a dark web forum. Yazoul Security has not independently verified the authenticity of this claim.
Leak Site Screenshot
Screenshot captured at time of discovery. Image blurred to protect victim PII.
Claim Summary
The ransomware group Bavacai has claimed responsibility for an alleged cyberattack against Italian business services firm SIT Group (sitgroup.it) and its Bulgarian subsidiary, Robusta (robusta.bg). The claim was posted on the group’s leak site on May 5, 2026, with the threat actor asserting that it exfiltrated data from both entities. The group also claims to have accessed email accounts on the abv.bg domain, a popular Bulgarian email provider. No data volume or sample has been provided to substantiate the claim, and Yazoul Security has not independently verified any of these assertions.
Threat Actor Profile
Bavacai is a relatively obscure ransomware group with no publicly known track record of successful attacks or established tools and tactics. There is no public research, YARA rules, or detection guidance available for this group, which raises significant credibility concerns. The group’s operational security (OPSEC) appears minimal, as they have not disclosed any technical details about the attack vector, encryption methods, or ransom demands. Without a history of verified breaches, it is plausible that Bavacai is either a new entrant in the ransomware ecosystem or a rebranded operation seeking to build notoriety. Yazoul Security analysts note that the lack of a known victim database or public research suggests this group may be operating at a low scale or relying on unsubstantiated claims to pressure victims.
Alleged Data Exposure
According to the leak site, Bavacai claims to have stolen data from SIT Group and Robusta, including unspecified files and emails from the abv.bg domain. The group has not released any data samples, screenshots, or other proof of compromise to support its claims. Withholding verifiable evidence is a common tactic among low-credibility groups: it creates fear without incurring the legal or operational risks of leaking actual data. Yazoul Security advises that until such evidence is produced, the claim should be treated with extreme skepticism. The mention of abv.bg emails may indicate a phishing or credential-harvesting component, but this remains unconfirmed.
Potential Impact
If the claim is verified, the potential impact on SIT Group and Robusta could include:
- Operational disruption: Business services firms rely on data integrity for client contracts and communications. A breach could lead to service delays or reputational damage.
- Data confidentiality: Exposure of internal emails, client data, or financial records could result in regulatory penalties under GDPR, given the Italian and Bulgarian operations.
- Supply chain risk: SIT Group’s clients may face secondary risks if their data was compromised.
However, given the lack of evidence, the actual risk remains low until further details emerge. The group’s unknown track record suggests that this may be a bluff or a low-sophistication attack.
What to Watch For
- Proof of data: Monitor for any data samples or screenshots released by Bavacai. If none appear within 48-72 hours, the claim is likely false.
- Industry reporting: Check for updates from Italian and Bulgarian cybersecurity authorities or CERTs.
- Email security: Organizations using abv.bg should review for unusual login attempts or phishing campaigns.
- YARA rules: No detection guidance exists for Bavacai, but Yazoul Security will update this report if YARA rules become available.
Disclaimer
This report is based on unverified claims from a ransomware group’s leak site. Yazoul Security has not independently confirmed any data breach, data exfiltration, or system compromise. Ransomware groups frequently exaggerate or fabricate claims to pressure victims. Do not take any action based solely on this information. For official guidance, contact SIT Group directly. For more intelligence, visit Yazoul Security’s intel section at /intel/.