Kawa4096 Ransomware: Leveraging Brand Mimicry for Psychological Impact
Summary:
Emerging in June 2025, the new ransomware group Kawa4096 is quickly becoming a significant threat, targeting large multinational corporations in the finance, education, and services industries across countries such as Japan and the United States. While its operational model is not yet confirmed to be RaaS, the group's rapid activity suggests a highly organized structure. Kawa4096 employs a double extortion tactic with its ransomware: it uses a Tor network data leak site to publicly disclose victim information, and it provides a unique onion site address for each victim to manage their data.
The group's ransomware automatically initiates a full-system encryption if executed without specific command-line arguments. It also uses a mutex named 'SAY_HI_2025' to prevent multiple instances from running simultaneously, ensuring a single, controlled execution. The ransomware's behavior is guided by embedded configuration data, which is read using APIs like LoadResource and specifies various fields (files, extensions, and processes) to exclude or terminate. For large files, Kawa4096 uses a partial encryption method, encrypting only a portion of each file to accelerate the process and maximize the number of affected files. This is achieved by dividing files into 64 KB chunks and encrypting a specific percentage of them; for example, files larger than 10 MB have 25% of their chunks encrypted, while smaller files are often fully encrypted. Notably, the ransom note, named !!Restore-My-file-Kavva.txt, is nearly identical in content and format to that of the Qilin ransomware group. The contact information provided in the note is a Tor onion address and a QTOX ID for negotiation. Additionally, the web design of Kawa4096's leak site resembles that of the Akira ransomware group, suggesting either a direct link, a rebranding, or a strategic imitation to leverage what works for some of the top groups in the ransomware landscape.
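The 64 KB chunked partial encryption described above leaves a recognizable footprint that incident responders can measure: a file that is only partially encrypted shows a minority of near-8-bit-per-byte chunks interleaved with normal-entropy chunks. The following is an added triage example, not code from the ASEC analysis or from the ransomware; the 7.5 bit/byte ciphertext threshold and the sample file are assumptions constructed here.

```python
import math
import os
from collections import Counter

CHUNK_SIZE = 64 * 1024                   # per the analysis: files are split into 64 KB chunks
LARGE_FILE_THRESHOLD = 10 * 1024 * 1024  # per the analysis: files over 10 MB get 25% partial encryption
HIGH_ENTROPY = 7.5                       # assumption: ciphertext chunks sit near 8.0 bits/byte


def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy of buf in bits per byte (0.0 for an empty buffer)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def chunk_entropy_profile(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy of each chunk_size slice of data, in file order."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def encrypted_chunk_ratio(data: bytes, chunk_size: int = CHUNK_SIZE) -> float:
    """Fraction of chunks whose entropy looks like ciphertext."""
    profile = chunk_entropy_profile(data, chunk_size)
    if not profile:
        return 0.0
    return sum(1 for e in profile if e >= HIGH_ENTROPY) / len(profile)


def expected_mode(file_size: int) -> str:
    """Encryption mode the analysis attributes to Kawa4096 for a file of this size."""
    return "partial" if file_size > LARGE_FILE_THRESHOLD else "full"


def triage(data: bytes) -> str:
    """Classify a recovered file by how much of it carries ciphertext-like chunks."""
    ratio = encrypted_chunk_ratio(data)
    if ratio == 0:
        return "no high-entropy chunks (likely untouched)"
    if ratio >= 0.9:
        return "fully encrypted"
    return f"partially encrypted (~{ratio:.0%} of chunks)"


def build_constructed_sample(total_chunks: int = 40, encrypted_every: int = 4) -> bytes:
    """Constructed sample: every 4th 64 KB chunk is random bytes, the rest low-entropy text."""
    plain = (b"quarterly report line\n" * 3000)[:CHUNK_SIZE]
    return b"".join(os.urandom(CHUNK_SIZE) if i % encrypted_every == 0 else plain
                    for i in range(total_chunks))
```

Run over files on a suspected host, `triage` separates untouched, partially encrypted (potentially partly recoverable) and fully encrypted files, and `expected_mode` flags files whose footprint does not match the size-based behavior the analysis describes.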
Security Officer Comments:
The Kawa4096 group’s use of a mutex, partial encryption, and automated full-system encryption reinforces the idea that they focus on maximizing speed and impact. The similarities in their leak site design to Akira and their ransom note to Qilin could be a design choice to borrow the prolific groups’ reputation and appear more credible to their victims. The group's rapid and widespread activity indicates the Kawa4096 group is a significant new threat, with potentially experienced operators, that deserves to be tracked closely to learn more.
Suggested Corrections:
IOCs are available here.
Back up your data, system images, and configurations, regularly test them, and keep the backups offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical so that, if your network data is encrypted by ransomware, your organization can restore systems from them.
Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.
Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?
Check your security team's work: Use a third-party pen tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.
Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks, and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.
Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained on how to avoid and spot phishing emails.
Implement multi-factor authentication (MFA): External-facing assets that leverage single-factor authentication (SFA) are highly susceptible to brute-forcing attacks, password spraying, or unauthorized remote access using valid (stolen) credentials. Implementing MFA enhances security and adds an extra layer of protection.
Link(s):
https://asec.ahnlab.com/en/90207/