Ransomware activity has shown no signs of abating in 2025, as threat intelligence experts at SpiderLabs uncover an aggressive newcomer: KAWA4096.
Emerging in June, this advanced ransomware has quickly claimed at least 11 known victims, primarily targeting organizations in the United States and Japan.
Heat maps and attack telemetry compiled by SpiderLabs confirm these regions as epicenters, with several attacks remaining undisclosed on public leak sites, illustrating the group’s opaque operations and potentially growing victim count.
Sophisticated Multi-Threaded Attacks
KAWA4096 stands out for its technical capabilities and focus on maximizing disruption.
The ransomware leverages modern techniques, such as exploiting Windows Management Instrumentation (WMI) for the deletion of shadow copies, a core step in ensuring victims cannot easily recover their encrypted files.
This is achieved by executing commands like vssadmin.exe Delete Shadows /all /quiet and wmic shadowcopy delete /nointeractive, effectively wiping backup snapshots from infected systems.
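As an added defensive example (not code from the Trustwave/SpiderLabs report), the following Python script runs a simple detection over constructed process-creation log lines in a Sysmon-style key=value layout and flags the two shadow-copy deletion command lines named above, tolerating differences in case, argument order and the executable's path. The field names (EventID, Image, CommandLine, ParentImage), the sample records, the parent paths and the rule names are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample records (not telemetry from the report). The first two
# mirror the shadow-copy deletion commands described in the analysis; the
# last two are benign and must not trigger.
SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe '
    'CommandLine="vssadmin.exe Delete Shadows /all /quiet" '
    'ParentImage=C:\\Users\\Public\\kawa.exe',
    'EventID=1 Image=C:\\Windows\\System32\\wbem\\WMIC.exe '
    'CommandLine="wmic shadowcopy delete /nointeractive" '
    'ParentImage=C:\\Users\\Public\\kawa.exe',
    'EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe '
    'CommandLine="vssadmin.exe list shadows" '
    'ParentImage=C:\\Windows\\System32\\cmd.exe',
    'EventID=1 Image=C:\\Windows\\System32\\notepad.exe '
    'CommandLine="notepad.exe C:\\notes.txt" '
    'ParentImage=C:\\Windows\\explorer.exe',
]

# key=value pairs; a quoted value may contain spaces (assumed log layout).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Alert:
    rule: str
    command_line: str
    parent_image: str


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value event line into a dict, dropping surrounding quotes."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def _basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return re.split(r"[\\/]", path.strip('"'))[-1].lower()


def classify_command(cmdline: str) -> Optional[str]:
    """Return a rule name if the command line deletes shadow copies, else None."""
    tokens = cmdline.split()
    if not tokens:
        return None
    exe = _basename(tokens[0])
    args = {t.lower() for t in tokens[1:]}
    # vssadmin Delete Shadows (any flag order, any case)
    if exe.startswith("vssadmin") and {"delete", "shadows"} <= args:
        return "vssadmin_delete_shadows"
    # wmic shadowcopy delete (WMI path to the same effect)
    if exe.startswith("wmic") and {"shadowcopy", "delete"} <= args:
        return "wmic_shadowcopy_delete"
    return None


def detect_shadow_copy_deletion(events: List[str]) -> List[Alert]:
    """Scan process-creation events (EventID 1) and collect matching alerts."""
    alerts: List[Alert] = []
    for line in events:
        fields = parse_event(line)
        if fields.get("EventID") != "1":
            continue
        cmd = fields.get("CommandLine", "")
        rule = classify_command(cmd)
        if rule:
            alerts.append(Alert(rule, cmd, fields.get("ParentImage", "")))
    return alerts


if __name__ == "__main__":
    for alert in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"[{alert.rule}] parent={alert.parent_image} cmd={alert.command_line}")
```

Keying on the executable name plus the verb tokens, rather than on one literal string, keeps the rule from being bypassed by trivial changes in case or argument order; the parent image is carried in the alert because an unusual parent (here a user-writable path) is what separates ransomware activity from an administrator's scripted cleanup.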
Furthermore, KAWA4096 employs a configuration-driven model, loading its behavioral parameters from a resource embedded in the binary via the LoadResource API.
This config governs files, directories, and services to exclude or focus on, tailoring the attack for each execution.
The ransomware demonstrates an advanced emphasis on persistence and concurrency. It creates a mutex (“SAY_HI_2025”) to prevent multiple instances from running, then spawns up to 10 threads for simultaneous file encryption, using semaphores to synchronize them.
This parallel processing accelerates the encryption process while maintaining system stability, and ensures that shared network drives are included, broadening the ransomware’s impact. Notably, KAWA4096 takes substantial measures to avoid detection and interference.
Its configuration-driven lists of processes and services targeted for termination encompass antivirus programs, backup solutions (like Veeam and Acronis), SQL services, and SAP systems.
Through constant monitoring, the ransomware’s dedicated thread seeks and terminates processes that could obstruct or remediate its operation, even including applications such as TeamViewer and QuickBooks.
Technique Overlap with Qilin and Akira
In terms of file targeting, KAWA4096 skips the encryption of specific extensions (such as .exe, .dll, .sys, etc.) and system-critical folders or files, ensuring the infected environment remains operational enough to receive the ransom note, but not to recover data.
Partial encryption and the ability to change the victim’s desktop wallpaper further highlight its sophisticated approach.
Mimicry is also evident in KAWA4096’s social engineering; the ransom note closely replicates Qilin’s format, while its data leak site design is nearly indistinguishable from Akira’s, down to the green-on-black terminal styling.
These deliberate choices may aim to reinforce credibility or sow confusion among investigators and victims alike.
No clear evidence yet links KAWA4096 to pre-existing ransomware groups, but the observable overlaps in techniques and presentation suggest at least a high degree of technical familiarity with established threat actors.
Organizations are urged to monitor for the distinct behaviors identified in this analysis and employ robust endpoint protection, backup strategies, and proactive threat hunting services.
According to the report, Trustwave’s detection suite and SpiderLabs services now include rules for identifying the hallmark evasion and impact techniques associated with KAWA4096.
In-depth threat hunting and rapid response capabilities become ever more indispensable as ransomware families multiply and adapt.
Indicators of Compromise (IOC)
| Name | Type | SHA-1 | SHA-256 | MD5 |
|---|---|---|---|---|
| C3CE46D40.exe | Win64 EXE | bd30c87774c083a1003c0b9fb0a922b702302272 | f3a6d4ccdd0f663269c3909e74d6847608b8632fb2814b0436a4532b8281e617 | c3ce46d40b2893e30bf00fce72c2e1fa |
| kawa.exe | Win64 EXE | b8c32444ceef027fb65d9cf1c823ad3c9c59acea | fadfef5caf6aede2a3a02a856b965ed40ee189612fa6fde81a30d5ed5ee6ae7d | 64756bf452baa4da411e3a835c08d884 |