Kawabunga, Dude, You’ve Been Ransomed!

Huntress observed a KawaLocker (KAWA4096) ransomware incident where the attacker gained RDP access, used HRSword and other tools to disable security software and then deployed KawaLocker against the E: volume. Detection breadcrumbs included HRSword activity, deletion of Volume Shadow Copies, and specific file hashes and filenames that identify the incident. #KawaLocker #HRSword

Keypoints

  • Threat actor gained initial access via Remote Desktop Protocol (RDP) using a compromised account.
  • Attacker ran HRSword and kill.exe to enumerate, monitor, and disable security tooling, causing security services to crash.
  • Kernel drivers sysdiag.sys and hrwfpdrv.sys (signed by Beijing Huorong Network Technology Co., Ltd., the HRSword vendor) were installed as services and later removed with sc.exe commands.
  • Attacker used advanced_port_scanner.exe and saved hostnames to 1.txt, then used PsExec with a batch file to enable RDP and disable the firewall on additional hosts.
  • KawaLocker (e.exe) was executed targeting the E: volume; ransom note referenced kawa4096@onionmail[.]org and used extension .AAE564FDD.
  • Post-encryption actions included deleting Volume Shadow Copies, clearing Windows event logs, and self-deletion of the ransomware executable.
  • Huntress response prevented lateral access and further impact; HRSword usage and shadow copy deletion are useful detection breadcrumbs.

MITRE Techniques

  • [T1021.001] Remote Services: RDP – Initial access via Remote Desktop Protocol using a compromised account (“accessing the victim’s endpoint via Remote Desktop Protocol (RDP), using a compromised account”).
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Execution of commands and batch files to run HRSword, deploy tools, and enable RDP (“C:\Windows\System32\cmd.exe /c @pushd … & CALL …HRSword.bat”).
  • [T1112] Modify Registry – Enabling Remote Desktop by setting fDenyTSConnections to 0 (“REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server /v fDenyTSConnections /t REG_DWORD /d 0 /f”); this is a service-enabling registry change, not a Run-key persistence entry.
  • [T1570] Lateral Tool Transfer – PsExec copies (-c) and executes a batch file on every host listed in 1.txt (“PsExec.exe -h @1.txt -d -c "[REDACTED]1.bat"”).
  • [T1490] Inhibit System Recovery – Deletion of Volume Shadow Copies using vssadmin (“vssadmin.exe delete shadows /all /quiet”).
  • [T1070.001] Indicator Removal on Host: Clear Windows Event Logs – Clearing Security, System, and Application event logs (“wevtutil cl security | wevtutil cl system | wevtutil cl application”).
  • [T1057] Process Discovery – tasklist.exe piped through find to locate security-tool processes before terminating them (“tasklist.exe piped through a find command …”).
  • [T1543.003] Create or Modify System Process: Windows Service – Installing, starting, stopping and removing the Huorong kernel drivers as services with sc.exe (“sc start, sc stop, and sc delete …”).
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Deployment of kill.exe and other tools to disable security tooling (“deployed kill.exe and HRSword … deploying tools to disable those security tools”).
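The keypoints and the technique list above describe a short, highly recognisable command sequence on the deployment host (HRSword and kill.exe, sc.exe driver installs, a PsExec fan-out, then vssadmin and wevtutil). The script below is an added example, not detection content from Huntress or from the blog post: it runs a small rule set over process-creation command lines and then correlates per host, flagging any host that both impaired defences and inhibited recovery or cleared logs. The regexes, the rule-to-technique mapping, the host names and every sample command line are assumptions constructed for this demo; the file paths are placeholders, not the redacted paths from the incident, and HRSword's renamed s.exe is deliberately not matched by name because a single-letter filename would be far too noisy (match it by hash instead).

```python
import re

# Added example (not from the Huntress write-up). Each rule pairs an ATT&CK technique with a
# regex over a process command line. The patterns are assumptions written for this demo and
# should be tuned against real telemetry before use.
RULES = [
    ("T1562.001", "HRSword or kill.exe launched to disable security tooling",
     re.compile(r"(?i)\b(?:hrsword\.(?:bat|exe)|kill\.exe)\b")),
    ("T1543.003", "sc.exe creates/starts/stops/deletes a Huorong kernel driver service",
     re.compile(r"(?i)\bsc(?:\.exe)?\s+(?:create|start|stop|delete)\b.*\b(?:sysdiag|hrwfpdrv)\b")),
    ("T1112", "reg add sets fDenyTSConnections=0 to enable RDP",
     re.compile(r"(?i)\breg(?:\.exe)?\s+add\b.*terminal server.*fDenyTSConnections.*/d\s+0\b")),
    ("T1570", "PsExec copies (-c) a file to every host in a list file (@hosts.txt)",
     re.compile(r"(?i)\bpsexec(?:64)?(?:\.exe)?\b.*\s@\S+\.txt\b.*\s-c\b")),
    ("T1490", "vssadmin deletes all volume shadow copies",
     re.compile(r"(?i)\bvssadmin(?:\.exe)?\s+delete\s+shadows\b.*/all\b")),
    ("T1070.001", "wevtutil clears the Security, System or Application log",
     re.compile(r"(?i)\bwevtutil(?:\.exe)?\s+cl\s+(?:security|system|application)\b")),
    ("T1057", "tasklist output piped into find/findstr to hunt for security processes",
     re.compile(r"(?i)\btasklist(?:\.exe)?\b.*\|\s*find(?:str)?\b")),
]

# Techniques that, seen together on one host, reproduce the ordering from the incident:
# defences impaired first, then recovery inhibited / evidence destroyed.
DEFENSE_IMPAIRMENT = {"T1562.001", "T1543.003"}
RECOVERY_OR_EVIDENCE = {"T1490", "T1070.001"}

# Constructed process-creation events (hypothetical hosts, placeholder paths). WS01 is the
# deployment host, WS03 only received the RDP-enabling batch file, WS02 is benign noise.
SAMPLE_EVENTS = [
    {"host": "WS01", "cmdline": r"C:\Windows\System32\cmd.exe /c @pushd C:\Users\Public & CALL C:\Users\Public\HRSword.bat"},
    {"host": "WS01", "cmdline": r'tasklist.exe | find /i "agent"'},
    {"host": "WS01", "cmdline": r"sc create sysdiag type= kernel binPath= C:\Users\Public\sysdiag.sys"},
    {"host": "WS01", "cmdline": r"sc start sysdiag"},
    {"host": "WS01", "cmdline": r"C:\Users\Public\kill.exe"},
    {"host": "WS01", "cmdline": r"sc stop hrwfpdrv"},
    {"host": "WS01", "cmdline": r"sc delete hrwfpdrv"},
    {"host": "WS01", "cmdline": r"PsExec.exe -h @1.txt -d -c C:\Users\Public\1.bat"},
    {"host": "WS01", "cmdline": r"vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "cmdline": r"wevtutil cl security"},
    {"host": "WS03", "cmdline": r'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"host": "WS02", "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"host": "WS02", "cmdline": r"sc query wuauserv"},
    {"host": "WS02", "cmdline": r"vssadmin list shadows"},
]


def classify(cmdline: str) -> list[str]:
    """Return the technique IDs whose rule matches this command line, in rule order."""
    return [tid for tid, _, rx in RULES if rx.search(cmdline)]


def scan(events: list[dict]) -> list[tuple[str, str, str]]:
    """Run every rule over each event; return (host, technique, cmdline) for each hit."""
    return [(ev["host"], tid, ev["cmdline"]) for ev in events for tid in classify(ev["cmdline"])]


def techniques_by_host(events: list[dict]) -> dict[str, set[str]]:
    """Collapse hits into the set of techniques observed per host (hosts with no hits are absent)."""
    out: dict[str, set[str]] = {}
    for host, tid, _ in scan(events):
        out.setdefault(host, set()).add(tid)
    return out


def ransomware_pattern_hosts(events: list[dict]) -> list[str]:
    """Hosts showing both defence impairment and recovery inhibition / log clearing."""
    return sorted(host for host, techs in techniques_by_host(events).items()
                  if techs & DEFENSE_IMPAIRMENT and techs & RECOVERY_OR_EVIDENCE)


if __name__ == "__main__":
    descriptions = {tid: desc for tid, desc, _ in RULES}
    for host, tid, cmdline in scan(SAMPLE_EVENTS):
        print(f"{host}  {tid:<10} {descriptions[tid]}\n      {cmdline}")
    print("\nRansomware deployment pattern on:", ransomware_pattern_hosts(SAMPLE_EVENTS))
```

The per-event rules are individually noisy (an administrator can legitimately run `vssadmin delete shadows` or enable RDP by registry), so the correlation in `ransomware_pattern_hosts` is the part worth alerting on at high severity; the single-technique hits are better surfaced as hunting leads, and the hash IoCs below catch the renamed HRSword binary that no command-line rule should try to name.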

Indicators of Compromise

  • [File extension] Encrypted file extension – .AAE564FDD
  • [Ransom note] Ransom note filename and contact – !!Restore-My-file-K1Vva.txt, email kawa4096@onionmail[.]org
  • [Executable hash] Ransomware executable – e.exe SHA256: e4fb852fed532802aa37988ef9425982d272bc5f8979c24b25b620846dac9a23
  • [Executable hash] HRSword executable – s.exe SHA256: ecca86e9b79d5a391a433d8d782bf54ada5a9ee04038dbaf211e0f087b5dad52
  • [Driver hash] HRSword drivers – hrwfpdrv.sys SHA256: 01a3dabb4684908082cb2ac710d5d42afae2d30f282f023d54d7e945ad3272f5, sysdiag.sys SHA256: 11b262c936ffa8eb83457efd3261578376d49d6e789c7c026f1fa0b91929e135
  • [Executable hash] Process-killing tool – kill.exe SHA256: db8f4e007187795e60f22ee08f5916d97b03479ae70ad95ad227c57e20241e9d


Read more: https://www.huntress.com/blog/kawalocker-ransomware-deployed