Kawa4096 is a newly emerged ransomware group (June 2025) targeting multinational organizations across sectors like finance and education, operating a Tor data leak site and using double extortion to pressure victims. Their tooling includes partial (chunk-based) encryption with Salsa20, shadow-copy deletion, a mutex named ‘SAY_HI_2025’, and ransom notes similar to Qilin’s format. #Kawa4096 #Qilin
Key Points
- Kawa4096 surfaced in June 2025 and has targeted multinational organizations in multiple countries, notably Japan and the United States.
- The group maintains a Tor-based data leak site with dedicated claim URLs and uses a double extortion approach (data exfiltration before encryption).
- The ransomware automatically restarts with the -all argument if executed without arguments, then performs full encryption; it supports options like -d= and -dump.
- Configuration is embedded in the executable’s resources and includes exclusions (skip_exts, skip_dirs, skip_files), specified directories, process kill lists, and a partial-encryption setting.
- Files are encrypted using a chunk-based approach (e.g., 64 KB chunks) with partial encryption (example: 25% of chunks) and the Salsa20 stream cipher; encrypted files gain a 9-character random suffix.
- Kawa4096 deletes volume shadow copies via vssadmin and WMIC commands to hinder recovery, and creates ransom notes (!!Restore-My-file-Kavva.txt) similar to Qilin’s format with Tor and QTOX contact details.
- AhnLab has added multiple detections for Kawa4096 variants and listed MD5 hashes associated with analyzed samples.
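The chunk-based partial encryption described above leaves a measurable trace that a responder can use to triage affected files: with 64 KB chunks and only a subset encrypted, the Salsa20-encrypted chunks show a near-random byte distribution while the untouched chunks keep the entropy of their original content. The following is an added example, not code from the report or from AhnLab: it computes per-chunk Shannon entropy and estimates the encrypted fraction. The sample file, the 7.5 bits/byte threshold and the choice of which chunks are "encrypted" are constructed assumptions, and seeded random bytes stand in for ciphertext.

```python
import math
import random

CHUNK_SIZE = 64 * 1024   # 64 KB chunks, the example chunk size from the report
HIGH_ENTROPY = 7.5       # assumed threshold in bits/byte; text and most documents sit well below it


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input, 8.0 max)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy of each consecutive chunk; the last chunk may be shorter than chunk_size."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def encrypted_fraction(data: bytes, chunk_size: int = CHUNK_SIZE,
                       threshold: float = HIGH_ENTROPY) -> float:
    """Fraction of chunks whose entropy looks like ciphertext (>= threshold)."""
    ents = chunk_entropies(data, chunk_size)
    if not ents:
        return 0.0
    return sum(1 for e in ents if e >= threshold) / len(ents)


def build_sample(total_chunks: int = 8, encrypted: tuple = (0, 4),
                 chunk_size: int = CHUNK_SIZE) -> bytes:
    """Constructed sample file: repetitive log text, with the chunk indexes listed in
    `encrypted` replaced by seeded random bytes standing in for Salsa20 ciphertext.
    Two of eight chunks encrypted gives the 25% ratio quoted in the report."""
    rng = random.Random(20250601)  # fixed seed so the result is reproducible
    plain = (b"2025-06-01 12:00:00 INFO user login ok\n" * 2000)[:chunk_size]
    chunks = []
    for idx in range(total_chunks):
        if idx in encrypted:
            chunks.append(bytes(rng.getrandbits(8) for _ in range(chunk_size)))
        else:
            chunks.append(plain)
    return b"".join(chunks)


if __name__ == "__main__":
    sample = build_sample()
    for i, e in enumerate(chunk_entropies(sample)):
        flag = "  <- looks encrypted" if e >= HIGH_ENTROPY else ""
        print(f"chunk {i}: {e:.3f} bits/byte{flag}")
    print(f"estimated encrypted fraction: {encrypted_fraction(sample):.2f}")
```

On real files the threshold needs care: already-compressed formats (archives, JPEG, MP4) have high entropy in every chunk, so a high fraction on such files is expected rather than evidence of encryption; comparing against a known-good copy or the file type's baseline avoids that false positive.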
MITRE Techniques
- [T1490] Inhibit System Recovery – Deletes volume shadow copies using “vssadmin.exe Delete Shadows /all /quiet” and “wmic shadowcopy delete /nointerface” to prevent recovery (“…Deletes all shadow copies…”).
- [T1486] Data Encrypted for Impact – Encrypts files using chunk-based partial encryption (e.g., 64 KB chunks, 25% of chunks) with the Salsa20 stream cipher to render files unusable (“…encrypts only parts of each file…”).
- [T1036] Masquerading (branding imitation) – Uses ransom note content and Tor leak site design similar to Qilin/Akira to leverage perceived credibility and psychological pressure (“…similar to the Qilin ransom note…visual similarity between Kawa4096’s leak site and that of the Akira ransomware group…”).
- [T1059] Command and Scripting Interpreter – Executes system commands via WMI Win32_Process:Create to run commands that delete shadow copies (“…triggers process execution with WMI’s Win32_Process:Create to run commands related to volume shadow copy…”).
- [T1560] Archive Collected Data / [T1041] Exfiltration Over C2 Channel (data exfiltration/double extortion) – Exfiltrates sensitive data prior to encryption and publishes it on a Tor-based leak site with dedicated claim URLs (“…exfiltrating data before encrypting it…data leak site on the Tor network…each victim is provided with a dedicated claim URL…”).
- [T1204] User Execution (execution options) – Alters execution behavior when run without arguments by appending “-all” and restarting to perform encryption, indicating self-modifying execution flow (“…automatically appends the -all argument to itself and restarts…”).
- [T1609] Container Image – Use of embedded configuration in resources (LoadResource/FindResourceW) to control behavior and exclusions (“…reads configuration data embedded in the resource section of the executable using APIs such as LoadResource and FindResourceW…”).
- [T1033] System Owner/User Discovery (process termination) – Terminates processes (e.g., sqlservr.exe, outlook.exe) listed in its configuration to unlock files and disable backups/monitoring before encryption (“…Processes are terminated prior to encryption…Examples include: sqlservr.exe, excel.exe…”).
Indicators of Compromise
- [File Hash – MD5] Sample malware hashes reported – 0bf4def902e36cc9174d89c14ec3dcac, 64756bf452baa4da411e3a835c08d884 (and 1 more hash).
- [File Name] Ransom note and dropfile names – !!Restore-My-file-Kavva.txt (created in encrypted folders and system root).
- [Registry/Mutex] Mutex name used by malware – ‘SAY_HI_2025’ (mutex created via CreateMutexA to prevent multiple instances).
- [Command] Shadow copy deletion commands observed – vssadmin.exe Delete Shadows /all /quiet; wmic shadowcopy delete /nointerface (used to remove backups).
- [Network/Leak Site] Tor-based data leak site and Tor contact addresses – dedicated claim URLs on a Tor leak site and included Tor onion address and QTOX ID in ransom notes.
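The command-line, mutex and file-name indicators above map directly onto detection logic over endpoint telemetry. The following is an added example, not code from the report or from AhnLab: it normalizes process command lines so that spacing and case variations do not evade the match, flags the two shadow-copy deletion commands (while leaving a benign "vssadmin List Shadows" alone), and matches the ‘SAY_HI_2025’ mutex and the !!Restore-My-file-Kavva.txt ransom note. The event dictionary shape (type plus cmdline/path/name) and the sample events are constructed assumptions, not real logs.

```python
import re
from typing import Dict, List, Optional, Tuple

# Indicators quoted from the report above (compared case-insensitively)
RANSOM_NOTE = "!!restore-my-file-kavva.txt"
MUTEX_NAME = "say_hi_2025"

# Each rule: detection name plus tokens that must appear in this order in the
# normalized command line; "vssadmin list shadows" therefore does not match.
SHADOW_COPY_RULES = [
    ("vssadmin_delete_shadows", ("vssadmin", "delete", "shadows")),
    ("wmic_shadowcopy_delete", ("wmic", "shadowcopy", "delete")),
]


def normalize(cmdline: str) -> str:
    """Lower-case and collapse whitespace so spacing/case tricks do not evade the match."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def match_shadow_copy(cmdline: str) -> Optional[str]:
    """Return the rule name if the command line deletes shadow copies, else None."""
    text = normalize(cmdline)
    for name, tokens in SHADOW_COPY_RULES:
        pos = 0
        for tok in tokens:
            pos = text.find(tok, pos)
            if pos < 0:
                break
            pos += len(tok)
        else:            # every token found in order
            return name
    return None


def basename(path: str) -> str:
    """Last path component, accepting both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def scan_events(events: List[Dict[str, str]]) -> List[Tuple[str, int]]:
    """Scan telemetry events (assumed shape: 'type' plus cmdline/path/name) and return
    (rule_name, event_index) for every Kawa4096 indicator listed in the report."""
    findings = []
    for idx, ev in enumerate(events):
        kind = ev.get("type")
        if kind == "process":
            rule = match_shadow_copy(ev.get("cmdline", ""))
            if rule:
                findings.append((rule, idx))
        elif kind == "file" and basename(ev.get("path", "")).lower() == RANSOM_NOTE:
            findings.append(("kawa4096_ransom_note", idx))
        elif kind == "mutex" and ev.get("name", "").lower() == MUTEX_NAME:
            findings.append(("kawa4096_mutex", idx))
    return findings


# Constructed sample telemetry, not real logs: one benign vssadmin call, the two
# deletion commands from the report, the mutex, the ransom note and a normal file.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": "vssadmin.exe List Shadows"},
    {"type": "process", "cmdline": "C:\\Windows\\System32\\vssadmin.exe  Delete Shadows /all /quiet"},
    {"type": "process", "cmdline": "wmic shadowcopy delete /nointerface"},
    {"type": "mutex", "name": "SAY_HI_2025"},
    {"type": "file", "path": "C:\\Users\\alice\\Documents\\!!Restore-My-file-Kavva.txt"},
    {"type": "file", "path": "C:\\Users\\alice\\Documents\\report.docx"},
]

if __name__ == "__main__":
    for rule, idx in scan_events(SAMPLE_EVENTS):
        print(f"[{rule}] event {idx}: {SAMPLE_EVENTS[idx]}")
```

Because the report notes that the shadow-copy commands are launched through WMI Win32_Process:Create, the parent of the vssadmin/wmic process will typically be WmiPrvSE.exe rather than the ransomware binary itself; a production rule should therefore match on the command line, as above, rather than on the parent image.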
Read more: https://asec.ahnlab.com/en/90207/