KAWA4096 Ransomware Surge

KAWA4096 is a ransomware family that emerged in June 2025, targeting victims in countries including the United States and Japan; it encrypts network shares as well as local drives and uses multithreading to speed up file encryption. Its data leak site mimics the Akira ransomware group's, while its ransom note resembles Qilin's, borrowing from established brands to boost its credibility and visibility. #KAWA4096 #Akira #Qilin

Key points

  • KAWA4096 ransomware first appeared in June 2025 and has impacted at least 11 victims, focusing on the US and Japan.
  • Its data leak site copies the design of the Akira ransomware group, and its ransom note format closely resembles that of Qilin ransomware.
  • The ransomware uses semaphores for multithreaded synchronization and encrypts files on both local and shared network drives.
  • KAWA4096 terminates various critical processes and services, including antivirus, backup, SQL servers, and SAP-related services, to maximize impact and evade detection.
  • It deletes volume shadow copies via vssadmin and WMI commands to hinder recovery efforts by victims.
  • The ransomware’s configuration is embedded within the binary, listing specific directories, files, and extensions to skip or target for encryption.
  • KAWA4096 can modify the victim’s desktop wallpaper and change encrypted files’ icons to resemble the “SQL Monitor” icon.

MITRE Techniques

  • [T1562] Impair Defenses – KAWA4096 deletes shadow copies using commands such as “vssadmin.exe Delete Shadows /all /quiet” and “wmic shadowcopy delete /nointeractive” to prevent recovery.
  • [T1070] Indicator Removal on Host – The ransomware uses commands like “wevtutil cl Application” to clear event logs.
  • [T1059] Command and Scripting Interpreter – It runs “cmd.exe /C ping 127.0.0.1 -n 2 > nul && del /F ” followed by its own path to delete itself after encryption; the ping to 127.0.0.1 is only a short delay that lets the ransomware process exit before the binary is removed.
  • [T1543] Create or Modify System Process – KAWA4096 uses Windows Service Control Manager APIs to terminate antivirus, backup, and database services to evade detection and maintain control.
  • [T1204] User Execution – The ransomware re-executes itself with the “-all” parameter to trigger full encryption functionality.
  • [T1486] Data Encrypted for Impact – It encrypts files on local and network drives using multithreading and semaphore synchronization to maximize encryption efficiency.
  • [T1566] Phishing – Use of similar ransom notes and data leak site design as known groups may increase credibility and facilitate victim interaction.
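
As an added defender-side example (not code from the Trustwave write-up), the following Python scans constructed process-creation records for the command lines listed above and rates each host by how many of the listed techniques co-occur; the event field names, the sample records and the severity thresholds are assumptions.

```python
import re

# Constructed Sysmon-style process-creation records (field names assumed); not real telemetry.
SAMPLE_EVENTS = [
    {"Host": "ws01", "CommandLine": r'"C:\Users\alice\Downloads\kawa.exe" -all'},
    {"Host": "ws01", "CommandLine": "vssadmin.exe Delete Shadows /all /quiet"},
    {"Host": "ws01", "CommandLine": "wmic shadowcopy delete /nointeractive"},
    {"Host": "ws01", "CommandLine": "wevtutil cl Application"},
    {"Host": "ws01", "CommandLine": r'cmd.exe /C ping 127.0.0.1 -n 2 > nul && del /F "C:\Users\alice\Downloads\kawa.exe"'},
    {"Host": "ws02", "CommandLine": "vssadmin.exe List Shadows"},  # routine admin use; must not fire
]

# One rule per behaviour named in the technique list above: (technique id, description, pattern).
RULES = [
    ("T1562", "shadow copy deletion via vssadmin", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1562", "shadow copy deletion via WMI", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("T1070", "event log clearing via wevtutil", re.compile(r"\bwevtutil(?:\.exe)?\s+cl\s+\S+", re.I)),
    ("T1059", "ping-delay self-deletion", re.compile(r"\bping\s+127\.0\.0\.1\b.*&&\s*del\s+/F\b", re.I)),
    ("T1204", "re-execution with the -all switch", re.compile(r'\.exe"?\s+-all\s*$', re.I)),
]


def scan(events):
    """Return (event index, host, technique, description) for every rule hit, in event order."""
    hits = []
    for idx, ev in enumerate(events):
        for tech, desc, rx in RULES:
            if rx.search(ev["CommandLine"]):
                hits.append((idx, ev["Host"], tech, desc))
    return hits


def score_hosts(events):
    """Rate each host by the number of distinct techniques seen; the thresholds are an assumption."""
    per_host = {ev["Host"]: set() for ev in events}
    for _, host, tech, _ in scan(events):
        per_host[host].add(tech)
    levels = {0: "none", 1: "low", 2: "medium"}  # three or more distinct techniques -> "high"
    return {host: levels.get(len(techs), "high") for host, techs in per_host.items()}


if __name__ == "__main__":
    for idx, host, tech, desc in scan(SAMPLE_EVENTS):
        print(f"event {idx} on {host}: [{tech}] {desc}")
    print(score_hosts(SAMPLE_EVENTS))
```

The benign "vssadmin.exe List Shadows" record is included deliberately so the rules are checked against routine administration as well as the destructive commands.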

Indicators of Compromise

  • [File Hash] KAWA4096 sample executables – bd30c87774c083a1003c0b9fb0a922b702302272 (SHA-1 of C3CE46D40.exe), fadfef5caf6aede2a3a02a856b965ed40ee189612fa6fde81a30d5ed5ee6ae7d (SHA-256 of kawa.exe)
  • [Domain] Tor data leak site – hxxp://kawasa2qo7345dt7ogxmx7qmn6z2hnwaoi3h5aeosupozkddqwp6lqqd[.]onion/
  • [Email] Contact used for ransom negotiation – [email protected]
  • [Executable Name] Observed malware filenames – C3CE46D40.exe, kawa.exe

Read more: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/kawa4096s-ransomware-tide-rising-threat-with-borrowed-styles/