Kawa4096 Ransomware Targets Multinational Corporations to Steal Sensitive Data
In June 2025, a previously unknown ransomware group dubbed Kawa4096 emerged, immediately drawing attention by targeting multinational organizations across diverse industries, including finance, education and services, in countries such as Japan and the United States.
While no public evidence confirms a Ransomware-as-a-Service (RaaS) model or partnerships with other cybercriminals, the group’s attacks in multiple countries within a brief window suggest a notably organized operation.
Kawa4096 operates a Tor-hosted data exfiltration portal where stolen files and victim details are displayed.
Unlike many ransomware actors that focus on narrow verticals, Kawa4096 has demonstrated indiscriminate targeting of large enterprises, emphasizing rapid data theft and encryption.
Their methodology follows a double extortion paradigm: data is exfiltrated prior to encryption, and victims are pressured with both file encryption and public data leaks. Each victim is assigned a unique claim URL, indicating centralized control and systematic tracking of negotiations.

Ransom demands and negotiation tactics remain undisclosed, but the existence of individualized payment portals implies tailored ransom quotes based on the volume and sensitivity of stolen data.
Analysis Contents
Kawa4096’s executable exhibits a self-re-execution feature: if launched without parameters, it relaunches itself with the -all argument to initiate full file encryption. Available execution options include:

- -d=<directory>: Encrypts the specified directory.
- -all: Encrypts all target files.
- -dump: Invokes MiniDumpWriteDump to generate a crash “.dmp” in the current folder.
A mutex named SAY_HI_2025 is created via CreateMutexA to prevent concurrent executions, ensuring only a single instance runs per host.

Duplicate launches detect the existing mutex and terminate immediately, avoiding redundant encryption tasks.
Following mutex creation, the executable reads resource-embedded settings using LoadResource and FindResourceW. These settings define encryption exclusions, target directories, and process termination lists, shaping the subsequent encryption phase.
Preparing for Encryption
The resource configuration comprises 17 fields; five critical elements include:
- skip_exts: Extensions excluded from encryption to preserve system stability (e.g., .exe, .dll, .sys, .lnk).
- skip_dirs: Directories omitted during traversal to avoid destroying core OS components (e.g., Program Files, All Users).
- skip_files: Specific filenames exempted to maintain bootability and user profile integrity (e.g., boot.ini, desktop.ini).
- specify_dirs: When enabled, restricts encryption to listed paths; currently disabled (enable="0"), indicating a full network-wide file search.
- kill_process: Pre-encryption process termination list targeting common applications and database services (e.g., sqlservr.exe, excel.exe, firefox.exe) to unlock files and interrupt monitoring.
Kawa4096 implements partial encryption to accelerate file processing. Large files are divided into 64 KB chunks, of which only 25% are encrypted, corrupting headers or indexes to render files unusable while reducing encryption time.
Smaller files receive full or weak partial encryption depending on size thresholds. Salsa20 serves as the encryption cipher, and encrypted files are renamed using the pattern <original>.<ext>.<9 random chars>, balancing speed with destructive impact.
Ransom Note
The ransom note, !!Restore-My-file-Kavva.txt, mirrors the Qilin ransomware note format, issuing a double threat of encryption and public disclosure.
Placed in each encrypted folder and at the system root, the note lists stolen data types (customer, employee, financial records), provides a Tor onion URL and a QTOX ID for negotiation, and warns that leaked files may be published if ransoms remain unpaid.
Confirmed leaks include actual customer records, underscoring the potency of their extortion campaign.
To thwart recovery, Kawa4096 executes shadow copy deletion commands via WMI:

```text
vssadmin.exe Delete Shadows /all /quiet
wmic shadowcopy delete /nointerface
```
These commands eradicate all volume shadow copies, impeding victims’ ability to restore from backups and reinforcing leverage for ransom payment.
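The shadow copy deletion commands, the -all/-d=/-dump switches, the ransom note filename and the <original>.<ext>.<9 random chars> rename pattern described above are all observable in endpoint telemetry. The following added example (not code from the original report or from AhnLab) scans constructed Sysmon-style process-creation and file-create log lines for those indicators and grades the combination; the event lines and the Q2.xlsx.Xk9pQ2mLr sample name are assumptions, not captured data.

```python
import re

# Constructed sample telemetry (Sysmon-style EventID 1 process-creation and
# EventID 11 file-create events, flattened to one line each). Not real logs.
SAMPLE_EVENTS = [
    "EventID=1 Image=C:\\Users\\a\\kawa.exe CommandLine=kawa.exe -all",
    "EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine=vssadmin.exe Delete Shadows /all /quiet",
    "EventID=1 Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine=wmic shadowcopy delete /nointerface",
    "EventID=11 TargetFilename=C:\\Finance\\Q2.xlsx.Xk9pQ2mLr",
    "EventID=11 TargetFilename=C:\\Finance\\!!Restore-My-file-Kavva.txt",
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c dir",
    "EventID=11 TargetFilename=C:\\Users\\a\\report.docx",
]

# Detection rules: (name, compiled regex). Indicator values come from the report.
RULES = [
    ("shadow_copy_delete_vssadmin",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all", re.I)),
    ("shadow_copy_delete_wmic",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    # Kawa4096 switches: -all, -dump, -d=<directory>
    ("kawa4096_cli_switch",
     re.compile(r"CommandLine=\S+\s+-(all|dump|d=\S+)\s*$", re.I)),
    ("kawa4096_ransom_note",
     re.compile(r"!!Restore-My-file-Kavva\.txt$", re.I)),
    # Encrypted-file naming: <original>.<ext>.<9 random chars>
    ("kawa4096_renamed_file",
     re.compile(r"TargetFilename=.+\.[A-Za-z0-9]{2,5}\.[A-Za-z0-9]{9}$")),
]

def scan(events):
    """Return (rule_name, event_line) hits in event order; a line may hit several rules."""
    hits = []
    for line in events:
        for name, rx in RULES:
            if rx.search(line):
                hits.append((name, line))
    return hits

def triage(events):
    """Shadow copy deletion plus any Kawa4096-specific artefact is graded high;
    either family of indicators alone is medium; nothing matched is none."""
    names = {n for n, _ in scan(events)}
    shadow = any(n.startswith("shadow_copy_delete") for n in names)
    kawa = any(n.startswith("kawa4096") for n in names)
    if shadow and kawa:
        return "high"
    return "medium" if (shadow or kawa) else "none"

if __name__ == "__main__":
    for name, line in scan(SAMPLE_EVENTS):
        print(f"{name}: {line}")
    print("verdict:", triage(SAMPLE_EVENTS))
```

The shadow copy rules alone fire on legitimate administration, which is why the verdict only reaches "high" when combined with a Kawa4096-specific artefact.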
AhnLab’s security products have incorporated detections for Kawa4096 under multiple signatures. V3 diagnostics flag variants as Ransomware/Win.KawaCrypt.C5774792 and Ransomware/Win.KawaLocker.C5791069 with engine updates in July and August 2025.
AhnLab EDR also recognizes behavior patterns and system manipulation events associated with this threat, ensuring enterprise customers receive alerts and remediation guidance for Kawa4096 incidents.