Kawa4096 Ransomware: Leveraging Brand Mimicry for Psychological Impact
In June 2025, a new ransomware group known as Kawa4096 emerged, targeting multinational organizations across various sectors, including finance, education, and services. Their attacks have affected companies in multiple countries, notably Japan and the United States. Although there is currently no public information confirming whether they operate as a Ransomware-as-a-Service (RaaS) or collaborate with other threat groups, Kawa4096 is quickly gaining attention for its rapid and widespread activity.
1. Overview
An analysis of the operating methods and characteristics of the Kawa4096 threat group reveals a structured and systematic approach. They maintain a data leak site on the Tor network, where they publicly disclose information about their victims. Evidence suggests they use a double extortion tactic—exfiltrating data before encrypting it during an attack. Each victim is provided with a dedicated claim URL to manage data access, further indicating an organized infrastructure. However, there is currently no specific information available regarding the range of ransom demands or their negotiation practices.

One intriguing point from correlation analysis is the visual similarity between Kawa4096’s leak site and that of the Akira ransomware group. Akira is known for its retro-style Tor site, reminiscent of 1980s green-screen consoles, featuring a command-line interface. While this resemblance could imply a direct connection or rebranding effort, it may also be a case of design imitation. It’s worth noting that new ransomware groups often adopt branding elements from notorious predecessors to amplify psychological pressure—instilling fear and perceived credibility in victims. This tactic can enhance the effectiveness of extortion by leveraging the reputation of established threat actors.

Figure 1. Data leak site of Kawa4096 ransomware
2. Analysis
2.1. Initial Routine
A notable characteristic of the Kawa4096 ransomware is its behavior when executed without any command-line arguments: it relaunches itself with the -all argument appended. Upon restarting with -all, it initiates the full encryption process against every file designated as an encryption target.

Figure 2. Execution options of Kawa4096 ransomware
Encryption options and behaviors:
- -d=<directory>: Encrypts only the specified directory.
- -all: Encrypts all files designated as encryption targets.
- -dump: Uses the MiniDumpWriteDump API to create a .dmp file in the directory where the ransomware is executed, containing crash-related information.
The Kawa4096 ransomware creates a mutex named ‘SAY_HI_2025’ using the CreateMutexA API to prevent multiple instances from running simultaneously. This mechanism ensures the ransomware executes only once per host, avoiding potential conflicts or performance issues caused by repeated encryption of the same files. If the mutex already exists, the ransomware immediately terminates to prevent duplicate execution.

Figure 3. ‘SAY_HI_2025’ mutex code
Next, the ransomware reads configuration data embedded in the resource section of the executable using APIs such as FindResourceW and LoadResource; this configuration determines its behavior. It includes fields such as encryption exclusions (extensions, directories, files), directories designated for encryption, and lists of processes and services to terminate. These fields are explained in more detail in the following section, “Encryption Preparation.”
2.2. Encryption Preparation
Of the 17 fields identified in the configuration stored in the ransomware’s resource section and analyzed in the original report, 5 are covered below. For a detailed description of each field, please refer to the original report.
| XML Element | Description and Example |
| --- | --- |
| skip_exts (value) | Encryption Exclusion Rule – List of File Extensions to Exclude. Files with the listed extensions are excluded from encryption. This maintains system stability and accessibility by avoiding the encryption of critical files such as executables, drivers, system files, and shortcuts. Examples include: .ani, .cab, .dll, .ico, .lnk, .scr, .sys, .exe, .bat, .cmd, and many others. |
| skip_dirs (value) | Encryption Exclusion Rule – List of Directories to Exclude. The listed directories are skipped during recursive file scanning. While encryption is still performed elsewhere, these exclusions help avoid damaging the operating system or critical applications, preserving system functionality and keeping the system in a negotiable state. Examples include: All Users, PerfLogs, Program Files (x86), Program Files, and many others. |
| skip_files (value) | Encryption Exclusion Rule – List of File Names to Exclude. Files with the listed names are excluded from encryption. This is likely intended to protect critical system files related to user profiles, boot processes, and auto-run functionality, avoiding scenarios where the system becomes unbootable. Examples include: boot.ini, desktop.ini, bootmgr, thumbs.db, autorun.inf, and many others. |
| specify_dirs (enable, value) | Restriction of Encryption Scope. This option restricts encryption to the specified directories. When enable="0", the restriction is disabled and the ransomware scans all local and network drives. Although the value field contains paths that appear to target SQL Server directories, suggesting a potential focus on database data, this functionality is inactive in the analyzed sample because enable="0". Example: <specify_dirs enable="0" value="C:\\Program Files (x86)\\Microsoft SQL Server;C:\\Program Files\\Microsoft SQL Server;" /> |
| kill_process (value) | Pre-Encryption Cleanup – List of Processes to Terminate. The listed processes are terminated prior to encryption. The goal is to unlock files, interrupt backups, and disable monitoring or recovery mechanisms. Examples include: sqlservr.exe, excel.exe, firefox.exe, notepad.exe, outlook.exe, powerpnt.exe, winword.exe, wordpad.exe, and many others. |
Table 1. Part of settings and descriptions in the ransomware’s resource section
2.3. File Encryption
During execution, Kawa4096 selects the extensions and directories that match its configuration and excludes system files and other critical files from the encryption targets. It also uses a partial encryption option, which appears in the configuration as <partial value="25" />. Instead of encrypting each file in full, it encrypts only parts of each file, which significantly increases encryption speed and efficiency. Encrypting large files in full is time-consuming, so by encrypting only parts of each file, the ransomware aims to maximize the number of files it can affect in a short time. Furthermore, for file types such as documents, databases, and compressed archives, even partial corruption—especially in areas like headers or indexes—can render the files unusable (they cannot be opened or executed). This allows the ransomware to achieve its intended disruptive effect without fully encrypting every file.
Kawa4096 uses chunk-based encryption logic: for example, it divides a file into 64 KB (0x10000-byte) chunks and encrypts only 25% of them. Typically, strong partial encryption is applied to files larger than 10 MB, while files smaller than 10 MB receive full or weak partial encryption. Once the chunks to encrypt have been determined, it performs the encryption with the Salsa20 stream cipher. The encrypted file name takes the form <original file name>.<extension>.<9-character random combination of letters and numbers>. Note that the exact method may vary between published samples of the malware.
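The following triage helper is an added example, not code from the original report or from the malware: it recovers the pre-encryption file name from the naming pattern above and estimates which byte ranges of a file the partial-encryption scheme would overwrite. The chunk-selection rule (every fourth 64 KB chunk, starting at offset 0, for files over 10 MB; full encryption otherwise) is an assumption for illustration, since the page does not document it.

```python
import re
from typing import List, Optional, Tuple

CHUNK_SIZE = 0x10000                     # 64 KB chunks, as described on the page
PARTIAL_PERCENT = 25                     # <partial value="25" /> from the resource config
LARGE_FILE_THRESHOLD = 10 * 1024 * 1024  # files above 10 MB get partial encryption

# Encrypted names look like <original name>.<extension>.<9 random letters/digits>
ENCRYPTED_NAME = re.compile(r"^(?P<stem>.+)\.(?P<ext>[^.]+)\.(?P<tag>[A-Za-z0-9]{9})$")


def original_name(name: str) -> Optional[str]:
    """Return the pre-encryption file name if `name` matches the Kawa4096 pattern."""
    m = ENCRYPTED_NAME.match(name)
    return f"{m['stem']}.{m['ext']}" if m else None


def encrypted_ranges(size: int) -> List[Tuple[int, int]]:
    """Byte ranges the ransomware would overwrite in a file of `size` bytes.

    Assumed (not documented on the page): files of 10 MB or less are encrypted in
    full; larger files have every (100 / PARTIAL_PERCENT)-th 64 KB chunk encrypted,
    starting with chunk 0, so file headers are always hit. Real samples may differ.
    """
    if size <= 0:
        return []
    if size <= LARGE_FILE_THRESHOLD:
        return [(0, size)]
    stride = 100 // PARTIAL_PERCENT          # 25% -> every fourth chunk
    n_chunks = (size + CHUNK_SIZE - 1) // CHUNK_SIZE
    ranges = []
    for i in range(0, n_chunks, stride):
        start = i * CHUNK_SIZE
        ranges.append((start, min(start + CHUNK_SIZE, size)))
    return ranges


def intact_fraction(size: int) -> float:
    """Share of the file left untouched, useful when judging carving prospects."""
    if size <= 0:
        return 1.0
    encrypted = sum(end - start for start, end in encrypted_ranges(size))
    return 1.0 - encrypted / size


if __name__ == "__main__":
    # Constructed sample names and sizes for a quick stand-alone run
    for name in ("report.docx.a1B2c3D4e", "report.docx", "archive.zip.9zZ9zZ9zZ"):
        print(name, "->", original_name(name))
    for size in (4096, 20 * 1024 * 1024):
        print(size, "bytes: intact fraction", round(intact_fraction(size), 3))
```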
2.4. Ransom Note
The ransom note used by Kawa4096 shows a high degree of similarity to that of the Qilin ransomware. Both the content and format are nearly identical, informing victims of the attack and detailing the theft of sensitive data, the threat of public exposure (double extortion), and instructions for decryption and negotiation.
A ransom note named !!Restore-My-file-Kavva.txt is created in each encrypted folder as well as in the system root directory. The note includes contact information such as a Tor-based onion site address and a QTOX ID, urging victims to initiate negotiation or make payment. It also lists the types of stolen data—such as customer information, employee records, and financial data—and threatens to publicly disclose the incident if the ransom is not paid. As shown in the original report, there have been cases where customer information was disclosed.

Figure 4. Ransom note of Kawa4096 ransomware
2.5. Deleting Backup Data
The Kawa4096 ransomware launches processes through the Create method of the WMI Win32_Process class to run commands that delete volume shadow copies. The following commands are used in this process.
- vssadmin.exe Delete Shadows /all /quiet: Deletes all shadow copies
- wmic shadowcopy delete /nointerface: Deletes shadow copies in batch through WMIC

Figure 5. Code to delete volume shadow copies by Kawa4096 ransomware
It is presumed that the threat actor intends to eliminate the victim’s backup-based recovery options entirely, so that the victim cannot attempt to restore their data.
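As an added detection example (not part of the original report), the logic below scans constructed process-creation events for the two shadow-copy deletion commands listed above and raises the severity when the parent is the WMI provider host, which is what launching via Win32_Process.Create produces; the event field names follow a simplified Sysmon Event ID 1 layout and are an assumption.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events in a simplified Sysmon Event ID 1 shape.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /all /quiet",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete /nointerface",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows",          # benign admin query
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
]

# The two deletion commands from the page, matched case-insensitively and tolerant
# of extra whitespace or a missing .exe suffix.
SHADOW_DELETE_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
}


def classify(event: Dict[str, str]) -> Dict[str, str]:
    """Return an alert dict for a shadow-copy deletion, or {} if the event is benign."""
    cmd = event.get("CommandLine", "")
    for rule, pattern in SHADOW_DELETE_PATTERNS.items():
        if pattern.search(cmd):
            # Kawa4096 runs these via WMI Win32_Process.Create, so the parent is the
            # WMI provider host rather than an interactive shell: raise the severity.
            parent = event.get("ParentImage", "")
            via_wmi = parent.lower().endswith("\\wmiprvse.exe")
            return {"rule": rule, "severity": "high" if via_wmi else "medium",
                    "command": cmd, "parent": parent}
    return {}


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run classify() over a batch of events and keep only the alerts."""
    return [alert for alert in (classify(e) for e in events) if alert]


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['rule']}: {a['command']} (parent: {a['parent']})")
```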
3. AhnLab’s Response
The following are the detection names and engine dates for AhnLab products.
3.1. V3 Detection
Ransomware/Win.KawaCrypt.C5774792 (2025.07.02.02)
Ransomware/Win.KawaCrypt.C5783637 (2025.07.30.03)
Ransomware/Win.KawaLocker.C5791069 (2025.08.22.02)
Ransom/MDP.Command.M1026 (2016.04.08.03)
Ransom/MDP.Decoy.M1171 (2016.07.15.02)
Ransom/MDP.Event.M1785 (2017.11.28.00)
3.2. EDR Detection
Suspicious/MDP.Behavior.M1961 (2018.11.06.02)
SystemManipulation/EDR.Event.M2592 (2022.03.31.00)
SystemManipulation/EDR.Event.M2486 (2022.07.09.00)
Ransom/EDR.Decoy.M2470 (2022.09.30.00)
Ransom/DETECT.T1486.M11751 (2024.06.04.02)