Skip to content
Ransomware group

KawaLocker

KawaLocker, also referred to as KAWA4096, is a ransomware family first reported in June 2025 and initially uncovered by Trustwave SpiderLabs.

Profile source: Mallory opens in a new tab

KawaLocker

Family profile

KawaLocker, also referred to as KAWA4096, is a ransomware family first reported in June 2025 and initially uncovered by Trustwave SpiderLabs. It has been described as the ransomware used by the KAWA4096 group, with reported targeting that includes organizations in the United States and Japan; multiple sources specifically note activity against Japanese companies and broader industrial/manufacturing victimology in 2025 reporting. Public reporting cited in the content states the group had targeted at least 11 companies, and separate Japan-focused reporting says Kawa4096 attacked at least two Japanese companies.

The malware supports configurable encryption behavior via a configuration file loaded from the PE resource section using FindResourceW. Reported configuration items include file extensions, directories and folders to exclude from encryption, processes and services to terminate, and commands to execute. KawaLocker supports multithreaded execution and can encrypt shared network drives. It also supports command-line arguments for multithreaded execution, directory-specific encryption, and memory dump creation. Cisco-referenced reporting states it uses the Salsa20 stream cipher with chunking based on file size for performance. A later KawaLocker 2.0 variant observed in late July 2025 reportedly added a new ransom note and a hide_name flag for filename obfuscation.

Observed behavior includes creating custom file extensions and icons for encrypted files and registering them in the Windows registry. In one Huntress-observed August 2025 intrusion, encrypted files used the .AAE564FDD extension. KawaLocker drops ransom notes named !!Restore-My-file-Kavva.txt according to Japan-focused reporting, while Huntress recovered a ransom note named !!Restore-My-file-K1Vva.txt in a live incident. The ransom note in that incident contained the contact email kawa4096@onionmail[.]org. Reporting also states the ransom note threatens publication of stolen data and specifies stolen data types, indicating double-extortion tactics.

Post-encryption and anti-recovery behavior directly attributed to KawaLocker includes deletion of Volume Shadow Copies, clearing of Windows event logs, and possible self-deletion. Trustwave reported that shadow copy deletion, log clearing, and self-deletion commands are embedded in the ransomware executable. In the Huntress case, the actor executed the ransomware as e.exe -d="E:\\", after which Volume Shadow Copies were deleted with vssadmin.exe delete shadows /all /quiet, Security/System/Application logs were cleared with wevtutil, and the ransomware self-deleted via a delayed delete command.

A Huntress investigation documented one intrusion in which initial access was obtained via Remote Desktop Protocol using a compromised account. The actor used tasklist.exe piped through find to identify security tooling, deployed kill.exe and HRSword, and installed signed kernel drivers sysdiag.sys and hrwfpdr.sys associated in the reporting with Beijing Huorong Network Technology Co., Ltd. The actor then used Advanced Port Scanner for enumeration and PsExec plus a host list file (1.txt) to push a batch file to additional systems. That batch file enabled RDP by setting Terminal Server fDenyTSConnections to 0 and disabled the firewall with netsh firewall set opmode disable, likely to facilitate further manual deployment or future access. Huntress noted HRSword usage and shadow copy deletion as useful detection breadcrumbs.

The content notes superficial similarities between KawaLocker/KAWA4096 and other ransomware brands: its leak site resembles Akira’s and its ransom note is nearly identical to Qilin’s, though Trustwave assessed these similarities were likely for visibility rather than evidence of direct collaboration. Reported indicators from the Huntress incident include ransomware executable e.exe SHA256 e4fb852fed532802aa37988ef9425982d272bc5f8979c24b25b620846dac9a23; HRSword executable s.exe SHA256 ecca86e9b79d5a391a433d8d782bf54ada5a9ee04038dbaf211e0f087b5dad52; hrwfpdrv/sys-related driver SHA256 01a3dabb4684908082cb2ac710d5d42afae2d30f282f023d54d7e945ad3272f5; sysdiag.sys SHA256 11b262c936ffa8eb83457efd3261578376d49d6e789c7c026f1fa0b91929e135; and kill.exe SHA256 db8f4e007187795e60f22ee08f5916d97b03479ae70ad95ad227c57e20241e9d.

Ransomware.live

Operational record

View group record ↗

Ransomware.live

Published indicators

Full source record ↗

Sha256

1 total
  • f3a6d4ccdd0f663269c3909e74d6847608b8632fb2814b0436a4532b8281e617

Tox

1 total
  • 6A340207246B47E37F6D094D2236E5C6242B6E4461EEF8021FED2C9855240C3E11AEE886FAAF

Email

1 total
  • kawa4096@onionmail.org

MITRE ATT&CK

KawaLocker in ATT&CK

16 distinct techniques

Reporting

Research mentioning KawaLocker

Dec 9
Dragos

Dragos Industrial Ransomware Analysis: Q3 2025 | Dragos

“Lower-volume Groups… including … Kawa4096… recorded 2–4 incidents…”

Oct 24
Coveware

Insider Threats Loom while Ransom Payment Rates Plummet

KAWA4096...4% market share, new in top variants.

Sep 22
Risky Biz Rss

Risky Bulletin: Cyberattack disrupts airports across Europe

"KawaLocker ransomware: AhnLab has spotted a new ransomware strain named KawaLocker, or KAWA4096."

Aug 21
Huntress

Cephalus Ransomware: Don’t Lose Your Head | Huntress

"Recently, we’ve seen a slew of newer ransomware families (like Crux ... and KawaLocker ...)"

Aug 19
Talos Intelligence

Ransomware incidents in Japan during the first half of 2025

The ransomware used by this group, shown in Figure 6, utilizes the FindResourceW API to load a configuration file from the resource section, as illustrated in Figure 7. The configuration file defines items such as file extensions, directories and specific folders to exclude from encryption; processes and services to terminate; and commands to execute.

Aug 17
Risky Biz Rss

Risky Bulletin: Academics pull off novel 5G attack

KawaLocker ransomware: Huntress has spotted a new ransomware strain named KawaLocker, or KAWA4096.

Aug 14
Dragos

OT Ransomware Trends: Q2 2025 Analysis & Insights | Dragos

“Newly identified ransomware groups… Kawa4096…”

Aug 14
Huntress

Kawabunga, Dude, You’ve Been Ransomed! | Huntress

Huntress analysts recently observed an incident where a newer ransomware variant, KawaLocker (also known as KAWA4096) ransomware, was deployed.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.