KawaLocker, also referred to as KAWA4096, is a ransomware family first reported in June 2025 and initially uncovered by Trustwave SpiderLabs. It has been described as the ransomware used by the KAWA4096 group, with reported targeting that includes organizations in the United States and Japan; multiple sources specifically note activity against Japanese companies and broader industrial/manufacturing victimology in 2025 reporting. Public reporting cited in the content states the group had targeted at least 11 companies, and separate Japan-focused reporting says Kawa4096 attacked at least two Japanese companies.
The malware supports configurable encryption behavior via a configuration file loaded from the PE resource section using FindResourceW. Reported configuration items include file extensions, directories and folders to exclude from encryption, processes and services to terminate, and commands to execute. KawaLocker supports multithreaded execution and can encrypt shared network drives. It also supports command-line arguments for multithreaded execution, directory-specific encryption, and memory dump creation. Cisco-referenced reporting states it uses the Salsa20 stream cipher with chunking based on file size for performance. A later KawaLocker 2.0 variant observed in late July 2025 reportedly added a new ransom note and a hide_name flag for filename obfuscation.
Observed behavior includes creating custom file extensions and icons for encrypted files and registering them in the Windows registry. In one Huntress-observed August 2025 intrusion, encrypted files used the .AAE564FDD extension. KawaLocker drops ransom notes named !!Restore-My-file-Kavva.txt according to Japan-focused reporting, while Huntress recovered a ransom note named !!Restore-My-file-K1Vva.txt in a live incident. The ransom note in that incident contained the contact email kawa4096@onionmail[.]org. Reporting also states the ransom note threatens publication of stolen data and specifies stolen data types, indicating double-extortion tactics.
Post-encryption and anti-recovery behavior directly attributed to KawaLocker includes deletion of Volume Shadow Copies, clearing of Windows event logs, and possible self-deletion. Trustwave reported that shadow copy deletion, log clearing, and self-deletion commands are embedded in the ransomware executable. In the Huntress case, the actor executed the ransomware as e.exe -d="E:\", after which Volume Shadow Copies were deleted with vssadmin.exe delete shadows /all /quiet, Security/System/Application logs were cleared with wevtutil, and the ransomware self-deleted via a delayed delete command.
A Huntress investigation documented one intrusion in which initial access was obtained via Remote Desktop Protocol using a compromised account. The actor used tasklist.exe piped through find to identify security tooling, deployed kill.exe and HRSword, and installed signed kernel drivers sysdiag.sys and hrwfpdr.sys associated in the reporting with Beijing Huorong Network Technology Co., Ltd. The actor then used Advanced Port Scanner for enumeration and PsExec plus a host list file (1.txt) to push a batch file to additional systems. That batch file enabled RDP by setting Terminal Server fDenyTSConnections to 0 and disabled the firewall with netsh firewall set opmode disable, likely to facilitate further manual deployment or future access. Huntress noted HRSword usage and shadow copy deletion as useful detection breadcrumbs.
The content notes superficial similarities between KawaLocker/KAWA4096 and other ransomware brands: its leak site resembles Akira’s and its ransom note is nearly identical to Qilin’s, though Trustwave assessed these similarities were likely for visibility rather than evidence of direct collaboration. Reported indicators from the Huntress incident include ransomware executable e.exe SHA256 e4fb852fed532802aa37988ef9425982d272bc5f8979c24b25b620846dac9a23; HRSword executable s.exe SHA256 ecca86e9b79d5a391a433d8d782bf54ada5a9ee04038dbaf211e0f087b5dad52; hrwfpdrv/sys-related driver SHA256 01a3dabb4684908082cb2ac710d5d42afae2d30f282f023d54d7e945ad3272f5; sysdiag.sys SHA256 11b262c936ffa8eb83457efd3261578376d49d6e789c7c026f1fa0b91929e135; and kill.exe SHA256 db8f4e007187795e60f22ee08f5916d97b03479ae70ad95ad227c57e20241e9d.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
16 distinct techniques documented for this family, organized by ATT&CK tactic.
On August 8, we saw a threat actor accessing the victim’s endpoint via Remote Desktop Protocol (RDP), using a compromised account.
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server /v fDenyTSConnections /t REG_DWORD /d 0 /f
The kernel drivers installed as part of the threat actor’s tooling, sysdiag.sys and hrwfpdr.sys, were installed and later removed using a batch file that employed the Service Control Manager, sc.exe. Service Control Manager commands such as sc start <driver>, sc stop <driver>, and sc delete <driver> were observed in EDR telemetry.
On August 8, we saw a threat actor accessing the victim’s endpoint via Remote Desktop Protocol (RDP), using a compromised account.
The kernel drivers installed as part of the threat actor’s tooling, sysdiag.sys and hrwfpdr.sys, were installed and later removed using a batch file that employed the Service Control Manager, sc.exe. Service Control Manager commands such as sc start <driver>, sc stop <driver>, and sc delete <driver> were observed in EDR telemetry.
Early in their logon session, the threat actor had run advanced_port_scanner.exe, likely as a means of enumeration of devices and services within the infrastructure. From this, it appeared that a list of host names was saved to a file named 1.txt.
Early in their logon session, the threat actor had run advanced_port_scanner.exe, likely as a means of enumeration of devices and services within the infrastructure.
After disabling what they saw as security tools that would pose an obstacle to their efforts, the threat actor ran the following command: PsExec.exe -h @1.txt -d -c "\\[REDACTED]\1.bat"
7 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Low-volume ransomware brand referenced as part of the long-tail of operators.
KAWA4096 is a new ransomware variant that entered the top variants in Q3 2025, accounting for 4% of observed attacks.
Newly reported ransomware strain; reporting notes visual similarity between its leak site and Akira’s leak site (possible imitation vs. linkage).
Mentioned as a newer ransomware family for context; no technical details provided in the content.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.