Diagram illustrating Kawa4096 ransomware’s double extortion attack, showing data theft, partial file encryption, and public leak threats targeting multinational corporations.

In June 2025, the ransomware group Kawa4096 surfaced, targeting multinational corporations across industries like finance, education, and services in countries including Japan and the U.S. The group operates a Tor-based data leak site and uses a double extortion tactic, stealing data before encrypting files and threatening public leaks. Each victim receives a unique claim URL, indicating organized negotiation management.


Kawa4096’s malware features include self-reexecution with parameters to control encryption scope, a mutex to prevent multiple instances, and resource-embedded settings that define encryption exclusions and processes to terminate before encryption. It uses partial encryption with Salsa20 to speed up attacks while corrupting files effectively. The ransom note mimics Qilin ransomware, warning victims of data leaks and providing Tor and QTOX contact details.


To block recovery, Kawa4096 deletes all volume shadow copies via WMI commands. Security firm AhnLab has added multiple detections for this ransomware, including behavioral alerts through its EDR solutions, helping enterprises identify and respond to Kawa4096 attacks.
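The shadow-copy deletion described above is a natural behavioral detection point. The following is an added example, not AhnLab's detection logic and not taken from a Kawa4096 sample: it matches generic, well-known command-line forms of WMI-based shadow copy deletion against constructed process-creation events, and the event fields, host names and paths are assumptions.

```python
import re

# Command-line shapes for WMI-based shadow copy deletion. Assumption: generic,
# well-known forms; none is taken from a Kawa4096 sample.
WMI_SHADOW_DELETE = [
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bwin32_shadowcopy\b.*(\.delete\(\)|remove-(wmiobject|ciminstance))", re.I),
]

# Constructed process-creation events (host, parent image, command line).
SAMPLE_EVENTS = [
    {"host": "FS01", "parent": r"C:\Users\Public\sample.exe",
     "cmdline": "wmic.exe shadowcopy delete /nointeractive"},
    {"host": "WS12", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'powershell.exe -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"'},
    {"host": "WS07", "parent": r"C:\Users\Public\sample.exe",
     "cmdline": "WMIC.EXE    SHADOWCOPY   DELETE"},
    {"host": "BK01", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "wmic shadowcopy list brief"},   # inventory only, benign
    {"host": "BK01", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin list shadows"},        # no deletion, benign
]


def normalize(cmdline):
    """Drop quotes and collapse whitespace so spacing or quoting does not hide a match."""
    return re.sub(r"\s+", " ", cmdline.replace('"', "")).strip()


def detect_shadow_copy_deletion(events):
    """Return (host, parent, normalized command) for each matching event."""
    hits = []
    for ev in events:
        cmd = normalize(ev["cmdline"])
        if any(p.search(cmd) for p in WMI_SHADOW_DELETE):
            hits.append((ev["host"], ev["parent"], cmd))
    return hits


if __name__ == "__main__":
    for host, parent, cmd in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"ALERT {host}: parent={parent} cmd={cmd}")
```

Keeping the parent image in each hit lets an analyst pivot from the deletion command to the binary that launched it.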
 