KAWA4096’s Ransomware Tide: Rising Threat With Borrowed Styles

July 18, 2025, 8:51 a.m.

Description

KAWA4096, a new ransomware that emerged in June 2025, has claimed at least 11 victims, primarily targeting the United States and Japan. The malware features a leak site mimicking the Akira ransomware group's style and a ransom note format similar to Qilin's. KAWA4096 employs multithreading, semaphores for synchronization, and can encrypt files on shared network drives. It terminates specific services and processes, deletes shadow copies, and utilizes a configuration loaded from its binary. The ransomware's encryption process involves file scanning, skipping certain files and directories, and using a shared queue for efficient processing. It also changes file icons and can modify the desktop wallpaper. The group's tactics appear to be aimed at boosting visibility and credibility by imitating established ransomware operations.

Date

  • Created: July 18, 2025, 7:36 a.m.
  • Published: July 18, 2025, 7:36 a.m.
  • Modified: July 18, 2025, 8:51 a.m.

Attack Patterns

Additional Information

  • Japan
  • United States of America