Kawabunga, Dude, You've Been Ransomed!
Aug. 15, 2025, 12:38 p.m.
Description
A new ransomware variant called KawaLocker (KAWA4096) was recently observed in an attack. The threat actor gained initial access via RDP using a compromised account and employed various tools to disable security measures. HRSword, a monitoring tool, was deployed along with kernel drivers sysdiag.sys and hrwfpdr.sys. The attacker used PsExec to enable RDP on additional endpoints. KawaLocker ransomware was then deployed against the E:\ volume, encrypting files and leaving a ransom note. Post-encryption, the attacker deleted Volume Shadow Copies, cleared Windows Event Logs, and removed the ransomware executable. The incident highlights the importance of detecting and remediating such attacks promptly.
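The chain above (RDP logon with a stolen account, HRSword driver installs, PsExec, shadow-copy deletion, log clearing) maps onto a handful of Windows event IDs; the following detection pass is an added example written for this page, not code from the report. Field names, the `vssadmin delete shadows` command line (the report only says shadow copies were deleted) and the sample events are assumptions; the driver names come from the report and PSEXESVC is PsExec's default service name.

```python
"""Flag the KawaLocker intrusion steps in a stream of Windows event records.
Events are constructed dicts whose keys mirror common Windows event fields
(EventID, LogonType, ServiceName, ImagePath, CommandLine); this is an assumption."""

# Driver file names taken from the report; PSEXESVC is PsExec's default service name.
SUSPECT_DRIVERS = {"sysdiag.sys", "hrwfpdr.sys"}
SUSPECT_SERVICES = {"psexesvc"}


def check_event(ev):
    """Return a (rule, detail) tuple if the event matches one of the reported steps, else None."""
    eid = ev.get("EventID")
    if eid == 7045:  # System log: a new service (or driver) was installed
        image = ev.get("ImagePath", "").lower().rsplit("\\", 1)[-1]
        name = ev.get("ServiceName", "").lower()
        if image in SUSPECT_DRIVERS:
            return ("hrsword_driver_install", image)
        if name in SUSPECT_SERVICES:
            return ("psexec_service_install", name)
    elif eid == 4688:  # Security log: process creation with command line auditing
        cmd = ev.get("CommandLine", "").lower()
        if "vssadmin" in cmd and "delete" in cmd and "shadows" in cmd:
            return ("shadow_copy_deletion", cmd)
    elif eid == 1102:  # Security log: the audit log was cleared
        return ("event_log_cleared", ev.get("SubjectUserName", "?"))
    elif eid == 4624 and ev.get("LogonType") == 10:  # RemoteInteractive logon = RDP
        return ("rdp_logon", ev.get("TargetUserName", "?"))
    return None


def scan(events):
    """Run check_event over every record and keep the hits, in log order."""
    return [hit for hit in map(check_event, events) if hit]


# Constructed sample events that mirror the reported chain, plus one benign logon.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup"},
    {"EventID": 7045, "ServiceName": "sysdiag", "ImagePath": "C:\\Tools\\HRSword\\sysdiag.sys"},
    {"EventID": 7045, "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"EventID": 4688, "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"EventID": 1102, "SubjectUserName": "svc_backup"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "fileshare"},  # network logon, not flagged
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

A single hit is weak evidence on its own; correlating an RDP logon, a driver install and a shadow-copy deletion on the same host within a short window is what separates this chain from routine administration.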
Tags
Date
- Created: Aug. 15, 2025, 5:29 a.m.
- Published: Aug. 15, 2025, 5:29 a.m.
- Modified: Aug. 15, 2025, 12:38 p.m.
Indicators