KAWA4096 (left) vs AKIRA (right) data leak site | Image: Trustwave
A new ransomware family known as KAWA4096 has surfaced, blending tactics from notorious groups like Qilin and Akira to carve out its own identity. Discovered in June 2025, this ransomware has already claimed at least 11 victims, primarily targeting organizations in the United States and Japan.
“KAWA4096, a ransomware whose name includes ‘Kawa’, the Japanese word for ‘river’, first emerged in June 2025,” Trustwave reports. “This new threat features a leak site that follows the style of the Akira ransomware group, and a ransom note format similar to Qilin’s.”
KAWA4096’s operation combines custom configuration loading, service termination, multithreaded encryption, and a dark web leak site modeled after Akira’s aesthetic—all aimed at inflicting maximum damage and psychological pressure.
The ransomware is loaded with features:
- File skipping logic for essential system files and directories
- Threaded encryption using semaphores to speed up system-wide data locking
- Self-deletion upon completion
- Wallpaper changes to indicate infection (in this sample, a solid black screen)
- Anti-recovery measures, including shadow copy deletion
“The ransomware utilizes semaphores and multi-threading to maximize its encryption efficiency across the infected system,” the report explains.
Once active, KAWA4096 scans the infected machine and terminates a long list of antivirus agents, backup services, and database-related applications using Windows APIs like ControlService and TerminateProcess.
Among the targeted services and processes:
- Veeam, Acronis, and SQL Server
- SAPHostExec, QuickBooks, and Sophos
- Common productivity tools like Outlook, PowerPoint, Excel, and even TeamViewer
“The ransomware also creates a dedicated thread that continuously monitors and terminates specific processes based on its configuration,” the report reveals.
KAWA4096’s configuration is embedded directly in the binary using the LoadResource API. It includes parameters like:
- skip_exts (e.g., .exe, .dll, .sys)
- kill_service and kill_process
- thread_num (controls concurrent encryption threads)
- self_delete (to wipe traces after encryption)
If launched without parameters, it respawns itself with -all to ensure complete activation.
“It then creates a mutex named SAY_HI_2025 to ensure that only a single instance of the ransomware is running.”
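As an added example, not code from the article or from Trustwave's report: a small Python triage script that scores normalised endpoint telemetry for the behaviours described above, namely the SAY_HI_2025 mutex, a process respawning itself with `-all`, and the stopping of the named backup, database and security services. The one-JSON-object-per-line event schema, the field names and the scoring weights are assumptions; real EDR or Sysmon output would need mapping onto these fields, and since Sysmon does not log mutex creation, that signal presumes an EDR that does. The sample events are constructed.

```python
"""Score endpoint telemetry for the KAWA4096 behaviours named in the article.

Illustrative defender-side example; the event schema (one flat JSON object per
line with a "type" field) and the weights are assumptions, not a vendor format.
"""
import json

# Indicators taken from the article; everything else here is assumed.
MUTEX_NAME = "SAY_HI_2025"
RESPAWN_ARG = "-all"
WATCHED_SERVICES = ("veeam", "acronis", "sql server", "saphostexec", "quickbooks", "sophos")
WATCHED_PROCESSES = ("outlook", "powerpoint", "excel", "teamviewer")

# Constructed sample telemetry: ws01 shows the full chain, ws02 is benign noise.
SAMPLE_EVENTS = [
    r'{"host":"ws01","type":"process_create","pid":4100,"ppid":600,"image":"C:\\Users\\a\\update.exe","cmdline":"update.exe"}',
    r'{"host":"ws01","type":"process_create","pid":4188,"ppid":4100,"image":"C:\\Users\\a\\update.exe","cmdline":"update.exe -all"}',
    r'{"host":"ws01","type":"mutex_create","pid":4188,"name":"SAY_HI_2025"}',
    r'{"host":"ws01","type":"service_stop","pid":4188,"service":"Veeam Backup Service"}',
    r'{"host":"ws01","type":"service_stop","pid":4188,"service":"SQL Server (MSSQLSERVER)"}',
    r'{"host":"ws01","type":"process_terminate","pid":4188,"target":"OUTLOOK.EXE"}',
    r'{"host":"ws02","type":"process_create","pid":2200,"ppid":800,"image":"C:\\Program Files\\Office\\EXCEL.EXE","cmdline":"EXCEL.EXE /x"}',
    r'{"host":"ws02","type":"mutex_create","pid":2200,"name":"Local\\OfficeSession"}',
    r'{"host":"ws02","type":"service_stop","pid":3300,"service":"Spooler"}',
]


def analyse(lines):
    """Return {host: {"score": int, "reasons": [str]}} for every host in the stream."""
    image_by_pid = {}  # (host, pid) -> image path, needed for the self-respawn check
    results = {}
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed telemetry line: skip it rather than abort the run
        host = ev.get("host", "?")
        rec = results.setdefault(host, {"score": 0, "reasons": []})
        etype = ev.get("type")
        if etype == "process_create":
            image = ev.get("image", "")
            image_by_pid[(host, ev.get("pid"))] = image
            parent_image = image_by_pid.get((host, ev.get("ppid")), "")
            cmdline = ev.get("cmdline", "")
            # Article: launched without parameters, it respawns itself with -all.
            if RESPAWN_ARG in cmdline.split() and parent_image and parent_image.lower() == image.lower():
                rec["score"] += 3
                rec["reasons"].append(f"self-respawn with {RESPAWN_ARG}: {cmdline}")
        elif etype == "mutex_create":
            if ev.get("name") == MUTEX_NAME:
                rec["score"] += 5  # single-instance mutex is the most specific signal
                rec["reasons"].append(f"mutex {MUTEX_NAME} created by pid {ev.get('pid')}")
        elif etype == "service_stop":
            svc = ev.get("service", "").lower()
            if any(w in svc for w in WATCHED_SERVICES):
                rec["score"] += 1
                rec["reasons"].append(f"backup/database/security service stopped: {ev.get('service')}")
        elif etype == "process_terminate":
            target = ev.get("target", "").lower()
            if any(w in target for w in WATCHED_PROCESSES):
                rec["score"] += 1
                rec["reasons"].append(f"productivity process terminated: {ev.get('target')}")
    return results


def alerts(lines, threshold=5):
    """Hosts whose cumulative score reaches the (assumed) alert threshold."""
    return sorted(h for h, r in analyse(lines).items() if r["score"] >= threshold)


if __name__ == "__main__":
    for host, rec in analyse(SAMPLE_EVENTS).items():
        print(host, rec["score"], *rec["reasons"], sep="\n  ")
    print("alert on:", alerts(SAMPLE_EVENTS))
```

The threshold is set so that the mutex alone fires while a lone service stop does not; the respawn and service-stop signals are there to give analysts corroborating context and to catch a rebuilt sample that changed its mutex name but kept the same execution pattern.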
Encrypted files are marked with a custom icon resembling “SQL Monitor,” and although the ransomware can display a ransom wallpaper, the observed sample only changes the background to black.
The ransom note KAWA4096 drops is nearly identical to that of Qilin ransomware, with only slight changes in wording and formatting. The data leak site mimics Akira’s terminal-style interface, with green-on-black color schemes and duplicated introductory language. Such mimicry is likely meant to signal legitimacy in the underground and to intimidate victims into complying with ransom demands.
At present, there is no direct attribution or clear link between KAWA4096 and other ransomware groups. However, its blend of recycled tools and visual branding suggests a low-to-mid sophistication actor trying to leverage reputation laundering from more advanced operations.