Huntress analysts have tracked a fresh ransomware incident involving KawaLocker, also known as KAWA4096. The variant is new, but the method is familiar. Attackers gained access, disabled defenses, and moved to encrypt files.
Ransomware families surface often. A year ago, Huntress reported on ReadText34. Just last month, a never-before-seen strain called Crux appeared. KawaLocker joins the list.
According to Trustwave SpiderLabs, KawaLocker first appeared in June 2025. Its ransom note echoes Qilin. Its leak site resembles Akira. Analysts believe the similarities are meant to draw attention, not signal collaboration.
The attack began on 8 August. Threat actors entered a victim’s system through Remote Desktop Protocol, using stolen credentials.
Once inside, Huntress researchers said they set about removing the tools that might stop them. They launched HRSword, a utility with links to China-based Huorong Network Technology. HRSword, together with other components, gave the attackers visibility and control across the system.
Kill.exe was used. Tasklist.exe followed. Security tools were identified and then disabled one by one. Services crashed. Kernel drivers were loaded and then removed. Commands issued through the Service Control Manager left a trail in the logs.
The attackers scanned the network with advanced_port_scanner.exe and saved the results to a text file.
They then pushed commands to enable RDP on additional machines, opening doors across the environment. The plan was simple: spread further, return later if needed, and deploy the ransomware by hand.
Deployment came next. On the victim’s E:\ volume, the attackers launched the encryptor. Huntress decoy files on the C:\ drive were untouched, but audit logs recorded what happened. File access attempts revealed the scope of encryption.
A ransom note was left behind, directing victims to contact kawa4096@onionmail[.]org. The name KAWA4096 likely comes from that address.
After encryption, the malefactors cleaned up. Shadow Copies were erased. Windows event logs cleared. The ransomware deleted itself, leaving only damaged files and a note demanding payment.
Huntress investigators moved quickly. They contained the incident before the attackers could pivot to other endpoints. Attempts to expand through RDP failed. The damage, though serious, was limited.
Detection is built from detail. Analysts point to the use of HRSword, the deletion of Shadow Copies, and specific command-line activity as signals of KawaLocker activity. Each clue strengthens defenses against the next intrusion.
The lesson is familiar. Adversaries adapt. They build on known methods, reuse designs, borrow the look and feel of other groups. The result is not novelty, but persistence. KawaLocker is one more proof.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
