Ransomware Attacks on Japan Surge by 40% in Recent Spike


Japan experienced a significant escalation in ransomware incidents during the first half of 2025, with Cisco Talos reporting 68 cases affecting domestic organizations compared to 48 during the same period in 2024, representing a troubling 1.4-fold increase.

This surge underscores the persistent and growing threat posed by cybercriminals targeting Japanese businesses, particularly small and medium-sized enterprises.

SMEs Remain Prime Targets as Manufacturing Leads Victim Count

The attack patterns reveal a continued focus on vulnerable smaller organizations, with companies having capital under ¥1 billion accounting for 69% of all incidents.

Organizations with less than ¥100 million capital represented the largest victim group at 38%, followed by those with ¥100 million to ¥1 billion at 31%.

The manufacturing sector bore the heaviest impact, experiencing 18.2% of all attacks, while the automotive industry followed with 5.7% of incidents.

Ransomware groups averaged approximately 11 attacks per month, with monthly incidents ranging from 4 to 16 cases. This consistency suggests sustained, systematic targeting rather than opportunistic strikes.

Qilin Emerges as Japan’s Most Active Threat Actor

The ransomware landscape has shifted dramatically following law enforcement takedowns of previously dominant groups LockBit and 8base in February 2024 and February 2025, respectively.

Qilin, which caused no reported damage in Japan during fiscal year 2024, suddenly emerged as the most active group with eight confirmed victim organizations in the first half of 2025.

Active since October 2022, Qilin has established itself as a significant international threat actor. Following Qilin’s dominance, three groups, Lynx, Nightspire, and RansomHub, each accounted for three incidents, while newer entrants like Akira, Cicada3301, and the emerging Kawa4096 group claimed two victims each.

New Kawa4096 Group Demonstrates Sophisticated Technical Capabilities

Of particular concern is Kawa4096, which began operations in late June 2025 and immediately targeted Japanese companies.

The group’s KaWaLocker ransomware demonstrates advanced technical sophistication. It encrypts files with the Salsa20 stream cipher and sizes its chunks dynamically according to file size, using 64KB chunks for optimal performance on files larger than 10MB.

The malware creates custom file extensions and icons, executes data deletion commands to prevent recovery, and includes a “hide_name” feature in version 2.0 that encrypts filenames using hash functions.

KaWaLocker also implements multi-threading capabilities and creates mutex values to prevent duplicate executions.

The group’s rapid emergence and immediate focus on Japanese targets, combined with the technical advancement demonstrated in KaWaLocker 2.0, suggest that Kawa4096 represents a significant emerging threat requiring close monitoring by cybersecurity professionals and organizations across Japan.
