Japan saw a significant increase in ransomware attacks in the first half of 2025, with incidents up roughly 1.4 times over the same period of the year before.
According to a detailed investigation by Cisco Talos, 68 ransomware cases targeted Japanese organizations, including domestic firms and their overseas branches, from January to June 2025.
The count, compiled from Cisco telemetry, official company statements, news reports, and ransomware leak sites, contrasts sharply with the 48 incidents recorded in the same period of the prior year.
Ransomware Landscape in Japan
Monthly volumes fluctuated between 4 and 16 incidents, averaging around 11 per month, underscoring a persistent and intensifying threat.
The manufacturing sector bore the brunt of these attacks, accounting for 18.2% of cases, followed by automotive (5.7%), with trading companies, construction, and transportation each at 4.6%.
Unchanged from last year, the pattern highlights attackers' continued focus on small and medium-sized enterprises (SMEs), which comprised 69% of victims: 38% with capital under ¥100 million and 31% with capital between ¥100 million and ¥1 billion.
This targeting strategy exploits vulnerabilities in less-resourced entities, where robust cybersecurity measures may lag behind larger corporations.
The absence of previously dominant groups like LockBit and 8Base, dismantled by international law enforcement in 2024 and 2025 respectively, has paved the way for emerging threats.
Notably, Qilin has ascended as the most prolific actor, claiming eight Japanese victims in this period, a stark rise from zero incidents in fiscal year 2024.
Active since October 2022, Qilin’s operations exemplify the global ransomware-as-a-service (RaaS) model, amplifying its reach and impact.
Other active groups include RansomHub and Hunters International, both present in prior rankings, with Lynx, Nightspire, and RansomHub each recording three incidents, and Akira, Cicada3301, Gunra, Kawa4096, and Space Bears two apiece.
Single-incident actors such as Black Suit, CLOP, Devman, Fog, and Play further diversify the threat landscape.
Spotlight on Emerging Threat
A new entrant, Kawa4096, emerged in late June 2025, swiftly targeting Japanese entities with two confirmed attacks by month’s end.
The group's KaWaLocker ransomware loads its configuration from the executable's resource section via the FindResourceW API.
The configuration specifies encryption exclusions (file extensions, directories), processes to terminate, and post-encryption commands executed through WMI; observed examples range from launching the calculator, apparently for testing, to forcing a reboot with "shutdown /r /t 0".
Encrypted files receive a custom extension taken from the resource data, and an icon for that extension is registered in the Windows registry under HKEY_LOCAL_MACHINE\Software\Classes.

Command-line arguments include "-all" for comprehensive multithreaded encryption, "-d" for targeting a specific directory, and "-dump" for writing a process memory dump via the MiniDumpWriteDump API.
A mutex named "SAY_HI_2025" prevents concurrent executions, while the ransom note, "!!Restore-My-file-Kavva.txt", reflects double-extortion tactics by threatening to leak sensitive data such as employee and customer records.
After encryption, the malware runs commands to delete volume shadow copies (vssadmin.exe, wmic), clear Windows event logs (wevtutil), and delete its own binary via a delayed command.
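The post-encryption command sequence above (shadow copy deletion, event log clearing, forced reboot, delayed self-delete) is noisy in process-creation telemetry, and the combination is a far stronger signal than any single command. The following is an added detection example written for this article, not Cisco Talos or Kawa4096 code. It runs a small rule set over constructed log lines in a simple CSV shape (timestamp, host, parent image, image, command line) and flags a host where several distinct destructive techniques occur within a short window. The self-delete pattern is an assumption about the usual shape of such a command, since the report does not quote it.

```python
"""Flag KaWaLocker-style post-encryption command clusters in process-creation logs.

Added illustration for this article; not Cisco Talos or Kawa4096 code.
SAMPLE_LOG is constructed.  The delayed self-delete pattern is an assumption
about the common shape of such commands (the report does not quote it).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (technique label, pattern matched against the full command line)
RULES = [
    ("shadow_delete_vssadmin", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_delete_wmic",     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("eventlog_clear",         re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("forced_reboot",          re.compile(r"shutdown(\.exe)?\s+/r\s+/t\s+0", re.I)),
    # Assumed shape: cmd.exe /c <delay via ping or timeout> & del <path>
    ("delayed_self_delete",    re.compile(r"cmd(\.exe)?\s+/c\s+(ping|timeout)\b.*&\s*del\b", re.I)),
]

# Constructed sample: one compromised workstation plus benign admin activity on a server.
SAMPLE_LOG = """\
2025-06-28T02:11:03,WS-0142,C:\\Windows\\explorer.exe,C:\\Users\\u\\Downloads\\update.exe,update.exe -all
2025-06-28T02:19:40,WS-0142,C:\\Users\\u\\Downloads\\update.exe,C:\\Windows\\System32\\vssadmin.exe,vssadmin.exe delete shadows /all /quiet
2025-06-28T02:19:41,WS-0142,C:\\Users\\u\\Downloads\\update.exe,C:\\Windows\\System32\\wbem\\WMIC.exe,wmic shadowcopy delete
2025-06-28T02:19:42,WS-0142,C:\\Users\\u\\Downloads\\update.exe,C:\\Windows\\System32\\wevtutil.exe,wevtutil cl Security
2025-06-28T02:19:43,WS-0142,C:\\Users\\u\\Downloads\\update.exe,C:\\Windows\\System32\\cmd.exe,cmd.exe /c ping 127.0.0.1 -n 5 > nul & del "C:\\Users\\u\\Downloads\\update.exe"
2025-06-28T02:19:44,WS-0142,C:\\Users\\u\\Downloads\\update.exe,C:\\Windows\\System32\\shutdown.exe,shutdown /r /t 0
2025-06-28T09:02:10,SRV-BK01,C:\\Windows\\System32\\cmd.exe,C:\\Windows\\System32\\vssadmin.exe,vssadmin list shadows
2025-06-28T09:05:00,SRV-BK01,C:\\Windows\\System32\\services.exe,C:\\Windows\\System32\\wevtutil.exe,wevtutil qe Application /c:5
"""


def parse_line(line: str) -> dict:
    """Split one CSV line; the command line is the last field and may contain anything."""
    ts, host, parent, image, cmd = line.split(",", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "parent": parent, "image": image, "cmd": cmd}


def match_rules(cmd: str) -> list:
    """Return the technique labels whose pattern matches this command line."""
    return [name for name, rx in RULES if rx.search(cmd)]


def detect(log_text: str, window=timedelta(minutes=5), min_distinct=3) -> dict:
    """Per host: matched events, the largest set of distinct techniques seen inside
    `window`, whether that set is large enough to call a ransomware cleanup sequence,
    and whether every matched command shares one parent process."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    hits = defaultdict(list)
    for ev in events:
        for rule in match_rules(ev["cmd"]):
            hits[ev["host"]].append((ev["ts"], rule, ev["parent"], ev["cmd"]))

    findings = {}
    for host, hs in hits.items():
        hs.sort()
        best = set()
        for ts, _, _, _ in hs:  # slide the window from each hit
            cluster = {r for t, r, _, _ in hs if ts <= t <= ts + window}
            if len(cluster) > len(best):
                best = cluster
        findings[host] = {
            "hits": hs,
            "distinct_techniques": sorted(best),
            "ransomware_sequence": len(best) >= min_distinct,
            "common_parent": len({p for _, _, p, _ in hs}) == 1,
        }
    return findings


if __name__ == "__main__":
    for host, f in detect(SAMPLE_LOG).items():
        print(host, "sequence" if f["ransomware_sequence"] else "isolated",
              f["distinct_techniques"], "single parent:", f["common_parent"])
```

The benign server lines ("vssadmin list shadows", "wevtutil qe") match nothing, so only the workstation is reported; requiring several distinct techniques in a short window, all spawned by the same unsigned parent, keeps a lone administrator running vssadmin out of the alert queue.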
Encryption uses the Salsa20 stream cipher with size-adaptive partial encryption: files of 10 MB or less are encrypted in full, while larger files are encrypted in 64 KB chunks whose number scales with file size (for example, one chunk for files between 10 MB and 100 MB, up to 100 chunks for files over 1 GB), trading completeness for speed. Because only those chunks are touched, large files retain plaintext outside the encrypted regions, which matters for recovery and forensic triage.
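To make the chunking scheme concrete, here is an added model of it written for this article; it is not KaWaLocker code. Salsa20 is implemented in pure Python from the public specification so the block runs without third-party packages, and the keystream counter is tied to the file offset so decryption is the same operation as encryption. The report only gives the two endpoints of the chunk-count schedule (one chunk for 10 to 100 MB, up to 100 above 1 GB), so the intermediate tier, the even spacing of chunks across the file, and the 32-byte key and 8-byte nonce handling are assumptions.

```python
"""Model of KaWaLocker-style size-adaptive chunked Salsa20 encryption.

Added illustration for this article, not KaWaLocker code.  Salsa20 follows the
reference specification; the chunk-count tier between 100 MB and 1 GB, the even
spacing of chunks, and the key/nonce handling are assumptions.
"""
import struct

MASK = 0xFFFFFFFF
CHUNK = 64 * 1024                       # 64 KB chunk unit named in the report
FULL_ENCRYPT_LIMIT = 10 * 1024 * 1024   # files up to 10 MB are encrypted whole


def _rotl(v, c):
    return ((v << c) & MASK) | (v >> (32 - c))


def _quarterround(y0, y1, y2, y3):
    y1 ^= _rotl((y0 + y3) & MASK, 7)
    y2 ^= _rotl((y1 + y0) & MASK, 9)
    y3 ^= _rotl((y2 + y1) & MASK, 13)
    y0 ^= _rotl((y3 + y2) & MASK, 18)
    return y0, y1, y2, y3


def salsa20_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    """One 64-byte keystream block for a 32-byte key, 8-byte nonce and 64-bit counter."""
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    c = (counter & MASK, (counter >> 32) & MASK)
    s = struct.unpack("<4I", b"expand 32-byte k")
    x0 = [s[0], k[0], k[1], k[2], k[3], s[1], n[0], n[1],
          c[0], c[1], s[2], k[4], k[5], k[6], k[7], s[3]]
    x = list(x0)
    for _ in range(10):  # 20 rounds = 10 double rounds (column round, then row round)
        for a, b, cc, d in ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11)):
            x[a], x[b], x[cc], x[d] = _quarterround(x[a], x[b], x[cc], x[d])
        for a, b, cc, d in ((0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)):
            x[a], x[b], x[cc], x[d] = _quarterround(x[a], x[b], x[cc], x[d])
    return struct.pack("<16I", *[(x[i] + x0[i]) & MASK for i in range(16)])


def salsa20_xor(key: bytes, nonce: bytes, data: bytes, byte_offset: int = 0) -> bytes:
    """XOR data with keystream positioned at byte_offset (must be 64-byte aligned)."""
    assert byte_offset % 64 == 0
    out = bytearray(len(data))
    first_block = byte_offset // 64
    for i in range(0, len(data), 64):
        ks = salsa20_block(key, nonce, first_block + i // 64)
        piece = data[i:i + 64]
        out[i:i + len(piece)] = bytes(p ^ q for p, q in zip(piece, ks))
    return bytes(out)


def chunk_plan(size: int) -> list:
    """(offset, length) regions to encrypt for a file of `size` bytes.
    Tiers: <=10 MB whole file; <=100 MB one chunk; <=1 GB ten chunks (assumed);
    above 1 GB one hundred chunks.  Chunks are spread evenly (assumed)."""
    if size <= FULL_ENCRYPT_LIMIT:
        return [(0, size)]
    if size <= 100 * 1024 * 1024:
        n = 1
    elif size <= 1024 * 1024 * 1024:
        n = 10
    else:
        n = 100
    n = min(n, size // CHUNK)
    if n == 1:
        return [(0, CHUNK)]
    span = size - CHUNK  # last chunk must end inside the file
    return [((i * span // (n - 1)) // CHUNK * CHUNK, CHUNK) for i in range(n)]


def transform_file_bytes(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """Encrypt (or, applied again, decrypt) only the regions chunk_plan selects."""
    buf = bytearray(data)
    for off, ln in chunk_plan(len(data)):
        buf[off:off + ln] = salsa20_xor(key, nonce, bytes(buf[off:off + ln]), off)
    return bytes(buf)


if __name__ == "__main__":
    key, nonce = bytes(range(32)), bytes(8)   # fixed demo values, not real key material
    big = b"B" * (12 * 1024 * 1024)           # 12 MB constructed sample
    enc = transform_file_bytes(big, key, nonce)
    print("regions:", chunk_plan(len(big)), "plaintext bytes left:", sum(enc[i] == 0x42 for i in range(len(enc))))
    print("2 GB file would get", len(chunk_plan(2 * 1024 ** 3)), "chunks")
```

For a 12 MB file only the first 64 KB changes; the remaining 12 MB is left untouched, which is why a responder carving a partially encrypted database or archive from such a host can still recover most of its content.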
By late July 2025, KaWaLocker 2.0 introduced enhancements, including an updated ransom note with email contacts and a "hide_name" flag that hashes and obfuscates the names of encrypted files, further complicating forensic reconstruction.
These developments signal Kawa4096’s rapid evolution, urging heightened vigilance in vulnerability management and threat intelligence sharing among Japanese SMEs to mitigate this burgeoning cyber risk.