Ransomware incidents Targeting Japan Increased by Approximately 1.4 Times


Japan experienced a significant surge in ransomware attacks during the first half of 2025, with incidents increasing by approximately 1.4 times compared to the same period in 2024.

According to research by cybersecurity analysts, 68 ransomware cases affected Japanese organizations between January and June 2025, a substantial rise from the 48 cases recorded during the corresponding period of 2024.

This escalation demonstrates the persistent and evolving threat landscape facing Japanese enterprises across multiple sectors.


The attackers continue to demonstrate a clear preference for targeting small and medium-sized enterprises, with organizations having capital under 1 billion yen comprising 69% of all victims.

Manufacturing remains the most severely impacted sector, accounting for 18.2% of all incidents, followed by automotive companies at 5.7%.

The monthly incident count averaged approximately 11 attacks, ranging from a minimum of 4 to a maximum of 16 cases per month, indicating consistent threat actor activity throughout the observation period.

Cisco Talos analysts identified a notable shift in the ransomware threat landscape, with the Qilin group emerging as the most active operator targeting Japanese organizations.

Despite having no reported activity in Japan during fiscal year 2024, Qilin orchestrated eight confirmed attacks during the first half of 2025, establishing itself as the primary concern for Japanese cybersecurity professionals.

This dramatic increase in Qilin’s operations coincided with the cessation of activities by previously dominant groups LockBit and 8base, which were disrupted by law enforcement takedown operations in February 2024 and February 2025, respectively.

The research also unveiled the emergence of a new ransomware group called Kawa4096, which began operations in late June 2025 and immediately targeted Japanese companies.

Kawa4096 leak site (Source – Cisco Talos)

Within its first week of activity, this group successfully compromised two Japanese organizations, demonstrating an alarming focus on the Japanese market from its inception.

The rapid targeting of Japanese entities by this new group suggests sophisticated threat intelligence and operational capabilities.

KaWaLocker Technical Analysis: Advanced Encryption and Evasion Mechanisms

The KaWaLocker ransomware deployed by Kawa4096 exhibits sophisticated technical characteristics that distinguish it from conventional ransomware families.

The malware utilizes a resource-based configuration system, loading critical operational parameters through the FindResourceW API from embedded RCDATA sections.

Encrypted file (Source – Cisco Talos)

This approach allows attackers to customize encryption behavior, file exclusions, and post-infection commands without modifying the core executable.

The ransomware implements an intelligent chunk-based encryption strategy using the Salsa20 stream cipher, optimizing performance based on file sizes.

Files smaller than 10MB are encrypted in full, while larger files undergo selective encryption with chunk sizes that vary by file size.

KaWaLocker2.0 ransom note (Source – Cisco Talos)

Files between 32MB and 64MB receive 32MB chunks, while files exceeding 2GB are processed using 128MB segments.

This selective approach significantly reduces encryption time while maintaining data inaccessibility.

KaWaLocker incorporates multiple evasion techniques, including mutex creation using “SAY_HI_2025” to prevent duplicate executions and registry manipulation to establish custom file associations.

The malware systematically terminates database and backup services before encryption, then executes shadow copy deletion commands to prevent recovery attempts, demonstrating a comprehensive understanding of enterprise backup infrastructures.
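As an added illustration of the pre-encryption sequence described above (this is example code written for this page, not code from Cisco Talos or the original article), the following Python script correlates process-creation events per host: a stop of a database or backup service followed within a short window by a shadow-copy deletion command is raised as a high-confidence alert, while either event alone is not. The event lines, service-name keywords and command patterns are constructed assumptions for the example; the page does not name the specific commands KaWaLocker runs.

```python
import re
from datetime import datetime

# Constructed sample process-creation events (not real telemetry), one per line:
# "timestamp|host|command line". Host WS01 mirrors the described KaWaLocker
# sequence (stop database/backup services, then delete shadow copies); the other
# hosts show benign or isolated activity that should not trigger the chain alert.
SAMPLE_EVENTS = """\
2025-06-25T09:00:01|WS01|net stop MSSQLSERVER /y
2025-06-25T09:00:03|WS01|sc stop VeeamBackupSvc
2025-06-25T09:00:20|WS01|vssadmin delete shadows /all /quiet
2025-06-25T09:05:00|WS02|net stop Spooler
2025-06-25T11:30:00|WS03|vssadmin list shadows
2025-06-25T12:00:00|WS04|wmic shadowcopy delete
"""

# Service keywords are an assumption for illustration; tune them to the environment.
SERVICE_STOP = re.compile(
    r"^(net\s+stop|sc\s+stop)\s+\S*(sql|oracle|mysql|postgres|veeam|backup|acronis)", re.I)
# Common shadow-copy deletion invocations (assumed patterns, not taken from the page).
SHADOW_DELETE = re.compile(
    r"(vssadmin\s+delete\s+shadows|wmic\s+shadowcopy\s+delete|win32_shadowcopy.*delete)", re.I)


def parse_events(text):
    """Parse the pipe-delimited sample format into (timestamp, host, command) tuples, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, host, cmd = line.split("|", 2)
        events.append((datetime.fromisoformat(ts), host, cmd))
    return sorted(events)


def detect_pre_encryption_chain(text, window_seconds=300):
    """Return (host, command) for each shadow-copy deletion that follows a
    database/backup service stop on the same host within window_seconds."""
    last_stop = {}  # host -> timestamp of the most recent matching service stop
    alerts = []
    for ts, host, cmd in parse_events(text):
        if SERVICE_STOP.search(cmd):
            last_stop[host] = ts
        elif SHADOW_DELETE.search(cmd):
            if host in last_stop and (ts - last_stop[host]).total_seconds() <= window_seconds:
                alerts.append((host, cmd))
    return alerts


if __name__ == "__main__":
    for host, cmd in detect_pre_encryption_chain(SAMPLE_EVENTS):
        print(f"ALERT {host}: service stop followed by shadow-copy deletion: {cmd}")
```

Standalone shadow-copy deletions (WS04 above) are worth a lower-severity rule of their own; the chain check is meant to surface the sequence the page describes with fewer false positives.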



About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.