KAWA4096 Ransomware Employs WMI Techniques to Delete Backup Snapshots

Trustwave SpiderLabs has played a crucial role in monitoring new ransomware variants in the incredibly unstable ransomware threat landscape of 2025, where dozens of new groups have emerged and caused extensive disruptions across multiple sectors.

Among these, the KAWA4096 ransomware has been identified as a notable newcomer, first detected in June 2025.

This strain has already claimed at least 11 victims, predominantly targeting entities in the United States and Japan, with five incidents remaining undisclosed on the group’s data leak site.

SpiderLabs’ global ransomware attack heat maps highlight KAWA4096’s focus on these regions, underscoring its rapid operational ramp-up.

Emergence of a New Ransomware Threat in 2025

The ransomware’s capabilities emphasize multithreaded encryption and network share targeting, designed to amplify disruption while incorporating evasion tactics to bypass detection mechanisms.

Technical analysis reveals that KAWA4096 embeds its configuration directly within the binary, loaded via the LoadResource API, detailing behavioral parameters such as file extensions, directories, and processes to skip or terminate.

The ransomware configuration of KAWA4096.

It supports command-line arguments like “-d=” for targeted encryption, “-all” for comprehensive file processing, and “-dump” for crash logging.

When executed without parameters, it respawns itself with the “-all” flag to ensure full activation.

A mutex named “SAY_HI_2025” prevents concurrent instances, while the malware systematically terminates services and processes associated with antivirus tools, SQL databases, backup systems, and SAP environments using Windows Service Control Manager APIs and TerminateProcess calls.

Termination of services.

Notably, KAWA4096 leverages Windows Management Instrumentation (WMI) through Win32_Process::Create to execute commands like “vssadmin.exe Delete Shadows /all /quiet” and “wmic shadowcopy delete /nointeractive,” effectively erasing Volume Shadow Copies to hinder data recovery efforts.

This defense evasion technique maps to the MITRE ATT&CK framework and complicates forensic response and recovery.

In-Depth Encryption Mechanics

KAWA4096’s encryption routine uses semaphores to synchronize its worker threads, spawning a configurable number of them (typically 10 in the analyzed samples) to scan and process files recursively.

It skips specific extensions (e.g., .exe, .dll, .sys), directories (e.g., Windows, Program Files), and filenames (e.g., boot.ini, desktop.ini) to avoid system instability, focusing instead on local drives and shared network resources if enabled in the configuration.

Files are queued for worker threads, which apply encryption while altering icons to resemble SQL Monitor visuals and optionally setting a black wallpaper.

Post-encryption, self-deletion occurs via a delayed command like “cmd.exe /C ping 127.0.0.1 -n 2 > nul && del /F ,” further evading persistence detection.

The ransom note closely mirrors that of the Qilin ransomware, with subtle formatting tweaks, while the data leak site emulates Akira’s green-on-black terminal aesthetic, likely to enhance perceived legitimacy.

Although links to established groups through shared tactics, techniques, and procedures (TTPs) remain unclear, KAWA4096’s adoption of these elements suggests an intent to borrow the reputation of better-known operations for operational success.

Trustwave’s detection capabilities, including ISA and SpiderLabs rules, capture these behaviors (such as shadow copy deletion and event log clearing via wevtutil), alongside Advanced Continual Threat Hunt (ACTH) methodologies for proactive malware identification.
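As an added defender-side example (not Trustwave's rules or KAWA4096 code), the following Python flags the shadow copy deletion commands described above and the wevtutil log clearing mentioned here in process-creation telemetry, and records when the parent is WmiPrvSE.exe, the lineage a Win32_Process::Create launch leaves behind; the event records, hosts and paths are constructed for the example.

```python
"""Flag shadow-copy deletion and event-log clearing in process-creation
events. Added example, not Trustwave's code; the records below are
constructed in Sysmon Event ID 1 style, not real telemetry."""
import re

# Constructed sample events (hypothetical hosts and paths).
EVENTS = [
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /all /quiet",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete /nointeractive",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil cl Security",
     "parent": r"C:\Users\lab\kawa.exe"},
    {"image": r"C:\Windows\System32\vssadmin.exe",   # benign enumeration
     "cmdline": "vssadmin list shadows",
     "parent": r"C:\Windows\System32\cmd.exe"},
]

# (rule name, image regex, command-line regex), matched on lower-cased fields.
RULES = [
    ("shadow_copy_delete_vssadmin", r"\\vssadmin\.exe$", r"\bdelete\s+shadows\b"),
    ("shadow_copy_delete_wmic", r"\\wmic\.exe$", r"\bshadowcopy\s+delete\b"),
    ("event_log_clear_wevtutil", r"\\wevtutil\.exe$", r"^\S*wevtutil(\.exe)?\s+cl\b"),
]

def classify(event):
    """Return (rule_name, via_wmi) for a matching event, else None.
    via_wmi is True when WmiPrvSE.exe is the parent: the lineage left when
    a command is launched through Win32_Process::Create instead of directly."""
    image, cmdline = event["image"].lower(), event["cmdline"].lower()
    for name, image_re, cmd_re in RULES:
        if re.search(image_re, image) and re.search(cmd_re, cmdline):
            return name, event["parent"].lower().endswith("wmiprvse.exe")
    return None

def scan(events):
    """Return alerts as (rule_name, via_wmi, cmdline) for all matching events."""
    alerts = []
    for ev in events:
        hit = classify(ev)
        if hit:
            alerts.append((hit[0], hit[1], ev["cmdline"]))
    return alerts
```

The benign `vssadmin list shadows` record produces no alert, so the rules key on the destructive verbs rather than on the binaries alone.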

Organizations are advised to bolster defenses against these techniques, including multi-factor authentication, regular backups, and endpoint monitoring, to mitigate risks from this evolving threat.

Indicators of Compromise (IOCs)

