Kawa4096 / Kawalocker
Kawa4096 is a ransomware group that emerged in June 2025, targeting multinational corporations across finance, education, and services sectors primarily in the US and Japan, using partial-encryption (25% of each file chunk) with Salsa20 and a leak site styled after Akira's retro terminal aesthetic, claiming at least 11 victims.
Victims
17
First Discovered
2025-06-27
victim
Last Discovered
2025-07-29
victim
Inactive Since
289
days
Avg Delay
8.3
days
Infostealer
11.1%
victims with domain
Countries
3
hit
Attack Velocity — Last 12 months
Known Locations (1)
| Favicon | Title | Type | Available | Last Visit | Server Info | FQDN | |
|---|---|---|---|---|---|---|---|
|
Kawa4096 | No | 2026-04-28T07:24:20 |
kawasa2qo7345dt7ogxmx7qmn6z2hnwaoi3h5aeosupozkddqwp6lqqd.onion
|
Target
Top 5 Activity Sectors
- Healthcare 2
- Financial Services 2
- Public Sector 1
Top 5 Countries
-
United States
11
-
Japan
3
-
Germany
2
Heatmap
YARA Rules (1)
Indicators of Compromise (IoCs) (3)
Email
1
Hash SHA256
1
tox
1
Victims (17)
