Surge in Ransomware Attacks Targeting Japanese Manufacturing Sector: Qilin and Kawa4096 Exploit OT and IT Systems in 2025
- Rescana

Executive Summary
In the first half of 2025, Japanese organizations experienced a significant escalation in ransomware attacks, with confirmed incidents rising by approximately 1.4 times compared to the previous year. Sixty-eight cases were reported between January and June 2025, averaging 11 incidents per month. The manufacturing sector was the most affected, accounting for 18.2% of incidents, followed by automotive, trading, construction, and transportation industries. Small and medium-sized enterprises (SMEs) were disproportionately targeted, representing 69% of all cases. The most damaging ransomware group was Qilin, with other active groups including Lynx, Nightspire, RansomHub, Akira, Cicada3301, Gunra, Kawa4096, and Space Bears. Notably, the emergence of the Kawa4096 group in June 2025 introduced advanced double-extortion tactics, with explicit threats to publish stolen employee and customer data. Law enforcement actions led to the cessation of LockBit and 8base operations, but new groups rapidly filled the void. The attacks have caused significant operational disruptions, particularly in manufacturing, due to the paralysis of both operational technology (OT) and information technology (IT) systems. Japanese authorities and security vendors have issued sector-specific advisories, emphasizing the need for enhanced endpoint protection, email security, regular backups, and continuous monitoring for indicators of compromise. All information in this summary is based on verified incident data and public advisories as of August 2025 (Cisco Talos, AhnLab ASEC).
Technical Information
Ransomware attacks in Japan during 2025 have demonstrated increasing technical sophistication, with threat actors employing a combination of established and novel tactics, techniques, and procedures (TTPs). The most prominent ransomware family in recent incidents is Kawa4096 (also known as KaWaLocker), which emerged in June 2025 and has since targeted at least 11 organizations, primarily in Japan and the United States (Trustwave SpiderLabs).
Initial Access vectors are consistent with global ransomware trends, including phishing emails, exploitation of public-facing applications, and abuse of remote services such as exposed Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) endpoints. While specific technical artifacts for initial access in Japanese incidents are not publicly available, sector advisories and incident patterns support these as the most likely entry points. The confidence level for this assessment is medium, as it is based on pattern analysis rather than direct forensic evidence (Cisco Talos, AhnLab ASEC).
Lateral Movement and Privilege Escalation are achieved through the use of configuration files that specify target directories, processes, and services. Kawa4096 employs multi-threading to rapidly encrypt files across both local and network drives. The ransomware terminates security, backup, and database services to maximize impact and evade detection. Mutex creation (e.g., SAY_HI_2025) ensures only a single instance of the malware runs on a system.
Persistence and Defense Evasion techniques include the deletion of shadow copies and event logs, which prevents recovery and hinders forensic analysis. The ransomware can self-delete after execution if configured, further complicating incident response efforts.
Encryption and Impact: Kawa4096 uses the Salsa20 stream cipher for file encryption. The malware’s configuration, embedded within the binary, defines skip lists, target directories, services and processes to terminate, and post-encryption actions. It executes commands such as vssadmin.exe Delete Shadows /all /quiet and wmic shadowcopy delete /nointeractive to remove backups, and uses wevtutil to clear event logs. The ransom note, named !!Restore-My-file-Kavva.txt, is nearly identical to those used by the Qilin ransomware group, indicating TTP borrowing. The malware encrypts both local and network shares and can self-delete using a command such as cmd.exe /C ping 127.0.0.1 -n 2 > nul && del /F <ransom filepath>.
Indicators of Compromise (IOCs) for Kawa4096 include file hashes such as f3a6d4ccdd0f663269c3909e74d6847608b8632fb2814b0436a4532b8281e617 and fadfef5caf6aede2a3a02a856b965ed40ee189612fa6fde81a30d5ed5ee6ae7d, a TOR site at hxxp://kawasa2qo7345dt7ogxmx7qmn6z2hnwaoi3h5aeosupozkddqwp6lqqd[.]onion/, and the email address kawa4096@onionmail.org (Trustwave SpiderLabs).
Historical Context: From 2017 to 2025, the most active ransomware groups targeting Japanese organizations have been LockBit (29 cases), Alphv/BlackCat (12), RansomHub (10), Clop (7), and 8Base (7). Law enforcement takedowns in February 2024 and February 2025 led to the cessation of LockBit and 8base operations, but groups such as RansomHub and Kawa4096 have rapidly expanded their activities in the resulting power vacuum (Cisco Talos, AhnLab ASEC).
Sector-Specific Targeting: The manufacturing sector remains the most targeted, with 18.2% of incidents in the first half of 2025 and 69 cases from 2017 to 2025. Other affected sectors include information and communication, wholesale and retail, construction, and professional/technical services. SMEs, defined as organizations with capital under ¥1 billion, account for 69% of all cases. Attack campaigns often spike during fiscal year-end and holiday periods, exploiting reduced staffing and monitoring.
Attack Methods Mapped to MITRE ATT&CK: Initial access techniques include [T1190] Exploit Public-Facing Application and [T1133] External Remote Services. Execution is achieved via [T1059] Command and Scripting Interpreter and [T1204] User Execution. Persistence may involve [T1547] Boot or Logon Autostart Execution. Privilege escalation can occur through [T1055] Process Injection. Defense evasion includes [T1070.004] File Deletion, [T1070.001] Clear Windows Event Logs, [T1489] Service Stop, and [T1562.001] Disable or Modify Tools. Impact is delivered through [T1486] Data Encrypted for Impact, [T1490] Inhibit System Recovery, [T1491.001] Defacement: Internal Defacement, and [T1491.002] Defacement: External Defacement. Discovery, collection, exfiltration, and command and control techniques are also present, as detailed in the MITRE ATT&CK framework (MITRE ATT&CK).
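An added example, not code from the original post or from any of the vendors it cites: the Kawa4096 behaviours described above (shadow copy deletion, event log clearing, the ping-and-del self-delete, the !!Restore-My-file-Kavva.txt ransom note) are turned into simple detection rules tagged with the ATT&CK technique IDs from the mapping, and run over constructed Sysmon-style process-creation and file-creation events. The `event_id|image|detail` line format, the image paths and the cleared log name are assumptions made for the example.

```python
import re

# Technique IDs from the page, each paired with a regex for a command or file
# the page attributes to Kawa4096. Event id 1 = process creation (detail is
# the command line), 11 = file creation (detail is the target path); this
# follows Sysmon numbering but the line format itself is an assumption.
RULES = [
    ("T1490", 1, re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1490", 1, re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("T1070.001", 1, re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("T1070.004", 1, re.compile(r"ping\s+127\.0\.0\.1\b.*&&\s*del\s+/F\b", re.I)),
    ("T1486", 11, re.compile(r"!!Restore-My-file-Kavva\.txt$", re.I)),
]


def parse_event(line):
    """Split 'event_id|image|detail' into (int, str, str); None if malformed."""
    parts = line.split("|", 2)
    if len(parts) != 3 or not parts[0].isdigit():
        return None
    return int(parts[0]), parts[1], parts[2]


def detect(lines):
    """Return [(technique, image, detail)] for every rule hit, in input order."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue  # skip lines that do not follow the assumed format
        event_id, image, detail = event
        for technique, wanted_id, pattern in RULES:
            if event_id == wanted_id and pattern.search(detail):
                hits.append((technique, image, detail))
    return hits


# Constructed sample events: the first five mirror the commands and ransom
# note quoted on the page; the last is benign and should not match.
SAMPLE_EVENTS = [
    "1|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe Delete Shadows /all /quiet",
    "1|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete /nointeractive",
    "1|C:\\Windows\\System32\\wevtutil.exe|wevtutil cl Security",
    "1|C:\\Windows\\System32\\cmd.exe|cmd.exe /C ping 127.0.0.1 -n 2 > nul && del /F C:\\Users\\Public\\locker.exe",
    "11|C:\\Users\\Public\\locker.exe|C:\\Shares\\finance\\!!Restore-My-file-Kavva.txt",
    "1|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs",
]

if __name__ == "__main__":
    for technique, image, detail in detect(SAMPLE_EVENTS):
        print(f"{technique}\t{image}\t{detail}")
```

The T1490 and T1070.001 rules fire on legitimate administration as well, so in production they are best scoped by parent process or paired with the ransom-note file event before paging anyone.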
Attribution and Confidence Levels: Attribution to Kawa4096 is supported by technical artifacts such as malware samples, ransom notes, and configuration files, with a high confidence level. Attribution to other groups such as Qilin and RansomHub is based on victim reporting and leak site data, with medium confidence due to the lack of public technical artifacts for all incidents. Sector targeting and timing are supported by incident statistics and advisories, with high confidence.
Affected Versions & Timeline
The ransomware campaigns in Japan have shown a continuous upward trend from 2017 through 2025, with a marked surge since 2023. In 2024, attacks were concentrated in the fourth quarter, and the first quarter of 2025 saw a relatively high number of incidents, indicating ongoing and persistent campaigns. From January 1 to June 30, 2025, there were 68 confirmed ransomware cases affecting Japanese organizations, with monthly incidents ranging from 4 to 16. The most affected sector was manufacturing, followed by automotive, trading, construction, and transportation. SMEs with capital under ¥1 billion were the primary targets, accounting for 69% of all cases (Cisco Talos, AhnLab ASEC).
The Kawa4096 ransomware group became active in June 2025, with at least 11 confirmed victims by August 2025. Law enforcement actions in February 2024 and February 2025 led to the cessation of LockBit and 8base operations, but new groups such as RansomHub and Kawa4096 quickly filled the void.
Threat Activity
The threat landscape in Japan during 2025 has been dominated by ransomware groups employing double-extortion tactics, where both data encryption and data theft are used to pressure victims into paying ransoms. The Kawa4096 group, in particular, has issued ransom notes explicitly stating that both employee and customer information have been stolen, with threats to publish the data if communication is refused. This approach is characteristic of double-extortion ransomware and increases the potential impact on victim organizations.
The manufacturing sector is especially vulnerable due to its reliance on large-scale production systems and global supply chains. Ransomware attacks in this sector can lead to significant operational disruptions, including the paralysis of both OT and IT systems, resulting in substantial financial losses from production downtime.
Other active ransomware groups in Japan during 2025 include Qilin, Lynx, Nightspire, RansomHub, Akira, Cicada3301, Gunra, and Space Bears. The cessation of LockBit and 8base operations following law enforcement takedowns has not reduced the overall threat level, as new groups have rapidly emerged to continue targeting Japanese organizations.
Attack campaigns often coincide with periods of reduced staffing and monitoring, such as fiscal year-end and holidays, increasing the likelihood of successful intrusions. SMEs are particularly at risk due to limited security resources and less mature incident response capabilities.
Mitigation & Workarounds
Critical recommendations for Japanese organizations, especially those in manufacturing and supply chain sectors, include strengthening endpoint protection, implementing robust email security measures, maintaining regular and tested backups, and ensuring continuous monitoring for indicators of compromise. Organizations should prioritize network segmentation between OT and IT environments to limit the spread of ransomware and develop comprehensive incident response plans tailored to their specific operational contexts.
High-priority actions include patching public-facing applications and remote access services, restricting RDP and VPN access to only necessary users, and enforcing multi-factor authentication. Regular security awareness training for employees can reduce the risk of phishing-based initial access. Organizations should also monitor for known IOCs associated with Kawa4096 and other active ransomware groups, and ensure that backup systems are isolated from production networks to prevent ransomware from encrypting backup data.
Medium-priority actions involve reviewing and updating business continuity plans, conducting tabletop exercises to test incident response readiness, and engaging with sector-specific information sharing and analysis centers (ISACs) for timely threat intelligence.
Low-priority actions include participating in industry forums and staying informed about evolving ransomware tactics and techniques.
These recommendations are based on advisories from Cisco and AhnLab, as well as guidance from Japanese law enforcement and sector regulators (Cisco Talos, AhnLab ASEC).
References
Cisco Talos Intelligence, "Ransomware incidents in Japan during the first half of 2025," August 19, 2025 https://blog.talosintelligence.com/ransomware_incidents_in_japan_during_the_first_half_of_2025/
AhnLab ASEC, "Damage Case Report on Japanese Companies Afflicted with Ransomware (2017 – 2025)," March 17, 2025 https://asec.ahnlab.com/en/87742/
Trustwave SpiderLabs, "KAWA4096’s Ransomware Tide: Rising Threat With Borrowed Styles," July 16, 2025 https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/kawa4096s-ransomware-tide-rising-threat-with-borrowed-styles/
MITRE ATT&CK Enterprise Techniques https://attack.mitre.org/techniques/enterprise/
About Rescana
Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor cyber risks across their supply chain and vendor ecosystem. Our platform enables continuous risk assessment, supports incident response planning, and facilitates compliance with sector-specific security requirements. For questions or further information, please contact us at ops@rescana.com.