Ransomware incidents in Japan during the first half of 2025

  • In the first half of 2025, the number of ransomware attacks in Japan increased by approximately 1.4 times compared to the previous year.
  • Ransomware attackers continue to primarily target small and medium-sized enterprises in Japan. The most affected industry remains manufacturing, unchanged from last year.
  • The ransomware group causing the most damage in Japan is “Qilin.”
  • In late June, a new ransomware group called “Kawa4096” emerged and might have attacked two Japanese companies.

Victimized companies

Figure 1 summarizes the ransomware incidents involving Japanese domestic companies, including overseas branches and subsidiaries, from January 1 to June 30, 2025. According to the Cisco Talos investigation, there were 68 ransomware cases affecting organizations in Japan during this period. Sources include Cisco telemetry, official statements from affected companies, news reports and data from ransomware leak sites. Compared to 48 cases during the same period last year, this represents an approximately 1.4-fold increase. The number of incidents per month ranged from a minimum of 4 to a maximum of 16, with an average of about 11 ransomware attacks per month.

Figure 1. Ransomware incidents in Japan during the first half of 2025.

The industries affected remain largely unchanged from the same period last year, with the manufacturing sector experiencing the highest number of incidents at 18.2%, followed by the automotive sector with 5 cases (5.7%), and trading companies, construction and transportation each reporting 4 cases (4.6%).

Figure 2. Number of victim organizations by industry.

Regarding the size of the affected organizations, those with capital of less than 100 million yen (or ¥) accounted for the largest share at 38%, followed by those with capital from ¥100 million – 1 billion at 31%. In total, organizations with capital under ¥1 billion made up 69% of all cases, indicating that attackers continue to primarily target small and medium-sized enterprises (see Figure 3).

Figure 3. Classification of victim organizations by capital size.

Types of ransomware most frequently involved in incidents

LockBit and 8base, which were among the most frequently observed ransomware groups in Japan during the first half of FY2024, ceased their activities following takedown operations by law enforcement in February 2024 and February 2025 respectively, as publicly announced in press releases. As a result, neither group has been observed in 2025.

RansomHub and Hunters International, which ranked among the top ransomware groups last year, are confirmed to still be active in Japan. Notably, the ransomware group Qilin, which had not been reported to have caused any damage in Japan in FY2024, emerged as the most active group in the first half of FY2025, with eight confirmed victim organizations in the country. Qilin has been active since October 2022 and is one of the ransomware groups exerting significant influence both domestically and internationally. The findings from this investigation further suggest that Qilin’s activity is intensifying, making it one of the most critical groups to watch.

Following Qilin, three groups — Lynx, Nightspire, and RansomHub — accounted for three incidents each. Regarding RansomHub, attacks targeting Japan were also confirmed around the same time in 2024. Groups such as Akira, Cicada3301, Gunra, Kawa4096 and Space Bears were each responsible for two incidents. In particular, Kawa4096, which began operations in late June 2025, has targeted Japan from the outset, warranting special attention.

Other groups with one confirmed incident each include Black Suit, CLOP, Devman, Fog and Play, among others.

Figure 4. Identified ransomware employed in attacks.

Spotlight: Kawa4096 ransomware group

Trustwave published a useful analysis report on Kawa4096 in July 2025.

The ransomware group first posted about a victim organization on its leak site, shown in Figure 5, on June 19, 2025. Subsequently, it disclosed information believed to pertain to attacks on two Japanese companies on June 26 and June 28.

Figure 5. Kawa4096 leak site.

KaWaLocker ransomware deployed by Kawa4096

Config File

The ransomware used by this group, shown in Figure 6, calls the FindResourceW API to load a configuration file from the resource section, as illustrated in Figure 7. The configuration file defines items such as file extensions, directories and specific folders to exclude from encryption; processes and services to terminate; and commands to execute. In the example configuration file shown in the figure, the command to be executed via WMI is defined as <cmd_post value="calc">, which launches the calculator. Since the calculator is only launched after encryption, this entry is likely used to check that the configuration has been applied correctly. Depending on the value set, arbitrary commands can be executed. In other configuration files, Talos has also confirmed cases where a forced reboot is triggered after encryption using the command shutdown /r /t 0.

Figure 6. Loading RCDATA101 from the resource section.
Figure 7. Part of the configuration file defined in RCDATA101.

Creating new file extensions and icons

The file extension added after encryption is also determined by a value loaded from the resource section, just like the configuration file. Specifically, the ransomware sets the extension using the data starting 8 bytes from the loaded value, and uses the following 9 bytes as the new extension.

Figure 8. Loading RCDATA102 from the resource section.
Figure 9. Part of RCDATA102.

Once the extension name for the encrypted files is determined, an icon file used after encryption is created at the following path using the CreateFileW API:

C:\Users\Public\Documents\.C3680868C.ico

After that, a new key named “.C3680868C” is created under “HKEY_LOCAL_MACHINE\Software\Classes” in the registry, with a subkey DefaultIcon whose value is set to the path of the icon mentioned above.
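The two artifacts described above (the extension read from RCDATA102 at a fixed offset, and the icon association written under HKLM\Software\Classes) can both be turned into triage checks. The following Python is an added example, not Talos tooling or code from the sample: it takes the extension out of a constructed RCDATA102-style blob using only the offset rule given in the text (8 bytes in, 9 bytes long; the header bytes and their contents are an assumption), and it scans a constructed .reg export of HKLM\Software\Classes for extension keys whose DefaultIcon points into C:\Users\Public\Documents, the user-writable location KaWaLocker drops its icon in.

```python
"""Triage helpers for the KaWaLocker extension/icon artifacts.

Added example, not Cisco Talos code. Two facts from the write-up are used:
the new extension is read as the 9 bytes starting 8 bytes into RCDATA102,
and the icon for that extension is registered under HKLM\\Software\\Classes
with a DefaultIcon value pointing into C:\\Users\\Public\\Documents.
"""
import re

EXT_OFFSET = 8   # extension body starts 8 bytes into the loaded resource
EXT_LENGTH = 9   # and is 9 bytes long; the leading dot is prepended

# Constructed stand-in for RCDATA102. The 8-byte header is an assumption
# (its real contents are not described); only the offset/length rule is real.
SAMPLE_RCDATA102 = b"\x02\x00\x00\x00\x09\x00\x00\x00" + b"C3680868C" + b"\x00" * 7


def extension_from_resource(blob: bytes) -> str:
    """Return the dotted extension encoded at offset 8 of the resource blob."""
    if len(blob) < EXT_OFFSET + EXT_LENGTH:
        raise ValueError("resource too short to hold an extension")
    body = blob[EXT_OFFSET:EXT_OFFSET + EXT_LENGTH]
    if not body.isalnum():
        raise ValueError(f"unexpected extension bytes: {body!r}")
    return "." + body.decode("ascii")


def icon_path_for(ext: str) -> str:
    """Path where the sample drops the icon for its custom extension."""
    return "C:\\Users\\Public\\Documents\\" + ext + ".ico"


# Constructed .reg export (the shape produced by 'reg export HKLM\Software\Classes')
# with one benign association, one DefaultIcon pointing at a system DLL,
# and the KaWaLocker-style registration.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Classes\.txt]
@="txtfile"

[HKEY_LOCAL_MACHINE\Software\Classes\.png\DefaultIcon]
@="C:\\Windows\\System32\\imageres.dll,-70"

[HKEY_LOCAL_MACHINE\Software\Classes\.C3680868C]

[HKEY_LOCAL_MACHINE\Software\Classes\.C3680868C\DefaultIcon]
@="C:\\Users\\Public\\Documents\\.C3680868C.ico"
"""

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
DEFAULT_RE = re.compile(r'^@="(.*)"\s*$')
CLASSES_PREFIX = "HKEY_LOCAL_MACHINE\\Software\\Classes\\"


def parse_reg_export(text: str) -> dict:
    """Map every key that carries a default value (@=) to that value.
    .reg files escape backslashes inside quoted strings, so unescape them."""
    defaults = {}
    current = None
    for line in text.splitlines():
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            continue
        val = DEFAULT_RE.match(line)
        if val and current is not None:
            defaults[current] = val.group(1).replace("\\\\", "\\")
    return defaults


def suspicious_default_icons(defaults: dict,
                             icon_dir: str = "C:\\Users\\Public\\Documents") -> list:
    """Return (extension, icon path) for extension classes whose DefaultIcon
    lives under a user-writable directory such as C:\\Users\\Public\\Documents."""
    hits = []
    for key, value in defaults.items():
        if not key.lower().startswith(CLASSES_PREFIX.lower()):
            continue
        parts = key[len(CLASSES_PREFIX):].split("\\")  # e.g. ['.C3680868C', 'DefaultIcon']
        if len(parts) != 2 or not parts[0].startswith(".") or parts[1].lower() != "defaulticon":
            continue
        icon = value.split(",")[0].strip().strip('"')  # drop any ',index' suffix
        if icon.lower().startswith(icon_dir.lower()):
            hits.append((parts[0], icon))
    return hits


if __name__ == "__main__":
    ext = extension_from_resource(SAMPLE_RCDATA102)
    print("extension:", ext, "icon:", icon_path_for(ext))
    for ext, icon in suspicious_default_icons(parse_reg_export(SAMPLE_REG_EXPORT)):
        print("suspicious association:", ext, "->", icon)
```

On a live host the same check can be run against the output of reg export HKLM\Software\Classes; legitimate applications register DefaultIcon values under Program Files or System32, so an icon under a public, user-writable directory is a cheap and specific indicator.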

Figure 10. Registration of a custom file extension.
Figure 11. Encrypted file.

Types of arguments

This ransomware checks for the presence of the “all” argument upon execution (Figure 12).

Figure 12. Argument check.

Below is a summary of the three arguments:

  • -all: Executes the ransomware’s processing using multithreading
  • -d: Encrypts only the specified directory
  • -dump: Uses the MiniDumpWriteDump API to create a .dmp file containing crash or runtime information in the execution folder

When the -all option is not specified, the ransomware re-executes itself as “%ws” -all using the CreateProcessW API. Additionally, only when -all is not specified, the ransomware creates a Mutex named “SAY_HI_2025” using the CreateMutexA API to check whether it is already running.

Figure 13. Creation of Mutex value.

Ransom note

A ransom note named “!!Restore-My-file-Kavva.txt,” as shown in Figure 14, is created in C:\ and in each encrypted folder. The ransom note primarily states that the system has been encrypted and that important data has been stolen — characteristics typical of double-extortion ransomware. It warns that if communication is refused, the data will be published. It also specifies the types of data involved, such as employees’ personal information and customer information, making it clear that the attackers are urging the victim to initiate contact with them.

Figure 14. KaWaLocker ransom note.

Data deletion

After file encryption, the following commands are executed to prevent recovery by deleting backup-related data and traces, such as event logs.

vssadmin.exe Delete Shadows /all /quiet
vssadmin.exe delete shadows /all /quiet
wmic shadowcopy delete /nointeractive
cmd.exe /c wevtutil cl security | wevtutil cl system | wevtutil cl application

Depending on the configuration settings, the program may also delete itself.

cmd.exe /C ping 127.0.0.1 -n 2 > nul && del /F
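The cleanup commands above are the most detectable part of the post-encryption phase, since shadow-copy deletion and event-log clearing are rarely legitimate on a workstation. The following Python is an added example, not Talos or ClamAV content: it runs detection rules built from exactly the command lines quoted in this section over a constructed set of process-creation records (a simplified stand-in for the CommandLine field of Sysmon Event ID 1 or Windows Security event 4688), including two benign look-alikes that must not fire.

```python
"""Detection logic for the post-encryption cleanup commands quoted above.

Added example, not Cisco Talos or ClamAV content. The event records are a
constructed, simplified stand-in for the CommandLine field of Sysmon Event
ID 1 / Windows Security 4688 process-creation events.
"""
import re
from dataclasses import dataclass

# Each rule is built from a command line observed in the write-up. They are
# case-insensitive and tolerant of the '.exe' suffix and extra whitespace.
RULES = {
    "shadow_copy_delete_vssadmin": re.compile(
        r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "shadow_copy_delete_wmic": re.compile(
        r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "event_log_clear_wevtutil": re.compile(
        r"\bwevtutil(?:\.exe)?\s+cl\s+(?:security|system|application)\b", re.I),
    "ping_delay_then_self_delete": re.compile(
        r"\bping\s+127\.0\.0\.1\s+-n\s+\d+\s*>\s*nul\s*&&\s*del\s+/F\b", re.I),
}

CLEARED_LOG_RE = re.compile(r"\bwevtutil(?:\.exe)?\s+cl\s+(\w+)", re.I)

# Constructed process-creation records: the command lines from the write-up
# plus two benign look-alikes (a plain ping, a wevtutil query) that must not fire.
SAMPLE_EVENTS = [
    {"pid": 4120, "cmdline": "vssadmin.exe Delete Shadows /all /quiet"},
    {"pid": 4124, "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 4130, "cmdline": "wmic shadowcopy delete /nointeractive"},
    {"pid": 4136,
     "cmdline": "cmd.exe /c wevtutil cl security | wevtutil cl system | wevtutil cl application"},
    {"pid": 4140, "cmdline": "cmd.exe /C ping 127.0.0.1 -n 2 > nul && del /F"},
    {"pid": 5001, "cmdline": "ping 127.0.0.1 -n 4"},
    {"pid": 5002, "cmdline": "wevtutil qe Security /c:5 /f:text"},
]


@dataclass
class Detection:
    rule: str
    pid: int
    cmdline: str


def detect(events) -> list:
    """Return one Detection per (event, rule) match, in event order."""
    hits = []
    for ev in events:
        for name, pattern in RULES.items():
            if pattern.search(ev["cmdline"]):
                hits.append(Detection(name, ev["pid"], ev["cmdline"]))
    return hits


def cleared_logs(cmdline: str) -> list:
    """Names of the event logs cleared by a (possibly chained) wevtutil command line."""
    return [name.lower() for name in CLEARED_LOG_RE.findall(cmdline)]


def rules_fired(events) -> dict:
    """Rule name -> number of matching events. Shadow-copy deletion followed
    by log clearing in a short window is the pattern worth escalating."""
    counts = {}
    for hit in detect(events):
        counts[hit.rule] = counts.get(hit.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"[{hit.rule}] pid={hit.pid} {hit.cmdline}")
    print(rules_fired(SAMPLE_EVENTS))
```

The rules match on the command line rather than the image name because the sample wraps two of the commands in cmd.exe; the wevtutil rule also reports which logs were cleared, which tells an analyst up front that the Security log on the host is not going to be available for the timeline.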

Encryption

Regarding the encryption method, the chunk size is determined by the size of the target file, and the number of chunks follows from it. Files of 10MB or smaller are not split for encryption. Files larger than 10MB are divided into chunks whose size varies with the file size, as shown in Figure 15. The base chunk size is defined by the value at offset (a1 + 488), which is set to 0x10000 (64KB). Figure 16 shows the chunk sizes corresponding to different file sizes. This chunking speeds up encryption, since only part of each large file has to be processed.

Figure 15. Code section that determines the number of chunks based on the file size.
Figure 16. File size and chunk size correspondence table.

Once the chunk count is determined, the target data is encrypted using the Salsa20 stream cipher.

Figure 17. Encryption method.

KaWaLocker 2.0

We also observed KaWaLocker 2.0 in late July 2025. This indicates that the attackers may become even more active in deploying this malware in the future. One of the main changes is that the ransom note differs from the initial version of KaWaLocker. As shown in Figure 18, the ransom note for KaWaLocker 2.0 includes a newly added email contact.

Figure 18. KaWaLocker2.0 ransom note.

Another change is that when examining the configuration of KaWaLocker 2.0, we found that a flag called “hide_name” had been added.

Figure 19. KaWaLocker config (left), KaWaLocker 2.0 config (right).

When this flag is enabled, the original file name is hidden: the encrypted file is renamed to a value derived by hashing its absolute path.

Figure 20. Encrypted file when the hide_name flag is enabled.

Coverage

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless, transparent and secure access to the internet, cloud services or private applications no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.

ClamAV detections are also available for this threat:

  • Win.Ransomware.KaWaLocker-10056371-0

Indicators of compromise (IOCs)

The IOCs can also be found in our GitHub repository here.