New Kawa4096 Ransomware Deploys Rapid, Multi-pronged Attacks
A new ransomware group, dubbed Kawa4096, has emerged, targeting multinational organizations across various sectors in multiple countries. The group employs a double extortion strategy, exfiltrating sensitive data before encrypting files and threatening public leaks on its Tor-based portal. Technical analysis reveals sophisticated features, including partial encryption for speed, termination of key processes, and deletion of volume shadow copies to prevent recovery. The ransomware uses the Salsa20 cipher and leaves a ransom note similar to those of other established threat groups. This highly organized operation suggests a significant new threat capable of widespread disruption.
Latest mentioned: 09-22
Earliest mentioned: 09-17