Ransomware attackers continue to primarily target small and medium-sized manufacturing businesses in Japan.
# Incident Report: H1 2025 Japan Ransomware Surge Led by Qilin Group
## Executive Summary
During the first half of 2025, ransomware attacks targeting Japanese organizations increased by approximately 1.4 times compared to the same period last year, totaling 68 confirmed incidents. Attackers continued to focus heavily on Small and Medium-sized Enterprises (SMEs). The Qilin ransomware group emerged as the most active threat actor in Japan, while a new group, Kawa4096, also surfaced late in the reporting period. The primary affected sector was manufacturing.
## Incident Details
- **Discovery Date:** Occurrences detected throughout H1 2025 (January 1 to June 30, 2025).
- **Incident Date:** January 1, 2025 – June 30, 2025.
- **Affected Organization:** 68 confirmed cases involving Japanese domestic companies, including overseas branches and subsidiaries.
- **Sector:** Manufacturing (18.2%), Automotive (5.7%), Trading, Construction, Transportation.
- **Geography:** Japan.
## Timeline of Events
### Initial Access
- **Date/Time:** Varies throughout H1 2025. For the Kawa4096 group, activity began surfacing in late June 2025 (Leak site post on June 19, 2025).
- **Vector:** Not explicitly detailed for every incident; the analysis points to the ransomware vectors commonly seen against SMEs. Kawa4096 deploys its associated ransomware, KaWaLocker.
- **Details:** Attacks were highly focused on organizations with capital under ¥1 billion (69% of victims).
### Lateral Movement
- Kawa4096 utilized WMI commands defined in configuration files, which could execute arbitrary commands, potentially including those for lateral movement or system disruption (e.g., forced reboots via `shutdown /r /t`).
### Data Exfiltration/Impact
- **Impact:** Ransomware encryption causing operational downtime, with ransom notes dropped on affected systems. Before encrypting, Kawa4096 sometimes attempted to terminate specific processes and services.
### Detection & Response
- **Detection:** Incidents were tracked via Cisco telemetry, company statements, news reports, and data from ransomware leak sites.
- **Response actions taken:** Law enforcement actions disrupted LockBit (February 2024) and 8Base (February 2025) activity affecting Japan prior to this period, reshaping the threat landscape. Specific response actions by H1 2025 victims are not detailed, but Cisco recommended defensive measures.
## Attack Methodology
- **Initial Access:** Not specified, likely standard phishing or exploitation vectors common against SMEs.
- **Persistence:** Not explicitly detailed in the summary.
- **Privilege Escalation:** Not explicitly detailed in the summary.
- **Defense Evasion:** The KaWaLocker 2.0 variant used by Kawa4096 supports a `hide_name` flag; when it is enabled, encrypted files are renamed to a hash derived from the file's absolute path, which hinders identification of what was encrypted.
- **Credential Access:** Not specified.
- **Discovery:** Kawa4096 configuration files defined specific directories and file extensions to exclude from encryption, suggesting local enumeration and targeting requirements.
- **Lateral Movement:** Potential use of WMI commands for remote execution or disruption.
- **Collection:** Not specified.
- **Exfiltration:** Not specified (standard ransomware TTPs often involve double extortion).
- **Impact:** Deployment of ransomware (Qilin, Kawa4096, etc.) leading to file encryption and potential system shutdown.
## Impact Assessment
- **Financial:** Not quantified, but implied significant costs due to 68 confirmed ransomware incidents impacting revenue and recovery efforts.
- **Data Breach:** Ransomware events imply data compromise, though specific data types/volume are not listed.
- **Operational:** High operational disruption, particularly in the manufacturing sector.
- **Reputational:** Public disclosure through leak sites and media reports likely caused reputational damage to victims.
## Indicators of Compromise
IOCs are published in the GitHub repository linked from the source article and are not reproduced here.
- **Network indicators:** Not reproduced here; see the source article's repository.
- **File indicators:** Ransomware payloads associated with Qilin, Lynx, Nightspire, RansomHub, and Kawa4096. Kawa4096 utilizes configuration files loaded via `FindResourceW` API.
- **Behavioral indicators:** Encryption using KaWaLocker, potentially altering file names via hashing when the `hide_name` flag is active. Execution of WMI commands post-encryption (e.g., launching calculator or triggering reboot).
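The behavioral indicator above (WMI commands run after encryption, such as a forced reboot) can be turned into a simple telemetry check. The following is an added example, not code from the report or from Cisco: processes launched through WMI on Windows appear as children of WmiPrvSE.exe, so a parent/child check over process-creation events catches the `shutdown /r /t` and calculator launches the report describes. The log lines are constructed, simplified Sysmon Event ID 1 renderings, and the suspicious-child list is an assumption you would tune for your environment.

```python
"""Flag disruptive commands spawned via WMI in process-creation telemetry.

Added example (not part of the original report). Assumes a flattened
key=value event format modelled loosely on Sysmon Event ID 1.
"""
import re
from typing import Dict, List

# Constructed sample events; backslashes are Windows path separators.
SAMPLE_LOGS = r"""
Image=C:\Windows\System32\shutdown.exe ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe CommandLine="shutdown /r /t 0"
Image=C:\Windows\System32\calc.exe ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe CommandLine="calc.exe"
Image=C:\Windows\System32\shutdown.exe ParentImage=C:\Windows\explorer.exe CommandLine="shutdown /r /t 300"
Image=C:\Windows\System32\svchost.exe ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe CommandLine="svchost.exe -k netsvcs"
""".strip().splitlines()

# Assumed list of binaries that are suspicious when launched by the WMI provider host.
SUSPICIOUS_CHILDREN = {"shutdown.exe", "calc.exe", "cmd.exe", "powershell.exe", "wmic.exe"}

# key=value pairs; values may be double-quoted to allow spaces.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one flattened event line into a field dict (quotes stripped)."""
    fields: Dict[str, str] = {}
    for m in FIELD_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def basename(path: str) -> str:
    """Return the lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_wmi_spawned_disruption(event: Dict[str, str]) -> bool:
    """True when a suspicious binary was started by WmiPrvSE.exe."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    return parent == "wmiprvse.exe" and child in SUSPICIOUS_CHILDREN


def find_alerts(lines: List[str]) -> List[str]:
    """Return the command lines of all events matching the detection."""
    return [ev.get("CommandLine", "") for ev in map(parse_event, lines)
            if is_wmi_spawned_disruption(ev)]


if __name__ == "__main__":
    for cmd in find_alerts(SAMPLE_LOGS):
        print("ALERT: WMI-spawned process:", cmd)
```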
## Response Actions
- **Containment:** Not detailed for specific H1 2025 incidents.
- **Eradication:** Not detailed for specific H1 2025 incidents.
- **Recovery:** Not detailed for specific H1 2025 incidents.
## Lessons Learned
- **Key takeaways:** Ransomware targeting of Japan became more active (roughly 1.4x year over year), with the focus shifting to SMEs (69% of victims had capital under ¥1 billion). Qilin became the leading threat actor. New, rapidly active groups such as Kawa4096 (emerging in late June) pose immediate risks.
- **What could have been done better:** Improved defenses against ransomware groups that have recently gained prominence (like Qilin) and vigilance against emerging actors such as Kawa4096, whose configuration demonstrated advanced evasion techniques (file name obfuscation).
## Recommendations
- **Prevention measures for similar incidents:** Deploy endpoint detection and response capable of blocking malware execution (e.g., Cisco Secure Endpoint). Strengthen email security to block malicious campaign emails. Maintain regular patching and network segmentation, with particular attention to manufacturing organizations and SMEs, which were the most affected. Monitor for new ransomware behaviors, such as configuration loading through resource APIs like `FindResourceW` and file name obfuscation.