
Ransomware incidents in Japan during the first half of 2025

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY :

The first half of 2025 saw a 1.4-fold increase in ransomware attacks in Japan compared to the previous year, with 68 confirmed cases. Small and medium-sized enterprises remained the primary targets, with manufacturing being the most affected industry. The ransomware group Qilin emerged as the most active threat, responsible for eight incidents. A new group, Kawa4096, appeared in late June, targeting Japanese companies. The analysis also details the KaWaLocker ransomware, including its configuration, encryption methods, and the emergence of KaWaLocker 2.0 with enhanced features. The continued evolution and intensification of ransomware activities in Japan highlight the need for increased cybersecurity measures across various industries.

OPENCTI LABELS :

ransomware, encryption, japan, double-extortion, manufacturing, kawa4096, kawalocker, kawalocker 2.0, salsa20, small-medium-enterprises


AI COMMENTARY :

1. The report titled Ransomware incidents in Japan during the first half of 2025 outlines a sharp rise in malicious activity targeting small and medium-sized enterprises across multiple sectors in Japan. Ransomware incidents in the first half of the year increased 1.4-fold compared to the same period in 2024, with 68 confirmed cases, forcing businesses nationwide to confront a rapidly evolving threat landscape. The surge underscores the growing relevance of ransomware threat intelligence for organizations seeking to strengthen their defenses while undergoing digital transformation.

2. Detailed analysis reveals that small and medium-sized enterprises bore the brunt of these attacks, with the manufacturing industry emerging as the most affected sector. Japan’s manufacturing firms, already navigating supply chain pressures and global competition, were unprepared for the disruptive power of double-extortion tactics. Attackers not only encrypted critical data but also threatened to leak proprietary designs unless hefty ransoms were paid. The prevalence of such tactics illustrates how cybercriminals are adapting proven playbooks to exploit vulnerabilities in smaller organizations with limited cybersecurity budgets.

3. Among the threat actors identified, the ransomware group Qilin was the most prolific, claiming responsibility for eight distinct incidents. Qilin’s campaigns often leveraged custom payloads designed to evade traditional antivirus and endpoint detection tools. In late June, a previously unseen actor, Kawa4096, made its first appearance on the threat intel radar. Targeting Japanese companies exclusively, Kawa4096 demonstrated an unusually surgical approach by infiltrating networks via spear-phishing emails crafted in native Japanese. This newcomer’s emergence signals a further diversification of threat groups operating within Japan’s borders.

4. The technical deep dive into KaWaLocker ransomware sheds light on its sophisticated encryption methods. KaWaLocker employs Salsa20 for rapid data encryption and integrates a robust configuration framework that allows threat actors to tailor each deployment to specific environments. The discovery of KaWaLocker 2.0 points to an accelerated development cycle, introducing features such as multi-threaded encryption, enhanced file system traversal, and improved evasion of sandbox analysis. The double-extortion model remains central to its strategy, with attackers exfiltrating sensitive data before encryption to maximize leverage during ransom negotiations.

5. The intensification of ransomware activity in Japan highlights the urgent need for enhanced cybersecurity measures across industries. Organizations must prioritize continuous monitoring, regular patch management, and comprehensive backup solutions to withstand encryption assaults. Sharing threat intel on emerging groups like Kawa4096 and evolving strains such as KaWaLocker 2.0 can empower defenders to anticipate tactics and strengthen perimeter defenses. In an environment where encryption-based attacks are becoming more targeted and destructive, proactive collaboration and investment in advanced detection technologies will be essential to mitigate risk and preserve business continuity.



