Sunday, January 18, 2026

Windows Management Instrumentation Exploited by New KAWA4096 Ransomware to Erase Shadow Copies

June 2025 has witnessed the emergence of a formidable new ransomware, KAWA4096, which exploits Windows Management Instrumentation (WMI) to erase shadow copies and maximize its destructive impact on victims.

Security experts at SpiderLabs have been actively monitoring KAWA4096, which, in less than a month, has targeted at least 11 organizations across the United States and Japan.

Technical Innovations in KAWA4096

KAWA4096 distinguishes itself through a sophisticated multi-threaded architecture and an array of detection evasion techniques.

The ransomware loads its operational configuration from a resource embedded in its own binary via the LoadResource API. That configuration defines the applications and services to be terminated, the directories to target, the file extensions to skip, and the processes to kill.

This configuration-driven approach allows KAWA4096 to remain flexible and easily adaptable.

Once executed, KAWA4096 ensures only a single instance runs by creating a mutex named SAY_HI_2025. If launched without parameters, it automatically relaunches itself with the “-all” switch to ensure comprehensive execution.

It subsequently scans the infected environment, targeting both local and network-shared drives using a pool of worker threads. The number of threads (ten in the analyzed sample) is set in its configuration, maximizing encryption speed and system impact.

A notable feature is KAWA4096’s targeted approach in shutting down processes and services crucial to backup, database, and security operations, including those related to Acronis, Veeam, SQL Server, SAP, and Sophos.

The ransomware interacts with the Windows Service Control Manager (SCM) API to identify and stop these services, crippling data protection and restoration efforts.

WMI Abuse and Data Destruction

KAWA4096 takes an aggressive stance towards shadow copies, which are critical for system recovery, by issuing commands such as vssadmin.exe Delete Shadows /all /quiet and wmic shadowcopy delete /nointeractive through WMI interfaces.

This double-pronged strategy ensures that Windows' built-in recovery mechanisms are neutralized before file encryption begins. After encryption, the ransomware can also self-delete, covering its tracks and complicating forensic analysis.

The ransomware encrypts files while skipping essential system files, program folders, and specific extensions.

[Figure: KAWA4096's top affected countries.]

It also modifies the desktop wallpaper (solid black in observed cases) and changes icons of encrypted files to mimic SQL Monitor, a subtle touch aimed at confusion and disruption.

Mimicking established ransomware groups, KAWA4096’s ransom note borrows heavily from Qilin, with its data leak site visually and textually echoing Akira. These choices suggest an effort to capitalize on existing notoriety and instill additional fear.

Defensive Measures Recommended

Organizations are advised to maintain robust security hygiene, disable unnecessary services, restrict WMI access, and continually monitor for suspicious process executions.
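The shadow-copy deletion described under "WMI Abuse and Data Destruction" is exactly the kind of process execution the monitoring advice above refers to. As an added example (not code from the article or from Trustwave), the script below runs over constructed sample process-creation events and flags vssadmin and wmic command lines that delete shadow copies; it generalizes the two quoted commands by tolerating case, full image paths and argument-order variation. The event field names and sample values are assumptions.

```python
import shlex

# Constructed sample records in the shape a Sysmon Event ID 1 / Security 4688
# forwarder might emit. Sample data only, not telemetry from real KAWA4096 cases.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": r"C:\Users\victim\Downloads\kawa.exe",
     "cmdline": "vssadmin.exe Delete Shadows /all /quiet"},
    {"pid": 4188, "parent": r"C:\Users\victim\Downloads\kawa.exe",
     "cmdline": "wmic shadowcopy delete /nointeractive"},
    {"pid": 5001, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin.exe list shadows"},            # benign enumeration
    {"pid": 5002, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'WMIC.exe /node:"srv01" shadowcopy DELETE'},  # argument order varies
]


def _tokens(cmdline):
    """Lower-cased argv tokens. Non-POSIX mode keeps backslashes in Windows paths;
    fall back to a plain whitespace split if the quoting is unbalanced."""
    try:
        parts = shlex.split(cmdline, posix=False)
    except ValueError:
        parts = cmdline.split()
    return [p.strip('"').lower() for p in parts]


def classify(cmdline):
    """Return a rule name if the command line deletes Volume Shadow Copies, else None."""
    toks = _tokens(cmdline)
    if not toks:
        return None
    exe = toks[0].rsplit("\\", 1)[-1]  # basename of the image token, e.g. vssadmin.exe
    if exe in ("vssadmin", "vssadmin.exe") and "delete" in toks and "shadows" in toks:
        return "vssadmin_delete_shadows"
    if exe in ("wmic", "wmic.exe") and "shadowcopy" in toks and "delete" in toks:
        return "wmic_shadowcopy_delete"
    return None


def hunt(events):
    """Return (pid, rule, parent) for each event matching a shadow-copy deletion rule.
    The parent image is kept because a non-admin parent (a user-profile binary here)
    is the strongest signal that the deletion is not routine maintenance."""
    hits = []
    for event in events:
        rule = classify(event["cmdline"])
        if rule:
            hits.append((event["pid"], rule, event["parent"]))
    return hits


if __name__ == "__main__":
    for pid, rule, parent in hunt(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} rule={rule} parent={parent}")
```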

Trustwave’s suite of detection rules and threat-hunting solutions provides advanced capabilities to spot KAWA4096’s behaviors, especially its hallmark use of WMI and system service disruptions.

As KAWA4096 ramps up operations, targeted sectors must stay vigilant, institute robust backup strategies, and ensure rapid patching and endpoint defenses to combat this growing threat.

IOCs

Name: C3CE46D40.exe
Type: Win64 EXE
SHA1: bd30c87774c083a1003c0b9fb0a922b702302272
SHA256: f3a6d4ccdd0f663269c3909e74d6847608b8632fb2814b0436a4532b8281e617
MD5: c3ce46d40b2893e30bf00fce72c2e1fa

Name: kawa.exe
Type: Win64 EXE
SHA1: b8c32444ceef027fb65d9cf1c823ad3c9c59acea
SHA256: fadfef5caf6aede2a3a02a856b965ed40ee189612fa6fde81a30d5ed5ee6ae7d
MD5: 64756bf452baa4da411e3a835c08d884
