Kawabunga, Dude, You've Been Ransomed!
Essential information
- Published: 15/08/2025 05:29
- Modified: 15/08/2025 12:38
- Tags: 2025-08-15, encryption, hrsword, kawa4096, kawalocker, psexec, ransomware, rdp
- Related entities: 5 observables, 1 intrusion set (APT), 4 techniques (MITRE), 3 malware
Description
A new ransomware variant called KawaLocker (also tracked as KAWA4096) was recently observed in an attack. The threat actor gained initial access over RDP using a compromised account and employed several tools to disable security controls. HRSword, a monitoring tool, was deployed together with the kernel drivers sysdiag.sys and hrwfpdr.sys. The attacker then used PsExec to enable RDP on additional endpoints. KawaLocker was deployed against the E:\ volume, encrypting its files and leaving a ransom note. After encryption, the attacker deleted Volume Shadow Copies, cleared the Windows Event Logs, and removed the ransomware executable. The incident highlights the importance of detecting and remediating such attacks promptly.
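The following is an added detection example, not code from the original record: a small Python scanner that runs the behaviours in the description (RDP logon, PsExec service installation, HRSword driver installation, RDP enablement, shadow copy deletion, event log clearing) as rules over constructed Windows event records. The Windows event IDs are real; the host names, sample events and the registry-based RDP enablement command are assumptions for illustration.

```python
"""Added example: rule-based detection of the KawaLocker incident chain over
constructed Windows event records (event IDs are real Windows IDs; all sample
events, host names and the RDP-enable command are constructed assumptions)."""
import re

# One rule per behaviour in the incident summary: (label, event id, field, regex)
RULES = [
    ("RDP interactive logon", 4624, "LogonType", r"^10$"),
    ("PsExec service installed", 7045, "ServiceName", r"(?i)^PSEXESVC$"),
    ("HRSword kernel driver installed", 7045, "ImagePath", r"(?i)(sysdiag|hrwfpdr)\.sys"),
    ("RDP enabled via registry", 4688, "CommandLine", r"(?i)fDenyTSConnections.*\b0\b"),
    ("Shadow copies deleted", 4688, "CommandLine", r"(?i)(vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete)"),
    ("Security event log cleared", 1102, "Channel", r"(?i)^Security$"),
]

def match_event(event):
    """Return the labels of every rule this single event satisfies."""
    hits = []
    for label, event_id, field, pattern in RULES:
        if event.get("EventID") == event_id and re.search(pattern, str(event.get(field, ""))):
            hits.append(label)
    return hits

def score_incident(events):
    """Map each observed behaviour to the set of hosts it was seen on (insertion order = first sighting)."""
    seen = {}
    for ev in events:
        for label in match_event(ev):
            seen.setdefault(label, set()).add(ev.get("Host", "?"))
    return seen

# Constructed sample events mirroring the chain described on this page.
SAMPLE_EVENTS = [
    {"Host": "FS01", "EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup"},
    {"Host": "FS01", "EventID": 7045, "ServiceName": "sysdiag", "ImagePath": r"C:\Windows\System32\drivers\sysdiag.sys"},
    {"Host": "WS07", "EventID": 7045, "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"Host": "WS07", "EventID": 4688, "CommandLine": 'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"Host": "FS01", "EventID": 4688, "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Host": "FS01", "EventID": 1102, "Channel": "Security"},
    {"Host": "FS01", "EventID": 4688, "CommandLine": "notepad.exe readme.txt"},  # benign noise, must not fire
]

if __name__ == "__main__":
    for label, hosts in score_incident(SAMPLE_EVENTS).items():
        print(f"{label}: {sorted(hosts)}")
```

Seeing several of these labels on one host inside a short window is the signal to prioritise; any single rule on its own (a 4624/type 10 logon, a PsExec service) is routine admin activity in many environments.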