{
  "name": "Kawabunga, Dude, You've Been Ransomed!",
  "slug": "kawabunga-dude-youve-been-ransomed",
  "description": "A new ransomware variant called KawaLocker (KAWA4096) was recently observed in an attack. The threat actor gained initial access via RDP using a compromised account and used several tools to disable security controls. HRSword, a monitoring tool, was deployed along with the kernel drivers sysdiag.sys and hrwfpdr.sys. The attacker used PsExec to enable RDP on additional endpoints. KawaLocker ransomware was then deployed against the E:\\ volume, encrypting files and leaving a ransom note. After encryption, the attacker deleted Volume Shadow Copies, cleared Windows Event Logs, and removed the ransomware executable. The incident highlights the importance of detecting and remediating such attacks promptly.",
  "published": "2025-08-15T03:29:18+00:00",
  "created_at": "2025-08-15T03:29:18+00:00",
  "modified_at": "2025-08-15T10:38:22+00:00",
  "created_at_opencti": "2025-08-15T03:29:18+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-08-15",
    "encryption",
    "hrsword",
    "kawa4096",
    "kawalocker",
    "psexec",
    "ransomware",
    "rdp"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "ecca86e9b79d5a391a433d8d782bf54ada5a9ee04038dbaf211e0f087b5dad52"
      },
      {
        "id": "",
        "name": "e4fb852fed532802aa37988ef9425982d272bc5f8979c24b25b620846dac9a23"
      },
      {
        "id": "",
        "name": "db8f4e007187795e60f22ee08f5916d97b03479ae70ad95ad227c57e20241e9d"
      },
      {
        "id": "",
        "name": "11b262c936ffa8eb83457efd3261578376d49d6e789c7c026f1fa0b91929e135"
      },
      {
        "id": "",
        "name": "01a3dabb4684908082cb2ac710d5d42afae2d30f282f023d54d7e945ad3272f5"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:c8a9a9f1c4285931",
        "name": "KaWaLocker",
        "slug": "kawalocker"
      },
      {
        "id": "legacy:malware:f97345cb88233a79",
        "name": "HRSword",
        "slug": "hrsword"
      },
      {
        "id": "aa02d4ea-4e46-4487-97b6-cd7a477a61e4",
        "name": "KAWA4096",
        "slug": "kawa4096"
      }
    ],
    "intrusion_sets": [
      {
        "id": "f1c1bb15-e5d6-4671-8cd0-11e889645e24",
        "name": "KawaLocker",
        "slug": "kawalocker"
      }
    ],
    "attack_patterns": [
      {
        "id": "eaff4611-3c78-4127-8745-726f77ed68ba",
        "name": "T1070.004"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      },
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      }
    ]
  },
  "external_refs": [
    "https://www.huntress.com/blog/kawalocker-ransomware-deployed",
    "https://otx.alienvault.com/pulse/689ec5aedd7ae8f9c7f8c654"
  ]
}