“Kawabunga, dude, you’ve been ransomed! Huntress analysts recently observed an incident where a newer ransomware variant, KawaLocker (also known as Kawa4096) ransomware, was deployed. It’s not unusual for new ransomware variants to pop up on the Huntress SOC radar. About a y…”
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
T1486 Data Encrypted for Impact
99%
“extend their reach by enabling RDP on additional endpoints within the infrastructure, likely so that they could log in to each one, and repeat their efforts to manually deploy ransomware, or at the very least, be able to access the endpoints listed in the file 1.txt via RDP shou…”
T1486 Data Encrypted for Impact
98%
“excerpt of which is illustrated in Figure 2. Figure 2: Excerpt of ransom note. The email address listed at the end of the ransom note is kawa4096@onionmail[.]org, which is likely from where the reference to Kawa4096 originated. After the threat actor deployed the ransomware,…”
T1021.001 Remote Desktop Protocol
97%
“similar design to the leak site of Akira, while its ransom note is nearly identical to that of Qilin. However, SpiderLabs analysts felt that this was in an effort to increase their visibility and not due to any direct collaboration. Initial Access and HRSword. On August 8, we saw …”
T1486 Data Encrypted for Impact
96%
“investigation, and response to this endpoint, Huntress analysts were able to prevent the threat actor from accessing other endpoints, including those for which enabling RDP had been attempted. This response obviated further impact to the victim’s infrastructure. When Huntress a…”
T1021.001 Remote Desktop Protocol
95%
“investigation, and response to this endpoint, Huntress analysts were able to prevent the threat actor from accessing other endpoints, including those for which enabling RDP had been attempted. This response obviated further impact to the victim’s infrastructure. When Huntress a…”
T1080 Taint Shared Content
87%
“extend their reach by enabling RDP on additional endpoints within the infrastructure, likely so that they could log in to each one, and repeat their efforts to manually deploy ransomware, or at the very least, be able to access the endpoints listed in the file 1.txt via RDP shou…”
T1080 Taint Shared Content
83%
“investigation, and response to this endpoint, Huntress analysts were able to prevent the threat actor from accessing other endpoints, including those for which enabling RDP had been attempted. This response obviated further impact to the victim’s infrastructure. When Huntress a…”
T1543.003 Windows Service
81%
“psfx.000\HRSword.bat. The threat actor was then observed running tasklist.exe piped through a find command to locate specific tooling of interest, and then deploying tools to disable those security tools. Shortly after, the Windows services associated with those installed s…”
T1219 Remote Access Tools
49%
“investigation, and response to this endpoint, Huntress analysts were able to prevent the threat actor from accessing other endpoints, including those for which enabling RDP had been attempted. This response obviated further impact to the victim’s infrastructure. When Huntress a…”
T1021.001 Remote Desktop Protocol
47%
“extend their reach by enabling RDP on additional endpoints within the infrastructure, likely so that they could log in to each one, and repeat their efforts to manually deploy ransomware, or at the very least, be able to access the endpoints listed in the file 1.txt via RDP shou…”
T1021.001 Remote Desktop Protocol
41%
“that develops HRSword, per a LinkedIn post on the tool by cyber intrusion analyst Mikelle Bandin. Figure 1: sysdiag.sys driver file version information. Early in their logon session, the threat actor had run advanced_port_scanner.exe, likely as a means of enumeration of dev…”
T1569.002 Service Execution
40%
“psfx.000\HRSword.bat. The threat actor was then observed running tasklist.exe piped through a find command to locate specific tooling of interest, and then deploying tools to disable those security tools. Shortly after, the Windows services associated with those installed s…”
T1490 Inhibit System Recovery
35%
“excerpt of which is illustrated in Figure 2. Figure 2: Excerpt of ransom note. The email address listed at the end of the ransom note is kawa4096@onionmail[.]org, which is likely from where the reference to Kawa4096 originated. After the threat actor deployed the ransomware,…”
Summary
Thanks in large part to our customer base, Huntress sees a great deal of interesting activity, particularly from threat actors (but also from admins). Part of that activity includes not just ransomware variants that Huntress hasn’t seen before, but also variants that may not have been documented via any public means. Further, when these incidents occur, Huntress very often gets a detailed look at the threat actor’s activity, including commands and their timing.