
Ransomware incidents in Japan during the first half of 2025

Medium
Published: Tue Aug 19 2025 (08/19/2025, 18:06:08 UTC)
Source: AlienVault OTX General

Description

The first half of 2025 saw a 1.4-fold increase in ransomware attacks in Japan compared to the previous year, with 68 confirmed cases. Small and medium-sized enterprises remained the primary targets, with manufacturing being the most affected industry. The ransomware group Qilin emerged as the most active threat, responsible for eight incidents. A new group, Kawa4096, appeared in late June, targeting Japanese companies. The analysis also details the KaWaLocker ransomware, including its configuration, encryption methods, and the emergence of KaWaLocker 2.0 with enhanced features. The continued evolution and intensification of ransomware activities in Japan highlight the need for increased cybersecurity measures across various industries.

AI-Powered Analysis

Last updated: 08/19/2025, 21:48:01 UTC

Technical Analysis

During the first half of 2025, Japan experienced a significant increase in ransomware attacks, with a 1.4-fold rise compared to the previous year, totaling 68 confirmed incidents. The primary victims were small and medium-sized enterprises (SMEs), with the manufacturing sector being the most heavily targeted. The ransomware group Qilin was identified as the most active adversary, responsible for eight attacks. Additionally, a new ransomware group named Kawa4096 emerged in late June 2025, focusing on Japanese companies. The threat landscape also includes the KaWaLocker ransomware family, which employs sophisticated encryption methods such as Salsa20. KaWaLocker 2.0, an enhanced version, has been observed with improved features, likely increasing its effectiveness and evasion capabilities. The attacks often involve double-extortion tactics, where attackers not only encrypt data but also exfiltrate sensitive information to pressure victims into paying ransoms. The tactics, techniques, and procedures (TTPs) associated with these ransomware campaigns include initial access via phishing (T1566), execution of malicious code (T1059.003), credential dumping (T1003), defense evasion (T1070.001), and data encryption (T1486). The evolution and intensification of these ransomware activities underscore the urgent need for robust cybersecurity measures across multiple industries in Japan. Although the current data focuses on Japan, the technical sophistication and targeting patterns of these ransomware groups present potential risks to similar sectors globally, including Europe.

Potential Impact

For European organizations, particularly SMEs in manufacturing and related sectors, this ransomware threat represents a growing risk due to the demonstrated targeting of similar business profiles in Japan. The use of advanced encryption algorithms like Salsa20 and double-extortion tactics could lead to severe operational disruptions, financial losses from ransom payments, reputational damage, and potential regulatory penalties under GDPR if personal or sensitive data is compromised. The emergence of new ransomware variants such as KaWaLocker 2.0 indicates an ongoing evolution in attack sophistication, which could bypass traditional defenses. European companies with supply chain or business relationships with Japanese firms may also face indirect impacts. Furthermore, the ransomware groups’ use of multiple TTPs suggests that attacks can be multi-faceted, involving social engineering, lateral movement, and persistence, increasing the difficulty of detection and remediation. The medium severity rating reflects the current scope limited to Japan but warns of potential spillover risks to Europe, especially if these groups expand their targeting or if similar vulnerabilities exist in European SMEs.

Mitigation Recommendations

European organizations should implement targeted, proactive measures beyond generic advice:

1) Conduct thorough risk assessments focusing on SME manufacturing environments to identify specific vulnerabilities exploited by ransomware groups like Qilin and Kawa4096.
2) Enhance email security with advanced phishing detection and user training tailored to recognize social engineering tactics used in these campaigns.
3) Deploy endpoint detection and response (EDR) solutions capable of identifying behaviors associated with KaWaLocker, including unusual encryption activity and process injection techniques.
4) Implement network segmentation to limit lateral movement and contain infections.
5) Regularly back up critical data with immutable storage solutions and verify backup integrity to ensure recovery without ransom payment.
6) Monitor for indicators of compromise (IOCs) such as the provided file hashes and network indicators linked to these ransomware families.
7) Apply strict access controls and multi-factor authentication to reduce credential theft risks.
8) Collaborate with industry information sharing groups to stay updated on emerging threats and share intelligence.
9) Develop and rehearse incident response plans specifically addressing double-extortion ransomware scenarios to minimize downtime and data leakage.
10) Consider threat hunting exercises focused on TTPs like credential dumping, defense evasion, and persistence techniques used by these adversaries.


Technical Details

Author
AlienVault
Tlp
white
References
https://blog.talosintelligence.com/ransomware_incidents_in_japan_during_the_first_half_of_2025/
Adversary
Qilin
Pulse Id
68a4bd10ede4e49b0999d905
Threat Score
null

Indicators of Compromise

Hash


Threat ID: 68a4ed7fad5a09ad00fba94e

Added to database: 8/19/2025, 9:32:47 PM

Last enriched: 8/19/2025, 9:48:01 PM

Last updated: 8/20/2025, 6:38:09 AM

