Full Report
ASEC Blog publishes Ransom & Dark Web Issues Week 1, July 2025 A new ransomware group named Kawa4096 Tonga’s Ministry of Health hit by INC RANSOM ransomware attack User data from three cryptocurrency exchanges in Austria, globally, and South Korea traded on two cybercrime forums
Analysis Summary
# Incident Report: Ransomware Activity and Data Leaks (Week 1, July 2025)
## Executive Summary
The first week of July 2025 saw the emergence of a new ransomware group, Kawa4096, alongside significant data compromise incidents, notably the ransomware attack against Tonga's Ministry of Health. Furthermore, user data from multiple cryptocurrency exchanges in Austria, globally, and South Korea was observed being traded on cybercrime forums, highlighting widespread data exfiltration impacting financial institutions.
## Incident Details
- Discovery Date: July 03, 2025 (Publication Date of summary report)
- Incident Date: Occurrences throughout the period leading up to July 3, 2025.
- Affected Organization: Tonga’s Ministry of Health; Three Cryptocurrency Exchanges (Austria, Global, South Korea).
- Sector: Government/Public Health, Financial Services (Cryptocurrency).
- Geography: Tonga, Austria, South Korea, Global.
## Timeline of Events
### Initial Access
- Date/Time: Not explicitly stated for most incidents, but observed activity led to the reported impacts.
- Vector: Ransomware deployment (Tonga MOH); Exploitation leading to data theft (Crypto Exchanges).
- Details: The summary indicates reports of Kawa4096 activity and a specific INC RANSOM attack on Tonga's MoH.
### Lateral Movement
- Not detailed in the summary, but implied in successful ransomware deployment (Tonga MOH).
### Data Exfiltration/Impact
- **Tonga MOH:** Hit by INC RANSOM ransomware attack.
- **Crypto Exchanges:** User data from exchanges in Austria, globally, and South Korea was traded on cybercrime forums.
### Detection & Response
- **Detection:** Incidents were detected via publication on ASEC monitoring services and observation on cybercrime forums (July 03, 2025, for the summary).
- **Response actions taken:** Not detailed in the summary provided; focus is on observation and reporting.
## Attack Methodology
*Note: Specific technical details for Kawa4096 and the crypto exchange breaches are limited to the high-level categorization provided in the source document.*
- Initial Access: Ransomware deployment (Tonga MOH using **INC RANSOM**).
- Persistence: Not detailed.
- Privilege Escalation: Not detailed.
- Defense Evasion: Not detailed.
- Credential Access: Not detailed.
- Discovery: Not detailed.
- Lateral Movement: Implied during data encryption/impact phase.
- Collection: User data harvested from cryptocurrency exchanges.
- Exfiltration: Data traded on cybercrime forums (Crypto exchange breaches).
- Impact: System unavailability/encryption (Tonga MOH); Data exposure (Crypto Exchanges).
## Impact Assessment
- Financial: Potential financial impact from ransomware negotiation/cleanup (Tonga MOH); Direct financial harm/fraud risk for cryptocurrency users.
- Data Breach: User data harvested from three separate cryptocurrency exchanges.
- Operational: Disruption to Tonga's Ministry of Health operations due to ransomware.
- Reputational: Negative impact on the affected cryptocurrency exchanges and the Tongan government.
## Indicators of Compromise
*IOCs are not provided in the source material, requiring subscription to ASEC TIP for access.*
- Network indicators: None provided.
- File indicators: None provided (Associated with new ransomware group Kawa4096).
- Behavioral indicators: Encryption activity associated with INC RANSOM at Tonga MOH.
## Response Actions
- Containment measures: Not specified.
- Eradication steps: Not specified.
- Recovery actions: Not specified.
*The provided text focuses on threat intelligence reporting rather than organizational incident response.*
## Lessons Learned
- The cybercrime ecosystem remains highly active, with new threat actors emerging (Kawa4096).
- Critical infrastructure, such as public health ministries (Tonga MOH), remains a viable target for financially motivated ransomware groups (INC RANSOM).
- Cryptocurrency platforms continue to be targeted for large-scale user data theft sensitive to trading on the Dark Web.
## Recommendations
- Organizations, especially critical infrastructure and financial services, must immediately review and strengthen defenses against known ransomware strains like INC RANSOM.
- Cryptocurrency exchanges must implement stringent access controls and data protection policies to prevent the bulk harvesting and subsequent sale of user PII/trading data.
- Organizations should proactively monitor threat intelligence feeds (such as ASEC TIP) for newly identified ransomware groups like Kawa4096.