JanaWare: The Under-the-Radar Ransomware That Has Been Quietly Targeting Turkey Since 2020

A stealthy ransomware operation known as JanaWare has been silently preying on Turkish internet users for at least five years — and it is still active today.

Unlike the headline-grabbing ransomware gangs that take down hospitals and fuel pipelines, JanaWare operates quietly, deliberately, and close to home. Researchers at Acronis Threat Research Unit (TRU) recently published a deep-dive analysis revealing how the campaign has managed to persist largely undetected by keeping its ambitions small and its focus tight.

At its core, JanaWare is built on a customized variant of the Adwind Remote Access Trojan (RAT) — a notorious Java-based malware framework that has been repurposed here to deliver a targeted ransomware payload. The operation combines polymorphic code, advanced obfuscation, and hard-coded geofencing logic to ensure it only activates on systems located within Turkey, keeping its footprint small and its exposure to international threat researchers minimal.

How the Attack Unfolds

JanaWare infections begin with a familiar but effective tactic: phishing emails sent via Microsoft Outlook. The messages contain links pointing to malicious files hosted on Google Drive, giving them an air of legitimacy. When the victim opens the downloaded Java Archive (JAR) file, the Java Runtime Environment (javaw.exe) executes it, triggering a multi-stage payload that ultimately downloads and deploys the ransomware module.

Once installed, the malware connects to its command-and-control (C2) infrastructure via Tor .onion relays, making the operator’s identity and server locations difficult to trace.

A hard-coded PASSWORD parameter embedded in the malware serves a dual purpose — authenticating the connection and decrypting the downloaded payloads — reflecting a modular, adaptable design that can be updated remotely. Attackers also conduct negotiations with victims over qTox, a decentralized peer-to-peer messaging platform with no central server to seize or subpoena.

Built to Evade Detection

What makes JanaWare technically noteworthy is the degree of effort put into avoiding detection. The Adwind RAT variant at its core uses multiple layers of obfuscation courtesy of tools like Stringer and Allatori, combined with custom class loaders that complicate reverse engineering. More cleverly, a component called FilePumper injects random data into each JAR file before delivery, ensuring that every infection produces a uniquely hashed binary. The practical result is that traditional signature-based antivirus detection is largely ineffective against it.

This polymorphic behavior, combined with the campaign’s deliberate regional focus, is precisely why JanaWare has flown under the radar for so long. As The Record reported, Acronis researchers note that the operation’s small scale and geographic isolation have helped it avoid the kind of attention that typically triggers international law enforcement responses.

Locked to Turkey — By Design

JanaWare’s most distinctive characteristic is its strict geographic enforcement. Before doing anything else, the malware checks three conditions: the system’s locale settings, its display language, and its external IP geolocation. If the result does not confirm a Turkish system (country code “TR”), the malware halts entirely. This is not an accident — it is a deliberate design choice that limits unintended infections and dramatically reduces the chance of the malware being picked up and analysed by researchers outside the region.

Once the geolocation check passes, JanaWare moves quickly. It disables Microsoft Defender, terminates Windows Update, and wipes Volume Shadow Copies to prevent file recovery. It then encrypts files across all available drives using AES encryption before dropping ransom notes — titled “ONEMLI NOT” (Turkish for “Important Note”) — into multiple folders across the infected system.

Low Ransoms, High Volume

The financial model behind JanaWare is telling. Ransom demands are deliberately modest, typically between $200 and $400, which strongly suggests a low-value, high-volume strategy aimed at quick, frictionless payouts from individuals and small businesses rather than the drawn-out negotiations common in enterprise-targeting ransomware campaigns. Victims are primarily home users and small-to-medium-sized businesses (SMBs) — targets less likely to have robust backups, incident response teams, or the resources to resist paying.

According to Acronis TRU, the campaign has been running since at least 2020, with samples compiled as recently as November 2025 confirming the associated infrastructure is still live and operational.

A Symptom of a Fragmenting Ransomware Landscape

JanaWare does not exist in a vacuum. As The Record noted alongside its coverage of the Acronis findings, the broader ransomware ecosystem is increasingly fragmented following the disruption of several large criminal groups. The FBI recently identified 63 new ransomware variants responsible for over $32 million in losses in a single year. Meanwhile, research firm TRM Labs found that while total ransomware-linked blockchain transactions fell from $1.9 billion in 2024 to $1.3 billion in 2025, the number of distinct ransomware variants surged by 94% year-over-year.

JanaWare is a case study in what that fragmentation looks like in practice: smaller, localised operations that deliberately avoid global attention, keep their targets modest, and rely on technical sophistication to persist quietly for years. It is a reminder that ransomware risk is not confined to big enterprises or headline-making attacks — and that geographically focused campaigns can thrive precisely because they stay beneath the threshold of international scrutiny.

Related Articles

Back to top button