• Home
  • cyber
  • JanaWare: New ‘JanaWare’ ransomware targeting Turkish citizens as cybercriminal ecosystem fragments
cyber Ransomware

JanaWare: New ‘JanaWare’ ransomware targeting Turkish citizens as cybercriminal ecosystem fragments

Jan 1, 2020 2 min read
JanaWare: New ‘JanaWare’ ransomware targeting Turkish citizens as cybercriminal ecosystem fragments

JanaWare Ransomware Targets Turkey in Low-Cost, High-Volume Campaign

Cybersecurity firm Acronis has uncovered a localized ransomware campaign, JanaWare, specifically targeting users in Turkey since 2020. The operation employs a geofenced malware strain that restricts execution to systems with Turkish language settings and IP addresses within the country, ensuring it evades broader detection.

JanaWare follows a low-value, high-volume model, demanding ransoms of $200–$400 far below typical ransomware demands. The campaign primarily affects home users and small-to-medium businesses, with infections spread via phishing emails containing malicious Java archives. Attack chains often begin with Adwind malware, a heavily obfuscated strain designed to bypass security analysis.

Victims receive Turkish-language ransom notes embedded in the malware, instructing them to contact attackers via qTox, a decentralized chat platform. Acronis cited a confirmed case where a user’s files were encrypted after opening a Google Drive-linked email in Microsoft Outlook. The malware verifies the victim’s location before proceeding, reinforcing its Turkey-exclusive targeting.

The regional focus has likely helped JanaWare operate undetected for years, demonstrating how localized ransomware campaigns can persist quietly in the threat landscape. Acronis noted that the geographic restrictions also hinder international researchers from analyzing the malware, suggesting a deliberate, non-opportunistic strategy.

The report emerges amid broader shifts in the ransomware ecosystem. The FBI identified 63 new ransomware variants in 2025, linked to over $32 million in losses, while TRM Labs found a 94% increase in new strains (93 in 2025 vs. 48 in 2024). Despite a drop in blockchain-linked ransomware payments from $1.9 billion in 2024 to $1.3 billion in 2025 activity is expanding beyond traditional safe havens like Russia. Law enforcement now sees opportunities to disrupt gangs due to weaker operational security and traceable laundering infrastructure, though the long-term impact remains uncertain.

Source: https://therecord.media/new-janaware-ransomware-targeting-turkey

Acronis cybersecurity rating report: https://www.rankiteo.com/company/acronis

"id": "ACR1776198223",
"linkid": "acronis",
"type": "Ransomware",
"date": "1/2020",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'location': 'Turkey',
                        'type': ['Home users', 'Small-to-medium businesses']}],
 'attack_vector': 'Phishing emails',
 'data_breach': {'data_encryption': 'Yes', 'type_of_data_compromised': 'Files'},
 'date_detected': '2020',
 'description': 'Cybersecurity firm Acronis has uncovered a localized '
                'ransomware campaign, JanaWare, specifically targeting users '
                'in Turkey since 2020. The operation employs a geofenced '
                'malware strain that restricts execution to systems with '
                'Turkish language settings and IP addresses within the '
                'country, ensuring it evades broader detection. JanaWare '
                'follows a low-value, high-volume model, demanding ransoms of '
                '$200–$400, far below typical ransomware demands. The campaign '
                'primarily affects home users and small-to-medium businesses, '
                'with infections spread via phishing emails containing '
                'malicious Java archives. Attack chains often begin with '
                'Adwind malware, a heavily obfuscated strain designed to '
                'bypass security analysis.',
 'impact': {'data_compromised': 'Files encrypted',
            'financial_loss': '$32 million (broader ransomware ecosystem, not '
                              'specific to JanaWare)'},
 'initial_access_broker': {'entry_point': 'Phishing emails (Google '
                                          'Drive-linked emails in Microsoft '
                                          'Outlook)'},
 'lessons_learned': 'Localized ransomware campaigns can persist quietly in the '
                    'threat landscape due to geographic restrictions, '
                    'hindering international detection and analysis.',
 'motivation': 'Financial gain',
 'post_incident_analysis': {'root_causes': 'Geofenced malware targeting '
                                           'Turkish systems, phishing emails '
                                           'with malicious Java archives, and '
                                           'use of Adwind malware for '
                                           'evasion.'},
 'ransomware': {'data_encryption': 'Yes',
                'ransom_demanded': '$200–$400',
                'ransomware_strain': 'JanaWare'},
 'references': [{'source': 'Acronis'},
                {'source': 'FBI'},
                {'source': 'TRM Labs'}],
 'response': {'third_party_assistance': 'Acronis'},
 'threat_actor': 'JanaWare',
 'title': 'JanaWare Ransomware Targets Turkey in Low-Cost, High-Volume '
          'Campaign',
 'type': 'Ransomware'}
Published by
Jeremy C
Jeremy C
You might also like
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.