A Low-Profile, Geographically Restricted Campaign
Cybersecurity firm Acronis has published research detailing a ransomware strain called JanaWare that has been quietly operating against targets in Turkey since 2020. Unlike large-scale ransomware operations that cast a wide net, JanaWare enforces strict execution constraints tied to the victim's system locale and external IP geolocation — the malware will only proceed if it determines the targeted machine is located within Turkey.
Ransom demands are deliberately kept low, typically ranging between $200 and $400, suggesting the threat actors behind the campaign have adopted a low-value, high-volume strategy rather than hunting for large corporate payouts. Acronis noted that the campaign has primarily victimized home users and small to medium-sized businesses.
"Despite evidence suggesting the campaign has been active for several years, its regional focus and relatively small-scale operations likely helped it remain largely unnoticed. This case demonstrates how targeted, localized ransomware campaigns can quietly persist in the threat landscape."
How JanaWare Infects Its Victims
The attack chain typically begins with phishing emails delivering malicious Java archives. The initial infection vector involves a malware strain known as Adwind, which Acronis described as containing several features designed to "hinder detection and analysis, including heavy obfuscation."
In several analyzed incidents, the compromise started when a victim opened an email in Microsoft Outlook. The email contained a Google Drive link that, once clicked, triggered a process leading to the download of a malicious file. Acronis also referenced a victim report found on a public forum confirming that device files were encrypted after opening an email through Outlook.
Geographic and Language Checks
Before encrypting any files, the malware performs verification steps — checking the victim's system language, country settings, and physical location. Only systems configured for the Turkish language and located within Turkey will proceed through the attack chain. According to Acronis, this deliberate design has a dual purpose: it ensures the malware operates only in its intended environment, and it makes analysis significantly harder for international security researchers who lack access to Turkish-locale systems.
The ransom note itself is written entirely in Turkish and is embedded directly within the malware binary — another indicator that this is a tightly focused, geographically defined campaign rather than an opportunistic one. Victims are directed to contact the attackers via qTox, a free, decentralized messaging platform that runs over the Tox peer-to-peer network, providing the operators with an additional layer of anonymity.
Part of a Broader Fragmentation Trend
The Acronis findings arrive at a moment when the global ransomware landscape is undergoing significant structural change. Law enforcement actions and high-profile disruptions have fractured several large ransomware operations, leading to a proliferation of smaller, more diverse groups.
Last week, the FBI disclosed that it had identified 63 new ransomware variants responsible for more than $32 million in losses during the past year. A ransomware report published on April 8 by TRM Labs reinforced that picture, finding that while ransomware-linked transaction volume on the blockchain dropped from $1.9 billion in 2024 to $1.3 billion in 2025, a total of 93 new ransomware variants emerged last year — representing a 94% increase compared to 2024.
TRM Labs also found that ransomware activity is no longer concentrated solely in Russia and other jurisdictions that lack extradition treaties with the United States, with operators increasingly appearing in regions where law enforcement cooperation is more feasible.
Fragmentation as Both Threat and Opportunity
Ari Redbord, global head of policy at TRM Labs, offered a nuanced view of what the fragmentation means for defenders and law enforcement:
"What we saw in 2025 is a ransomware ecosystem that is more fragmented than ever — but that fragmentation is also creating real vulnerabilities. The old playbook of brand-level takedowns is less effective against 161 variants — but for the first time, we're seeing operators in reachable jurisdictions, weaker service layers exposed, and a laundering infrastructure that is far more traceable than actors assume."
Redbord further noted that intelligence gathered from past leaks and law enforcement seizures has positioned authorities to disrupt ransomware operations "at a scale we haven't seen before," adding: "The question for 2026 is whether that window gets used."
Implications for Defenders
The JanaWare case highlights several important considerations for the security community. First, region-specific ransomware campaigns can sustain themselves for years by deliberately staying beneath the radar of international researchers. Second, the combination of low ransom demands and high volume means victims may be less likely to report incidents, allowing operators to continue undetected.
- Organizations and individuals in Turkey should be particularly vigilant about phishing emails containing links to file-sharing services like Google Drive.
- Security teams should ensure endpoint detection tools can identify Java-based malware loaders such as Adwind, even when heavily obfuscated.
- The use of decentralized communication platforms like qTox for ransom negotiations makes takedowns more complex and underscores the need for behavioral detection rather than relying solely on infrastructure blocking.
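The behavioral detection recommended above, sketched as an added example (not code from Acronis or The Record): it flags a Java runtime launching a JAR from a user-writable folder in process-creation events, which does not depend on the loader's obfuscation or on blocking infrastructure. The event field names, folder list, parent-process list and sample events are assumptions constructed for illustration.

```python
import ntpath
import re

# Assumed tuning values for this sketch; adjust to the environment's own baseline.
JAVA_IMAGES = {"java.exe", "javaw.exe"}
INTERACTIVE_PARENTS = {"explorer.exe", "outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
JAR_ARG = re.compile(r'-jar\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(downloads|desktop|appdata\\local\\temp|appdata\\roaming)\\",
    re.IGNORECASE,
)

# Constructed process-creation events (hypothetical field names), not real telemetry.
EVENTS = [
    {"host": "pc-01", "image": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "cmdline": r'"C:\Program Files\Java\jre\bin\javaw.exe" -jar "C:\Users\user1\Downloads\invoice.jar"',
     "parent": r"C:\Windows\explorer.exe"},
    {"host": "build-02", "image": r"C:\Program Files\Java\jre\bin\java.exe",
     "cmdline": r'java.exe -jar "C:\Program Files\BuildTool\agent.jar"',
     "parent": r"C:\Windows\System32\services.exe"},
    {"host": "pc-03", "image": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "cmdline": r"javaw.exe -jar C:\Users\user2\AppData\Local\Temp\doc.jar",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "pc-04", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\user3\Downloads\notes.txt",
     "parent": r"C:\Windows\explorer.exe"},
]

def flag_jar_launches(events):
    """Return one alert per Java process that runs a JAR from a user-writable path."""
    alerts = []
    for ev in events:
        # ntpath parses Windows paths regardless of the OS running this script.
        if ntpath.basename(ev["image"]).lower() not in JAVA_IMAGES:
            continue
        match = JAR_ARG.search(ev["cmdline"])
        if not match:
            continue
        jar = match.group(1) or match.group(2)
        if not USER_WRITABLE.search(jar):
            continue  # JARs under installed-software paths are left to other rules
        parent = ntpath.basename(ev["parent"]).lower()
        # A mail client, browser or shell double-click as parent raises confidence.
        severity = "high" if parent in INTERACTIVE_PARENTS else "medium"
        alerts.append({"host": ev["host"], "jar": jar, "parent": parent, "severity": severity})
    return alerts

for alert in flag_jar_launches(EVENTS):
    print(alert)
```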
As the broader cybercriminal ecosystem continues to splinter into smaller, regionally focused groups, JanaWare serves as a reminder that the threat landscape extends well beyond the headline-grabbing gangs — and that localized campaigns deserve equal attention from both defenders and policymakers.
Source: The Record