JanaWare Ransomware Targets Turkey with Low Ransom Demands, High Volume Attacks
A new ransomware strain dubbed JanaWare is actively targeting users in Turkey, employing a low-value, high-volume approach with ransom demands between $200 and $400. The attacks, ongoing since 2020, leverage the **Adwind** Remote Access Trojan (RAT) and focus specifically on Turkish-speaking systems.
Cybersecurity firm **Acronis** has uncovered a targeted ransomware campaign affecting users in Turkey. The ransomware, named **JanaWare**, has been operating since 2020, primarily impacting home users and small to medium-sized businesses.
### Regional Focus and Evasion
Researchers at **Acronis** highlight the campaign's deliberate focus on Turkey, which has allowed it to remain largely unnoticed. The malware includes checks for system locale and language, ensuring it only executes on systems configured for the Turkish language and location. This regional targeting not only limits exposure but also hinders analysis by international security researchers.
### Infection Vector and Technical Details
The attacks typically begin with phishing emails containing malicious Java archives. These emails often leverage **Microsoft Outlook**, with a **Google Drive** link leading to the download of a malicious file. The initial infection involves the **Adwind** RAT, known for its obfuscation techniques designed to evade detection.
### Ransom Demands and Communication
The ransom notes, written in Turkish, instruct victims to contact the attackers via qTox, a decentralized chat platform operating over the Tox peer-to-peer network. The low ransom demands suggest a strategy of targeting a large number of victims with smaller payouts.
### Fragmentation of the Ransomware Landscape
This **JanaWare** campaign emerges amidst a broader trend of fragmentation within the ransomware ecosystem. Following disruptions of larger ransomware gangs, the number of new ransomware variants has increased significantly. An **FBI** report recently identified 63 new ransomware variants causing over $32 million in losses last year.
A report by **TRM Labs** further supports this trend, noting a 94% increase in new ransomware variants in 2025 compared to 2024, despite an overall decrease in ransomware-linked volume on the blockchain.
Ari Redbord, global head of policy at **TRM Labs**, suggests this fragmentation presents new opportunities for law enforcement to disrupt ransomware operations, particularly with operators in more reachable jurisdictions and more traceable laundering infrastructures.
html
<a rel="noopener" href="https://www.recordedfuture.com/?utm_source=therecord&utm_medium=ad"><figure><img src="https://cms.therecord.media/uploads/2025_0514_Record_Ads_970x250_1_d144dbf901.png" data-nimg="1" decoding="async" height="500" width="1000" alt="Recorded Future"></figure></a>
