A newly identified cyber campaign involving JanaWare ransomware is targeting users in Turkey, with researchers linking the activity to a customized version of the Adwind Remote Access Trojan (RAT). The findings come from an analysis by researchers at Acronis’ Threat Research Unit (TRU), who identified the threat cluster during an investigation into suspicious Java-based malware samples.
According to the researchers, the JanaWare ransomware operation appears to have been active since at least 2020. Evidence from malware samples and infrastructure indicates that the campaign has continued into late 2025, suggesting sustained activity with limited visibility.
The attack relies on a modified Adwind RAT that includes polymorphic capabilities. This allows the malware to change its structure across infections, making detection more difficult. Combined with code obfuscation, these techniques have likely contributed to the campaign remaining relatively unnoticed.
Unlike large ransomware groups that focus on high-value enterprise targets, JanaWare ransomware appears to follow a different strategy. Observed ransom demands range between $200 and $400, pointing to a model that prioritizes volume over large individual payouts.
Phishing Identified as Primary Infection Vector
The JanaWare ransomware campaign primarily spreads through phishing emails. Victims are lured into clicking malicious links, which lead to the download of a Java archive file. In many observed cases, the payload is hosted on cloud storage platforms.
Telemetry data reviewed by researchers shows a consistent attack chain. A phishing email is opened in Microsoft Outlook, followed by a browser session that downloads the malicious file. The file is then executed using Java, triggering the infection.
User reports on public cybersecurity forums also describe similar incidents, supporting the assessment that phishing is the main entry point.
Geofencing Restricts Janaware Ransomware Attacks to Turkey
A key feature of the JanaWare ransomware is its use of geofencing. The malware is designed to execute only on systems that meet specific regional criteria linked to Turkey.
It checks system language, locale settings, and external IP geolocation before proceeding. If the system does not match Turkish parameters, the malicious activity is halted.
Researchers note that this approach likely serves both operational and defensive purposes. It allows attackers to focus on a specific region while reducing exposure to global security monitoring and automated analysis systems.
Obfuscation and Polymorphism Hinder Detection
The JanaWare ransomware incorporates multiple techniques to evade detection. Researchers identified the use of known obfuscation tools such as Stringer and Allatori, alongside custom methods that complicate analysis.
The malware also includes a self-modifying component that alters its file structure during deployment. By adding random data to its Java archive, each instance generates a unique file hash, limiting the effectiveness of signature-based detection.
In addition, the malware contains embedded configuration parameters that control its behavior. These include command-and-control server details, communication ports, and authentication values used during initial connections.
Security Controls Disabled Before Encryption Stage
Before encrypting files, the malware attempts to weaken system defenses. It executes commands to disable Microsoft Defender, suppress security alerts, and remove recovery mechanisms such as Volume Shadow Copies.
It also interferes with Windows Update and scans for installed antivirus software. These steps reduce the likelihood of detection or recovery once the ransomware payload is activated.
The encryption process is carried out by a secondary module delivered after the initial compromise. This module uses AES encryption and communicates with command-and-control infrastructure over the Tor network.
Turkish-Language Ransom Notes Signal Targeted Approach
After encryption, the malware drops ransom notes across affected systems. These notes are written in Turkish and instruct victims to contact the attackers through encrypted communication channels such as qTox or Tor-based websites.
Researchers say the consistent use of Turkish-language content, combined with geofencing, indicates a deliberate focus on users in Turkey rather than a broad, global campaign.
The JanaWare ransomware campaign highlights how targeted, lower-profile operations can persist over long periods without drawing significant attention. By focusing on home users and small businesses, and keeping ransom demands relatively low, the attackers appear to maintain a steady but less visible operation.
Researchers caution that such localized campaigns may continue to operate alongside larger ransomware groups, adding another layer to the evolving threat landscape.
