Cybercriminals are using a new ransomware strain known as JanaWare to target individuals and small businesses in Turkey, according to a report from cybersecurity firm Acronis.
Researchers discovered the operation has been active since 2020. The malware employs execution constraints based on system locale and external IP geolocation to ensure it only infects systems located within Turkey.
Acronis researchers noted the campaign's regional focus and small-scale nature likely allowed it to remain unnoticed for years. The hackers appear to be pursuing a low-value, high-volume strategy, with ransom demands ranging between $200 and $400.
Targeted infection vectors
The attacks primarily target home users and small to medium-sized businesses. Most victims are infected via phishing emails containing malicious Java archives.
Acronis found that the ransomware often follows an initial infection by a malware strain called Adwind. This precursor malware uses heavy obfuscation to hinder detection and analysis by security software.
In several analyzed incidents, the attack chain began with emails read through Microsoft Outlook. A Google Drive link within these emails triggered a process that downloaded the malicious payload.
The JanaWare ransom notes are written in Turkish and instruct victims to contact the attackers via qTox, a decentralized chat platform operating over the Tox peer-to2 network. The ransom note is embedded directly within the malware itself.
This localized approach also serves to limit the ability of international security researchers to examine the threat. Acronis stated the geographic scope suggests the campaign is a targeted operation rather than an opportunistic one.
This emergence of JanaWare occurs as the broader ransomware ecosystem undergoes fragmentation. Following the disruption of several major ransomware gangs, the FBI recently identified 63 new ransomware variants that caused over $32 million in losses last year.
Data from TRM Labs shows that while blockchain-linked ransomware volume fell from $1.9 billion in 2024 to $1.3 billion in 2025, the number of new variants increased by 94% over the previous year.
"What we saw in 2025 is a ransomware ecosystem that is more fragmented than ever," said Ari Redbord, global head of policy at TRM Labs. Redbord noted that while brand-level takedowns are less effective against a growing number of variants, the fragmentation is creating new opportunities for law enforcement to trace laundering infrastructure.
