A novel ransomware variant, dubbed JanaWare, has been quietly affecting individuals and businesses in Turkey. The ransomware employs a tailored version of the Adwind Remote Access Trojan (RAT) to infiltrate systems, marking a significant threat to digital security in the region.
JanaWare’s Targeted Approach
This ransomware campaign is distinct due to its geographic specificity, moderate ransom demands, and sophisticated evasion tactics that have enabled it to elude detection for an extended period. The attack is initiated through a phishing email containing or linking to a harmful Java Archive (JAR) file hosted on Google Drive.
When the victim clicks the link from Outlook, Chrome opens the Drive URL and downloads the malicious file, which then executes on the victim’s computer. This chain of trusted applications deceives both users and baseline security controls, facilitating the initial infection phase.
Technical Insights and Research Findings
The Acronis Threat Research Unit (TRU) uncovered this threat after analyzing Adwind-based breaches in Turkish systems. Their findings indicated that the Adwind RAT samples involved in this campaign carried additional modules and scripts, not found in earlier versions of the RAT.
The detailed study by Acronis TRU experts Jozsef Gegeny and David Catalan Alegre revealed that JanaWare has been operational since at least 2020, with confirmation that its command-and-control infrastructure remained active as of late 2025.
Operational Tactics and Evasion Techniques
JanaWare functions as a ransomware module dispatched by the Adwind RAT post-compromise. Upon file encryption, it places a Turkish-language ransom note in multiple directories with the prefix “ONEMLI NOT,” translating to “Important Note.” The ransom demands range from $200 to $400 USD, a strategy aimed at securing swift payments from less prepared victims.
All communication during the encryption stage occurs via the Tor network, ensuring anonymity. Victims are instructed to contact attackers through qTox or a designated .onion site, complicating law enforcement efforts.
Defensive Measures and Future Outlook
JanaWare’s evasion strategy includes checking the system locale and the host’s IP geolocation to confirm the victim is in Turkey before proceeding. This restricts the ransomware’s visibility to international researchers and automated sandboxes, which rarely present a Turkish locale or IP address.
The malware employs Java obfuscators, Stringer and Allatori, to complicate code analysis and includes a FilePumper class to modify its own JAR archive, creating unique file signatures.
To mitigate JanaWare’s risk, it is advised to limit Java Runtime Environment execution and block untrusted JAR files. Email gateways should scrutinize messages with Google Drive links, and network monitoring should detect connections to known C2 infrastructure. Regular offline backups and reporting any incidents to national CERT or law enforcement are crucial protective steps.
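As an added illustration of the gateway and endpoint checks recommended above (example code written for this page, not code from the article or from Acronis TRU), the Python below flags Google Drive downloads that served a JAR in a constructed proxy log, verifies that a suspect file really is a JAR by its ZIP manifest rather than its extension, and spots files carrying the reported ONEMLI NOT ransom-note prefix. The log format, client addresses, Drive file IDs and filenames are all assumptions.

```python
import re
import zipfile
from io import BytesIO

# Real Google Drive download/view endpoints; everything else below is constructed.
DRIVE_RE = re.compile(r"^https?://drive\.google\.com/(uc\?|file/d/|open\?)", re.I)
JAR_CONTENT_TYPES = {"application/java-archive", "application/x-java-archive"}
NOTE_PREFIX = "ONEMLI NOT"  # ransom-note prefix reported for JanaWare


def parse_proxy_line(line: str) -> dict:
    """Parse one hypothetical proxy record: '<ts> <client> <url> <content_type> <served_name>'."""
    ts, client, url, ctype, fname = line.split(maxsplit=4)
    return {"ts": ts, "client": client, "url": url, "ctype": ctype, "fname": fname}


def flag_drive_jar_downloads(lines):
    """Return records where a Drive URL delivered a JAR, judged by content type or served name.
    A plain Drive link (e.g. an HTML view page) is not flagged on its own."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_proxy_line(line)
        is_jar = rec["ctype"].lower() in JAR_CONTENT_TYPES or rec["fname"].lower().endswith(".jar")
        if DRIVE_RE.match(rec["url"]) and is_jar:
            hits.append(rec)
    return hits


def looks_like_jar(data: bytes) -> bool:
    """A JAR is a ZIP containing META-INF/MANIFEST.MF; the file extension is not trusted."""
    try:
        with zipfile.ZipFile(BytesIO(data)) as zf:
            return "META-INF/MANIFEST.MF" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def find_ransom_notes(filenames):
    """Filenames beginning with the ONEMLI NOT prefix, case-insensitively."""
    return [n for n in filenames if n.upper().startswith(NOTE_PREFIX)]


def build_sample_jar() -> bytes:
    """Constructed minimal JAR (a ZIP with only a manifest) for exercising looks_like_jar."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


# Constructed proxy log: one Drive JAR download, one Drive view page, one unrelated PDF.
SAMPLE_LOG = """\
2025-11-03T09:12:01Z 10.0.0.21 https://drive.google.com/uc?export=download&id=EXAMPLEID application/java-archive document.jar
2025-11-03T09:12:07Z 10.0.0.21 https://drive.google.com/file/d/EXAMPLEID/view text/html index.html
2025-11-03T09:13:44Z 10.0.0.35 https://example.org/report.pdf application/pdf report.pdf
"""
```

Running `flag_drive_jar_downloads(SAMPLE_LOG.splitlines())` on the constructed log returns only the first record; pairing that alert with `looks_like_jar` on the retrieved bytes and a periodic `find_ransom_notes` sweep of user directories covers the delivery, execution and impact stages the article describes.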
