Long-running low-value ransomware campaign against Turkish SMBs and consumers uncovered

1 unique source, 1 article

Summary

A sustained ransomware campaign operating since at least 2020 has targeted Turkish individuals and small-to-medium businesses (SMBs) with low-dollar demands between $200 and $400 per victim. The operation uses a phishing email leading to a cloud-hosted Java archive containing a modified Adwind RAT variant, which establishes persistence, disables defenses, and drops a ransomware module named JanaWare. Geofencing ensures execution only on systems with Turkish language settings, minimizing collateral exposure. The campaign’s high-volume, low-value approach exploits weaker defenses in SMBs and individuals, enabling steady revenue while evading broader detection and response efforts.

Timeline

  1. 16.04.2026 09:00 · 1 article · 23h ago

    Six-year JanaWare ransomware campaign targeting Turkish SMBs and consumers disclosed

    A low-value, high-volume ransomware campaign has been active since at least 2020, targeting Turkish individuals and SMBs with demands of $200–$400. Attackers used phishing emails leading to a Java archive containing a modified Adwind RAT variant, which established persistence, disabled defenses, and delivered the JanaWare ransomware module. Geofencing ensured execution only on systems with Turkish language settings in Turkey, minimizing exposure and enabling sustained operations.

Information Snippets

  • The campaign has been active since at least 2020, utilizing a modified Adwind RAT variant to deliver a ransomware payload named JanaWare.

    First reported: 16.04.2026 09:00
    1 source, 1 article
  • Initial access is achieved via phishing emails directing victims to a cloud-hosted Java archive containing the malicious payload.

    First reported: 16.04.2026 09:00
    1 source, 1 article
  • The malware performs geofencing checks to ensure execution only on systems with Turkish language settings and located in Turkey.

    First reported: 16.04.2026 09:00
    1 source, 1 article
  • Post-compromise actions include disabling Microsoft Defender, blocking Windows updates, suppressing security notifications, and removing data recovery options.

    First reported: 16.04.2026 09:00
    1 source, 1 article
  • Ransom demands range from $200 to $400, aligning with a high-volume, low-value monetization strategy targeting SMBs and consumers.

    First reported: 16.04.2026 09:00
    1 source, 1 article
  • JanaWare ransomware is deployed as a plug-in following system compromise and persistence establishment by the Adwind RAT variant.

    First reported: 16.04.2026 09:00
    1 source, 1 article
  • The campaign’s longevity and scale are attributed to underreporting in smaller-target incidents, enabling persistence with minimal disruption.

    First reported: 16.04.2026 09:00
    1 source, 1 article