A newly published report from Acronis describes a ransomware operation that has likely been running since at least 2020, targeting home users and small or medium-sized businesses (SMBs) across Turkey. Rather than chasing large enterprises, the operators extort many small victims for a few hundred dollars each, demanding between $200 and $400 per infection. Because incidents this small rarely get reported, the campaign appears to have quietly persisted for roughly six years with little disruption.

The economics favor this low-value, high-volume approach. As Santiago Pontiroli, team lead at Acronis' Threat Research Unit (TRU), explains, large enterprise intrusions draw media coverage and law enforcement attention, while minor incidents tend to slip by unnoticed. Smaller victims are also easier to compromise at scale through phishing, usually have weaker defenses, and are more inclined to pay quickly. Spreading effort across many modest targets, he notes, can produce steady income without the cost of pursuing a handful of big ones.

How the attack works

The infection chain is deliberately simple. A target receives an email, clicks through to a file hosted in the cloud, and ends up with a malicious Java archive — a flow that often evades anti-phishing protections. The payload is a custom build of Adwind RAT, a long-lived and heavily forked Java remote access Trojan. It establishes command-and-control, sets itself to launch at startup for persistence, and then runs a series of checks.

The malware's first and strictest test is geographic: it confirms the victim is in Turkey and that the system language is set to Turkish, keeping the operation confined to familiar terrain and away from regions that might invite scrutiny. Once it clears that gate, it works to soften the machine — switching off Microsoft Defender, scanning for other antivirus tools, blocking Windows updates, muting security alerts, and removing options for data recovery. It then deploys its final payload, a ransomware module dubbed "JanaWare," along with a generic ransom note.
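The behavior chain above lends itself to a simple behavioral detection: flag hosts where a Java process tree touches more than one of the tampering categories. The sketch below is an added example, not code from the Acronis report. The command-line patterns are common Windows administration commands assumed here as stand-ins for those categories, and the hosts, paths and events are constructed.

```python
import re
from collections import defaultdict

# Assumed patterns for the tampering categories the article names. These are
# common Windows admin commands, not indicators taken from the report.
TAMPER = {
    "defender_off": re.compile(r"Set-MpPreference.*-DisableRealtimeMonitoring", re.I),
    "updates_blocked": re.compile(r"sc(\.exe)?\s+config\s+wuauserv\s+start=\s*disabled", re.I),
    "recovery_removed": re.compile(r"vssadmin.*delete\s+shadows|bcdedit.*recoveryenabled\s+no", re.I),
}
JAVA = re.compile(r"\\javaw?\.exe$", re.I)

def java_tamper_hosts(events, min_categories=2):
    """Return {host: sorted categories} for hosts where processes descended
    from java/javaw ran commands in at least min_categories categories."""
    java_tree = defaultdict(set)   # host -> pids that are Java or its descendants
    hits = defaultdict(set)
    for ev in events:              # events must be in chronological order
        host = ev["host"]
        if not (JAVA.search(ev["image"]) or ev["ppid"] in java_tree[host]):
            continue               # outside any Java process tree
        java_tree[host].add(ev["pid"])
        for name, pattern in TAMPER.items():
            if pattern.search(ev["cmd"]):
                hits[host].add(name)
    return {h: sorted(c) for h, c in hits.items() if len(c) >= min_categories}

# Constructed process-creation events: (host, pid, ppid, image, command line).
ROWS = [
    ("pc-01", 100, 4, r"C:\Java\bin\javaw.exe", r"javaw.exe -jar C:\Users\a\Downloads\doc.jar"),
    ("pc-01", 101, 100, r"C:\Windows\System32\cmd.exe",
     "cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("pc-01", 102, 101, r"C:\Windows\System32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    # An administrator doing maintenance by hand: no Java ancestor, so ignored.
    ("pc-02", 200, 50, r"C:\Windows\System32\cmd.exe", "vssadmin delete shadows /for=C: /oldest"),
    ("pc-02", 201, 200, r"C:\Windows\System32\sc.exe", "sc config wuauserv start= disabled"),
    # A Java application that touches one category only: below the threshold.
    ("pc-03", 300, 4, r"C:\Java\bin\java.exe", "java.exe -jar app.jar"),
    ("pc-03", 301, 300, r"C:\Windows\System32\sc.exe", "sc config wuauserv start= disabled"),
]
SAMPLE = [dict(zip(("host", "pid", "ppid", "image", "cmd"), r)) for r in ROWS]

if __name__ == "__main__":
    print(java_tamper_hosts(SAMPLE))
```

Requiring two categories under a Java ancestor keeps routine administration and ordinary Java applications out of the results; PID reuse over long time windows is not handled.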

None of these techniques are especially advanced, but Pontiroli stresses that small-scale operations can still draw on mature methods such as obfuscation, polymorphism, and anonymized communications — and that their impact shouldn't be dismissed. Compromised SMBs can sit within supply chains or serve other organizations, so even modest ransom demands can ripple outward. The true number of JanaWare victims over the past six years remains unknown, in part because researchers lack the telemetry for individuals and small firms that they have for major enterprises, and ordinary Turkish users are unlikely to submit malware samples for analysis.