A new ransomware strain named JanaWare is actively targeting home users and small to medium-sized businesses primarily in Turkey. This threat leverages a customized version of the Adwind Remote Access Trojan (RAT) as its initial entry vector. The campaign has been noted for its specific geographic focus, relatively low ransom demands, and sophisticated evasion tactics that have allowed it to operate undetected for an extended period.
The attack sequence begins with a phishing email, often containing or linking to a malicious Java Archive (JAR) file hosted on Google Drive. Upon user interaction, typically via Microsoft Outlook, the link directs Chrome to download and execute the JAR file. The execution is handled by `javaw.exe`, creating a seemingly routine process that can bypass basic security monitoring. This integration with legitimate applications aids in the initial stealth of the operation.
Once activated, the JAR file deploys a modified variant of Adwind RAT. Adwind, a well-established Java-based remote access tool, has been repurposed within this campaign to function as a multi-stage loader for the primary ransomware payload. Researchers at the Acronis Threat Research Unit (TRU) identified this threat cluster after observing anomalous activities on Turkish endpoints associated with Adwind. Their analysis revealed that these specific Adwind samples included additional modules and post-exploitation scripts not previously cataloged for the RAT, indicating a significant evolution in its capabilities.
JanaWare Ransomware: A Deep Dive into its Operations
The JanaWare campaign has been active since at least 2020, with evidence suggesting its command-and-control (C2) infrastructure remained operational as of November 2025. This prolonged operational window highlights its effectiveness in evading detection and disruption. The ransomware itself is selectively deployed by the Adwind RAT following a successful compromise. After encrypting files, JanaWare leaves a ransom note in Turkish within multiple directories, typically prefixed with “ONEMLI NOT,” which translates to “Important Note.”
The ransom demands observed in analyzed samples range from $200 to $400 USD, a modest figure compared to ransomware operations that target larger enterprises. This approach suggests a strategy focused on a high volume of smaller payments, targeting individuals and smaller businesses who may be more susceptible to quick payment due to limited recovery resources. Communication with the attackers is exclusively facilitated through the Tor network, using anonymized infrastructure to ensure that C2 traffic is difficult to trace.
Victims are instructed to contact the cybercriminals using qTox, a decentralized peer-to-peer messaging application, or via a dedicated .onion website accessible through the Tor Browser. These communication channels are chosen to circumvent law enforcement monitoring and traditional takedown efforts, further enhancing the attackers’ anonymity and operational security. Routing every communication of the encryption phase over Tor adds another layer of complexity for investigators attempting to track the perpetrators.
A key element of JanaWare’s evasion strategy is its advanced geofencing and self-modification capabilities. Before initiating any malicious actions, the malware performs checks on the system’s locale, language settings, and the geolocation of its external IP address. The ransomware only proceeds if the environment matches Turkish language settings and the IP address confirms a connection originating from Turkey. This targeted approach effectively renders the ransomware invisible to most international security researchers and automated sandbox environments, as it simply terminates when executed outside its designated region.
Beyond geofencing, JanaWare employs two publicly known Java obfuscators, Stringer and Allatori, to significantly complicate code reverse-engineering efforts. Additionally, a class named FilePumper is integrated into the malware, which adds random content to its JAR archive during installation. This process inflates the file size and generates a unique MD5 hash for each infected machine, a technique that effectively neutralizes simple hash-based detection methods and makes the malware polymorphic.
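The FilePumper behaviour described above is worth seeing from the detection side: a per-machine padding step changes the archive's MD5, but it does not change the class entries inside the JAR. The following added example (not code from the article or from the malware) imitates that padding in a constructed in-memory JAR and contrasts a whole-file MD5 with a fingerprint computed only over the `.class` entries. The entry names, the padding entry `META-INF/pad.bin`, and the class contents are all made up for the demonstration; a real sample's padding scheme and class names are whatever the obfuscated archive contains.

```python
import hashlib
import io
import os
import zipfile

# Constructed stand-in for a tiny JAR: a manifest plus two class entries.
# The class bytes are placeholder data, not real Java bytecode.
BASE_ENTRIES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nMain-Class: loader.Main\n",
    "loader/Main.class": b"\xca\xfe\xba\xbe" + b"main-class-body",
    "loader/Pump.class": b"\xca\xfe\xba\xbe" + b"pump-class-body",
}


def build_jar(entries: dict, pad_bytes: int = 0) -> bytes:
    """Write entries into an in-memory JAR. When pad_bytes > 0, add one junk entry of
    random bytes: our imitation of the padding the article attributes to FilePumper
    (the entry name META-INF/pad.bin is an assumption for this example)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
        if pad_bytes:
            zf.writestr("META-INF/pad.bin", os.urandom(pad_bytes))
    return buf.getvalue()


def md5_hex(blob: bytes) -> str:
    """Whole-file MD5, the value a simple hash blocklist would key on."""
    return hashlib.md5(blob).hexdigest()


def class_fingerprint(blob: bytes) -> str:
    """SHA-256 over the sorted (name, CRC32) pairs of .class entries only.
    Junk entries and archive-level byte changes do not affect it."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        items = sorted(
            (zi.filename, zi.CRC) for zi in zf.infolist() if zi.filename.endswith(".class")
        )
    h = hashlib.sha256()
    for name, crc in items:
        h.update(f"{name}:{crc:08x}\n".encode())
    return h.hexdigest()


def compare(pad_bytes: int = 4096) -> dict:
    """Build a clean and a padded copy of the same JAR and report which identifiers survive."""
    clean = build_jar(BASE_ENTRIES)
    pumped = build_jar(BASE_ENTRIES, pad_bytes)
    return {
        "md5_equal": md5_hex(clean) == md5_hex(pumped),
        "fingerprint_equal": class_fingerprint(clean) == class_fingerprint(pumped),
        "size_delta": len(pumped) - len(clean),
    }


if __name__ == "__main__":
    print(compare())
```

Each run produces a different MD5 for the padded archive, while the class-entry fingerprint stays constant, which is the property a detection rule should key on instead of the file hash.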
Once the geofencing checks are passed, the malware executes a series of PowerShell and registry commands designed to weaken the system’s defenses prior to the encryption phase. These actions include disabling Microsoft Defender, suppressing security alerts, deleting Volume Shadow Copy (VSS) backups, and disabling Windows Update. The malware also enumerates installed antivirus products to disrupt endpoint protection integrations. Subsequently, it downloads and executes its encryption module, which utilizes AES encryption. The encryption key is transmitted directly to the C2 server over Tor, making file recovery without this key virtually impossible.
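The defence-tampering sequence above leaves a very characteristic trail in command-line and PowerShell logging. The added example below (not code from the article) scans a constructed, pipe-delimited log of `timestamp|host|parent_image|command_line` records for the four categories the article names (Defender disabled, alerts suppressed, VSS backups deleted, Windows Update disabled) and flags a host only when several distinct categories appear, which cuts out the lone administrator running one of these commands for a legitimate reason. The regexes match generic Windows administration commands and registry values, not strings recovered from JanaWare samples; the log format and sample lines are constructed.

```python
import re
from collections import defaultdict

# Patterns for the tampering categories the article lists. These are generic Windows
# administration commands and policy values, not strings from the malware.
TAMPER_RULES = [
    ("defender_disabled", re.compile(r"Set-MpPreference\s+-Disable\w*Monitoring\s+\$?true", re.I)),
    ("defender_disabled", re.compile(r"Windows Defender.*DisableAntiSpyware.*\b1\b", re.I)),
    ("alerts_suppressed", re.compile(r"DisableNotifications\s.*\b1\b", re.I)),
    ("vss_deleted",       re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vss_deleted",       re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("update_disabled",   re.compile(r"sc(\.exe)?\s+config\s+wuauserv\s+start=\s*disabled", re.I)),
    ("update_disabled",   re.compile(r"WindowsUpdate\\AU.*NoAutoUpdate.*\b1\b", re.I)),
]
JAVA_PARENTS = {"javaw.exe", "java.exe"}  # the launcher the article describes

# Constructed sample log: one host showing the full sequence from a Java parent,
# one host with benign, look-alike administration commands.
SAMPLE_LOG = [
    "2025-11-03T10:12:01Z|WS-07|javaw.exe|powershell.exe -nop -w hidden -c Set-MpPreference -DisableRealtimeMonitoring $true",
    '2025-11-03T10:12:02Z|WS-07|javaw.exe|reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\Notifications" /v DisableNotifications /t REG_DWORD /d 1 /f',
    "2025-11-03T10:12:03Z|WS-07|javaw.exe|vssadmin.exe delete shadows /all /quiet",
    '2025-11-03T10:12:04Z|WS-07|javaw.exe|reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU" /v NoAutoUpdate /t REG_DWORD /d 1 /f',
    "2025-11-03T11:40:10Z|WS-02|explorer.exe|vssadmin list shadows",
    "2025-11-03T11:41:00Z|WS-02|explorer.exe|powershell.exe Get-MpPreference",
]


def classify(cmdline: str) -> set:
    """Return the set of tampering categories a single command line matches."""
    return {cat for cat, rx in TAMPER_RULES if rx.search(cmdline)}


def parse(line: str) -> dict:
    """Split one constructed log record into its four fields."""
    ts, host, parent, cmd = line.split("|", 3)
    return {"ts": ts, "host": host, "parent": parent.lower(), "cmd": cmd}


def flag_hosts(lines, min_categories: int = 2) -> dict:
    """Group matches per host and flag hosts showing at least `min_categories` distinct
    tampering categories. Also record whether any matching command had a Java parent."""
    per_host = defaultdict(lambda: {"categories": set(), "java_parent": False})
    for line in lines:
        ev = parse(line)
        cats = classify(ev["cmd"])
        if not cats:
            continue
        entry = per_host[ev["host"]]
        entry["categories"] |= cats
        entry["java_parent"] |= ev["parent"] in JAVA_PARENTS
    return {
        host: {"categories": sorted(v["categories"]), "java_parent": v["java_parent"]}
        for host, v in per_host.items()
        if len(v["categories"]) >= min_categories
    }


if __name__ == "__main__":
    for host, info in flag_hosts(SAMPLE_LOG).items():
        print(host, info)
```

The threshold on distinct categories, combined with the Java parent, is what separates the pre-encryption sequence from routine administration; a single `vssadmin` invocation on its own would not fire.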
To mitigate the risk of JanaWare infection, users and organizations are advised to disable or restrict the execution of the Java Runtime Environment (JRE) on endpoints where it is not essential, and to block the execution of JAR files from untrusted sources. Email security gateways should be configured to flag or quarantine messages containing Google Drive links that are accompanied by executable file types. Network monitoring should be implemented to detect outbound connections to known C2 infrastructure, such as elementsplugin.duckdns.org on ports 49152 and 49153.
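Two of the detections suggested above, the delivery chain (a JAR launched by `javaw.exe` from a browser or mail client) and the network indicators (`elementsplugin.duckdns.org`, ports 49152 and 49153), can be expressed as rules over endpoint telemetry. The added example below (not code from the article) runs both over a constructed NDJSON stream of process, DNS and network events. The domain and ports come from the article; the event schema, the host names, file paths and the benign events are constructed, and the choice of `chrome.exe` and `outlook.exe` as expected parents follows the delivery chain the article describes.

```python
import json
import ntpath

# Indicators named in the article; everything else in this file is constructed.
C2_DOMAINS = {"elementsplugin.duckdns.org"}
C2_PORTS = {49152, 49153}
JAVA_IMAGES = {"javaw.exe", "java.exe"}
DELIVERY_PARENTS = {"outlook.exe", "chrome.exe"}           # delivery chain from the article
UNTRUSTED_DIRS = ("\\downloads\\", "\\temp\\", "\\inetcache\\")  # assumed user-writable drop paths


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def jar_launch_from_delivery_chain(ev: dict):
    """Java launcher running a .jar from an untrusted directory, parented by mail or browser."""
    if ev.get("type") != "process" or _basename(ev.get("image", "")) not in JAVA_IMAGES:
        return None
    cmd = ev.get("cmdline", "").lower()
    if ".jar" not in cmd:
        return None
    parent_ok = _basename(ev.get("parent_image", "")) in DELIVERY_PARENTS
    untrusted_path = any(d in cmd for d in UNTRUSTED_DIRS)
    return "jar_launch_from_delivery_chain" if parent_ok and untrusted_path else None


def c2_indicator(ev: dict):
    """DNS lookups or connections matching the published C2 domain, or a Java process
    talking to one of the published C2 ports."""
    t = ev.get("type")
    if t == "dns" and ev.get("query", "").lower() in C2_DOMAINS:
        return "c2_dns_lookup"
    if t == "network":
        if ev.get("dest_host", "").lower() in C2_DOMAINS:
            return "c2_connection"
        if ev.get("dest_port") in C2_PORTS and _basename(ev.get("image", "")) in JAVA_IMAGES:
            return "java_to_c2_port"
    return None


RULES = (jar_launch_from_delivery_chain, c2_indicator)


def run(lines) -> list:
    """Evaluate every rule against every NDJSON event; return one alert per match."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        for rule in RULES:
            name = rule(ev)
            if name:
                alerts.append({"host": ev.get("host"), "rule": name, "event": ev})
    return alerts


# Constructed telemetry: an infected-looking host (WS-07) and a benign one (WS-02).
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"type": "process", "host": "WS-07",
     "image": "C:\\Program Files\\Java\\jre\\bin\\javaw.exe",
     "parent_image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "cmdline": "\"C:\\Program Files\\Java\\jre\\bin\\javaw.exe\" -jar \"C:\\Users\\ayse\\Downloads\\fatura.jar\""},
    {"type": "dns", "host": "WS-07", "query": "elementsplugin.duckdns.org"},
    {"type": "network", "host": "WS-07", "image": "C:\\Program Files\\Java\\jre\\bin\\javaw.exe",
     "dest_host": "elementsplugin.duckdns.org", "dest_port": 49153},
    {"type": "process", "host": "WS-02",
     "image": "C:\\Program Files\\Java\\jre\\bin\\javaw.exe",
     "parent_image": "C:\\Windows\\explorer.exe",
     "cmdline": "javaw.exe -jar \"C:\\Program Files\\Tool\\tool.jar\""},
    {"type": "network", "host": "WS-02", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "dest_host": "www.example.com", "dest_port": 443},
]]


if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(a["host"], a["rule"])
```

Keying the port rule on a Java process rather than on the port alone keeps it from firing on unrelated traffic that happens to use those destination ports, and the domain rule remains useful even after the IP behind the dynamic DNS name changes.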
Regular, offline backups remain the most effective safeguard against ransomware attacks. In the event of an infection, victims are strongly encouraged to preserve forensic evidence and report incidents to the relevant national CERT or law enforcement agencies before considering any ransom payment. The ongoing evolution of such threats necessitates continuous vigilance and adaptation of security protocols by both individuals and organizations to protect against persistent cybercriminal activities.