A ransomware strain called JanaWare has been quietly targeting citizens and small businesses in Turkey since at least 2020, researchers from Acronis Threat Research Unit (TRU) revealed this week. The malware's most distinctive feature — enforcing geofencing checks that abort execution on any non-Turkish system — kept it almost entirely off the radar of the international cybersecurity community for nearly six years.
The Geofencing Evasion Technique
JanaWare does not execute on any system where the locale, language, or country settings do not match a Turkish environment. Before beginning encryption, the malware performs two independent checks:
- System locale check — Inspects Windows regional settings, system language, and country configuration. If the system is not configured for Turkey, execution halts.
- External IP geolocation — Queries a public IP lookup API and verifies that the returned country code begins with "TR". Even if a sandbox analyst configures a Turkish system locale, the geolocation check will detect that the analysis environment is hosted outside Turkey and abort.
This layered approach serves dual purposes: precise geographic targeting of the intended victim population and near-perfect sandbox evasion — since most automated malware analysis infrastructure is hosted in the US, Europe, or Asia. An international security researcher running JanaWare in a standard sandbox would observe nothing, filing it as a non-executing or benign sample.
Technical Architecture
JanaWare is delivered as a post-compromise plugin to the Adwind RAT — a cross-platform Java-based remote access trojan active since 2013, also known as AlienSpy, Frutas, Unrecom, Sockrat, and JSocket. The name "JanaWare" comes from the "JANAWARE" string the malware uses during its C2 handshake.
Key technical characteristics:
| Feature | Detail |
|---|---|
| Language | Java (cross-platform) |
| Delivery | Adwind RAT plugin post-compromise |
| Obfuscation | Heavy obfuscation, dynamic module loading |
| Polymorphism | Self-modifying binaries — unique hash per infection |
| C2 | Exclusively via Tor |
| Persistence | Registry-based (configurable STARTUP_TYPE) |
| File operations | Encrypt, delete, and exfiltrate files across all drives |
The ransom note uses the filename _ONEMLI_NOT_ — the Turkish phrase for "Important Note" — followed by a randomized suffix, reinforcing the deliberate cultural and geographic targeting.
Why It Stayed Hidden for Six Years
Several factors allowed JanaWare to operate in near-total obscurity:
- Regional focus: Most global threat intelligence focuses on high-volume campaigns targeting English-speaking markets or major economies. Turkey-specific campaigns are underrepresented in telemetry.
- Polymorphic design: Each infection produces a binary with a unique hash, defeating signature-based detection and making cluster analysis harder.
- Tor C2: All command-and-control communications route through Tor, preventing network-based attribution or takedown.
- Small victim pool: Targeting home users and SMBs in a single country limits the probability of an infected machine being submitted to a major threat intelligence platform.
The Acronis TRU researchers note that a sample compiled in November 2025 confirmed active C2 infrastructure, meaning the operation was still running at the time of discovery.
Cybercriminal Ecosystem Fragmentation
The Record's coverage of JanaWare frames it within a broader trend: the fragmentation of the cybercriminal ecosystem. While major Ransomware-as-a-Service (RaaS) groups like LockBit, BlackCat, and Clop dominate headlines, a growing number of smaller, geographically isolated operations are running independently — flying below the detection threshold of international law enforcement and threat intelligence agencies.
These "micro-campaigns" share several characteristics:
- Deliberately narrow geographic targeting to avoid global attention
- Independent development outside major RaaS affiliate programs
- Sustained operations measured in years, not months
- Victims who may lack access to incident response resources comparable to large enterprise targets
File recovery without access to the C2 infrastructure is not feasible for JanaWare victims, as the decryption keys are held server-side and only accessible via the Tor-based C2.
Indicators and Detection
Organizations and endpoint security vendors should update detection rules to cover:
- Java-based payloads that perform locale and external IP geolocation checks before executing
- Adwind/AlienSpy/JSocket RAT variants used as delivery mechanisms
- Tor network connections initiated from Java processes
- Registry modifications consistent with the STARTUP_TYPE persistence mechanism
- Ransom note files matching the pattern _ONEMLI_NOT_*
- C2 beacon handshakes containing "JANAWARE" strings
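The indicator list above, and the two-stage geofencing check described earlier, can be turned into host-side detection logic. The following is an added example (not Acronis TRU's or The Record's code) that scans constructed endpoint telemetry: the event format, the Tor port list, the IP-lookup hostname and the registry locations are assumptions, and the "geofence" rule fires only when the same Java process performs an external IP lookup and then reads the Windows regional settings, the ordering the article describes.

```python
import fnmatch
import json

# Constructed endpoint telemetry (one JSON record per line); not real JanaWare data.
SAMPLE_EVENTS = r"""
{"pid": 4120, "image": "java.exe", "type": "net", "dst": "203.0.113.10", "dport": 443, "host": "ip-api-lookup.example"}
{"pid": 4120, "image": "java.exe", "type": "reg_read", "key": "HKCU\\Control Panel\\International\\LocaleName"}
{"pid": 4120, "image": "java.exe", "type": "net", "dst": "198.51.100.7", "dport": 9050, "payload": "JANAWARE|hello"}
{"pid": 4120, "image": "java.exe", "type": "reg_write", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"}
{"pid": 4120, "image": "java.exe", "type": "file_create", "path": "C:\\Users\\ali\\Desktop\\_ONEMLI_NOT_8f3a.txt"}
{"pid": 777, "image": "chrome.exe", "type": "net", "dst": "93.184.216.34", "dport": 443, "host": "example.com"}
"""

TOR_PORTS = {9001, 9030, 9050, 9150}          # common Tor OR/SOCKS ports (assumption; tune to your network)
IP_LOOKUP_HOSTS = {"ip-api-lookup.example"}   # placeholder; fill from the lookup services seen in telemetry
RUN_KEY = r"\Software\Microsoft\Windows\CurrentVersion\Run"   # classic Run-key persistence location
NOTE_GLOB = "_ONEMLI_NOT_*"                   # ransom note filename pattern from the article


def is_java(ev):
    return ev.get("image", "").lower() in {"java.exe", "javaw.exe"}


def detect(lines):
    """Return (pid, rule) alerts; only Java processes are considered, per the article's indicators."""
    alerts = []
    saw_ip_lookup = set()   # Java pids that already queried a public IP geolocation service
    for line in lines.strip().splitlines():
        ev = json.loads(line)
        if not is_java(ev):
            continue
        pid, kind = ev["pid"], ev["type"]
        if kind == "net":
            if ev.get("host") in IP_LOOKUP_HOSTS:
                saw_ip_lookup.add(pid)
            if ev.get("dport") in TOR_PORTS:
                alerts.append((pid, "java_tor_connection"))
            if "JANAWARE" in ev.get("payload", ""):
                alerts.append((pid, "janaware_handshake"))
        elif kind == "reg_read" and "International" in ev["key"] and pid in saw_ip_lookup:
            alerts.append((pid, "geofence_locale_check"))   # IP lookup followed by locale inspection
        elif kind == "reg_write" and RUN_KEY.lower() in ev["key"].lower():
            alerts.append((pid, "java_run_key_persistence"))
        elif kind == "file_create" and fnmatch.fnmatch(ev["path"].rsplit("\\", 1)[-1], NOTE_GLOB):
            alerts.append((pid, "onemli_not_ransom_note"))
    return alerts


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Any single rule on its own (a Java process on a Tor port, a Run-key write) is noisy in environments that legitimately run Java; correlating two or more of them on the same pid is what makes the alert actionable.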
Turkish organizations in particular should ensure endpoint detection and response (EDR) solutions are deployed and configured to catch Java-based ransomware, which can bypass traditional antivirus solutions that focus on native Windows executables.