A ransomware operation has been quietly targeting Turkish home users and small-to-medium businesses (SMBs) for at least six years, according to researchers who have tracked the campaign from its earliest iterations. The group, operating under the JanaWare ransomware family, has sustained its operation largely by staying beneath the threshold of international media coverage — a calculated strategy that has allowed it to persist far longer than many higher-profile ransomware operations.
Why This Campaign Stayed Under the Radar
Major ransomware incidents involving hospitals, pipelines, and critical infrastructure generate immediate government and media attention. Ransomware campaigns that deliberately stay small — targeting home users, freelancers, and micro-businesses — face far less scrutiny.
JanaWare's operators appear to have understood this dynamic from the start. By setting ransom demands at amounts that individual consumers and small business owners can afford (typically the equivalent of a few hundred to a few thousand USD), the group maximized the share of victims who pay while minimizing the likelihood of triggering law enforcement action or security industry research.
"While enterprise breaches make more headlines, smaller incidents tend to be under-reported, if at all, allowing campaigns to last longer with less disruption." — Dark Reading analysis, April 2026
This approach reflects a pattern increasingly documented in the threat intelligence community: ransomware operators who deliberately avoid targets that would attract attention, instead building a long-term, low-visibility revenue stream from victims who lack the security resources to recover without paying.
Campaign Profile: JanaWare
| Attribute | Detail |
|---|---|
| Active Since | ~2020 (earliest confirmed samples) |
| Primary Targets | Turkish home users, freelancers, micro-businesses, SMBs |
| Geographic Focus | Turkey (domestic victims primarily) |
| Ransom Range | Low-to-mid tier (consumer-accessible amounts) |
| Persistence Mechanism | Scheduled tasks, registry Run keys |
| Delivery Vectors | Phishing emails, cracked software bundles, torrent-distributed fake tools |
| Encryption | AES-256 with RSA-2048 key wrapping |
| Notable TTPs | Turkish-language ransom notes, local payment infrastructure |
Tactics and Delivery
JanaWare samples have been distributed through several channels commonly targeting Turkish internet users:
- Cracked Software and Keygen Sites — A primary distribution vector, particularly for small businesses that routinely use unlicensed copies of productivity software. Installers bundled with JanaWare present as legitimate activation tools for popular applications.
- Phishing with Turkish-Language Lures — Emails impersonating Turkish government agencies, tax authorities (Gelir İdaresi Başkanlığı / GİB), and domestic e-commerce platforms. Attachments are typically macro-enabled Office documents or ISO/ZIP archives.
- Torrent and File-Sharing Networks — Pirated games, utilities, and media files distributed via Turkish-localized file-sharing platforms carry embedded droppers.
Once executed, JanaWare establishes persistence via scheduled tasks and registry Run keys, then enumerates and encrypts files across local and network-mapped drives before displaying a Turkish-language ransom note.
Why SMBs and Home Users Are Vulnerable
The campaign's longevity reflects structural vulnerabilities in the small business and consumer security landscape:
- No dedicated IT security — Home users and micro-businesses rarely have security monitoring tools capable of detecting encryption activity before files are locked
- Irregular or absent backups — Victims without recent offline backups face a genuine choice between paying and losing their data
- Limited incident response resources — Unlike enterprise victims, individuals and SMBs cannot typically engage professional IR firms
- Low reporting rates — Victims often pay quietly, further reducing the visibility of the campaign in official statistics and research data
- Cultural and language barriers — Turkish-language targeting limits the international security community's exposure to victim reports written in Turkish
Broader Ecosystem Context
The JanaWare campaign is not isolated. It reflects a growing segment of the ransomware ecosystem that security researchers describe as the "long tail" of cybercrime: hundreds of lower-profile operations that collectively victimize millions of individuals and small businesses annually but rarely appear in threat intelligence reports focused on high-value enterprise targets.
Aggregate data from European and Turkish CERT organizations suggests that ransomware incidents against home and SMB users across Turkey have increased each year since 2022, though exact figures remain difficult to compile due to under-reporting.
Defensive Guidance
For Turkish home users and SMBs who may be at risk:
- Maintain offline or cloud-backed copies of critical files — Backups that cannot be reached by ransomware (disconnected drives, cloud storage with version history) are the most effective recovery mechanism
- Avoid cracked software and unofficial download sources — A primary distribution vector for JanaWare
- Be skeptical of Turkish-language emails requesting document downloads — Especially those impersonating tax authorities or e-commerce platforms
- Enable Controlled Folder Access (part of Windows Defender) to restrict unauthorized file modifications in protected folders
- Keep operating systems and applications up to date — Ransomware droppers frequently exploit known vulnerabilities in unpatched software
- Use a reputable endpoint security solution with behavioral detection capabilities
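
A read-only audit of the two persistence locations named above (registry Run keys and scheduled tasks), plus a check of the Controlled Folder Access setting, as an added PowerShell example that is not from the original article or the researchers it cites. The user-writable-path heuristic is an assumption for triage, not a JanaWare indicator, so every hit needs manual review.

```powershell
# Added example. Read-only: it lists entries and does not delete or change anything.
# Assumption: autostart commands under user-writable folders deserve a manual look.
$suspect = '\\AppData\\|\\Temp\\|\\Downloads\\|\\Users\\Public\\'

function Test-SuspectCommand([string]$Command) {
    # Expand %VAR% so "%APPDATA%\x.exe" is matched like its full path.
    [Environment]::ExpandEnvironmentVariables($Command) -match $suspect
}

function Get-PersistenceFinding {
    # 1. Registry Run / RunOnce keys, machine-wide and for the current user.
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        $item = Get-Item -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            if (Test-SuspectCommand $cmd) {
                [pscustomobject]@{ Source = 'RunKey'; Location = "$key\$name"; Command = $cmd }
            }
        }
    }
    # 2. Scheduled tasks. Only exec actions have Execute/Arguments; COM handlers do not.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            if (Test-SuspectCommand $cmd) {
                [pscustomobject]@{ Source   = 'ScheduledTask'
                                   Location = "$($task.TaskPath)$($task.TaskName)"
                                   Command  = $cmd }
            }
        }
    }
}

$findings = @(Get-PersistenceFinding)
$findings | Sort-Object Source, Location | Format-List
"{0} autostart entries run from user-writable paths" -f $findings.Count

# 3. Controlled Folder Access state: 0 = disabled, 1 = enabled, 2 = audit mode.
$mp = Get-MpPreference -ErrorAction SilentlyContinue
if ($mp) { "Controlled Folder Access setting: $($mp.EnableControlledFolderAccess)" } else { 'Defender preferences unavailable (another AV product may be active)' }
# To turn it on, from an elevated prompt: Set-MpPreference -EnableControlledFolderAccess Enabled
```

Legitimate software (updaters, chat clients) also autostarts from AppData, so compare hits against what the user knowingly installed before removing anything.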
Reporting Channels
Turkish victims of ransomware should contact:
- Siber Suçlarla Mücadele Dairesi (Turkish National Police Cybercrime Division)
- BTK Bilgi Güvenliği (Information Technologies and Communication Authority)
- USOM (National Cyber Incident Response Center — usom.gov.tr)