Cybercriminals are using a new ransomware strain called JanaWare to target people in Turkey, according to a new report from cybersecurity firm Acronis.

The researchers said the ransomware operation has been ongoing since 2020 and is associated with a strain of malware that enforces execution constraints based on system locale and external IP geolocation — restricting its activity to systems only in Turkey. 

The ransom demands are very low, hovering around $200 to $400, and Acronis said the hackers are likely opting for a low-value, high-volume approach. 

“Despite evidence suggesting the campaign has been active for several years, its regional focus and relatively small-scale operations likely helped it remain largely unnoticed,” the researchers said. “This case demonstrates how targeted, localized ransomware campaigns can quietly persist in the threat landscape.”

Acronis said the ransomware was typically used against home users and small to medium-sized businesses, with most becoming infected through phishing emails that delivered malicious Java archives. 

The attacks begin with a malware strain called Adwind that contains several features that “hinder detection and analysis, including heavy obfuscation,” Acronis said. 

The ransom notes are written in Turkish and victims are urged to contact the hackers through qTox — a free decentralized chat platform that operates over the Tox peer-to-peer network.

Several analyzed incidents began with an email read through Microsoft Outlook. A Google Drive link in the email triggered the launch of a process that led to the download of a malicious file. Acronis shared one victim report found on a popular public forum confirming that their device files were encrypted by JanaWare after opening an email in Outlook. 

The malware checks the victim’s system location, language and country settings — requiring it to match the Turkish language and location. It will proceed only if the system is in Turkey.

Acronis noted that the focus on Turkey also limits the ability of international security researchers to examine the malware and ransomware. They suggested the specific targeting of Turkish residents “suggests the malware is not opportunistic but instead part of a targeted campaign with a defined geographic scope, using location checks both to evade detection and to ensure it operates only in intended environments.”

The ransom note — which is written in Turkish — is embedded directly within the malware, according to Acronis, providing another example proving the campaign is targeted specifically at Turkish residents. 

The Acronis report comes amid warnings from cybersecurity researchers and law enforcement agencies that the ransomware ecosystem is fragmenting following multiple high-profile disruptions of larger ransomware gangs. 

Last week, the FBI said it identified 63 new ransomware variants that caused more than $32 million in losses last year.

A ransomware report published on April 8 by TRM Labs backed that assessment, finding that while ransomware-linked volume on the blockchain fell from $1.9 billion in 2024 to $1.3 billion in 2025, 93 new ransomware variants emerged last year. That represents a 94% increase compared to 2024. 

But TRM Labs found that ransomware activity was expanding beyond Russia and other regions that do not have extradition treaties with the U.S.

"What we saw in 2025 is a ransomware ecosystem that is more fragmented than ever — but that fragmentation is also creating real vulnerabilities," said Ari Redbord, global head of policy at TRM Labs. "The old playbook of brand-level takedowns is less effective against 161 variants — but for the first time, we're seeing operators in reachable jurisdictions, weaker service layers exposed, and a laundering infrastructure that is far more traceable than actors assume."

Redbord added that the intelligence gained from past leaks and seizures has given law enforcement an opportunity to disrupt ransomware gangs “at a scale we haven't seen before.”

"The question for 2026 is whether that window gets used,” Redbord said.