
6-Year Ransomware Campaign Targets Turkish Homes & SMBs

Dark Reading, archived Apr 16, 2026

While enterprise breaches make more headlines, smaller incidents tend to be under-reported, if at all, allowing campaigns to last longer with less disruption.

Nate Nelson, Contributing Writer
April 16, 2026 | 4 Min Read

Researchers have uncovered a low-dollar, high-volume ransomware campaign that may have been quietly running since at least 2020.

So-called "big game hunters" — threat actors who attack the biggest organizations they can find — have no trouble getting their accomplishments splashed onto news websites. You'll hear less about hunting small game because the targets are of less interest to the general public, and the money involved is less enticing.

Both models appear to work in the attackers' favor, though. Bigger ransomware actors benefit from attention, as it allows them to build "brands" based on fear and reliability. And smaller actors are escaping notice, working beyond the gaze of the mainstream cybersecurity community and quietly piling up fortunes from scraps.

A report from Acronis this week documented a cyberattack campaign that seems to have benefitted from fishing in a smaller pond. It's highly localized to Turkey, and its gambit is simple: using modified commercial malware to extort individuals and small or medium-sized businesses (SMBs) for a few hundred dollars a pop, at scale.

"Large enterprise attacks tend to attract media attention and law enforcement pressure, whereas smaller incidents often go unreported, allowing campaigns to persist longer with less disruption," explains Santiago Pontiroli, team lead at Acronis' Threat Research Unit (TRU). And that's far from the only advantage that the smaller model has.

Ransomware Against Turkish SMBs

The phishing flow used for this campaign is hardly that interesting, perhaps because it doesn't have to be. Targets receive an email, follow a link to a cloud-hosted file, and find a malicious Java archive contained therein, and that sequence of steps isn't likely to be interrupted by sophisticated anti-phishing defenses.

The malware at the tail end is a custom variant of Adwind RAT, a nearly-decade-and-a-half-old and many-times-forked Java remote access Trojan (RAT). This variant establishes initial command-and-control (C2) and persistence by registering itself to run on startup, and runs through a series of checks.

Firstly and most strictly, the malware makes sure its victim is located in Turkey, and that their computer's language setting is set to Turkish. This allows the attacker to home in on victims they're most familiar with, and prevent their attacks from leaking into other regions where they might pick up unwanted attention.

After the geofencing checks, the malware attempts to weaken a victim's system by disabling Microsoft Defender and checking for other antivirus software, blocking Windows updates, suppressing security notifications onscreen, and eliminating any means of data recovery.

None of these tricks are particularly novel or sophisticated, but they go a long way against unguarded small targets. "Smaller-scale campaigns can still incorporate advanced techniques, including obfuscation, polymorphism, modular payload delivery, and anonymized communications. JanaWare illustrates that lower-value campaigns can maintain a relatively mature technical foundation while operating at a smaller economic scale," Pontiroli says.

Having set the stage, the modified Adwind RAT pulls out its final payload: a ransomware plug-in called "JanaWare," plus a generic ransom note. The researchers observed ransom demands ranging from $200 to $400.

SMBs: Easy Pickings

That might sound like a pittance in today's ransomware market, but as Pontiroli explains, "It's easier to compromise smaller victims using scalable techniques like phishing, they tend to have weaker defenses, and they're often more likely to pay quickly. Instead of investing heavily in a few large targets, actors can generate steady revenue by hitting many smaller ones with lower ransom demands."

"At the same time, the impact should not be underestimated. Even when targeting smaller entities, there can be downstream effects, particularly if those organizations are part of a supply chain or provide services to others. In that sense, high-volume, low-value ransomware can still create broader disruption despite its relatively modest demands," he says.

It's unclear how many people or businesses might have fallen victim to JanaWare in the past six years, partly because of the very nature of small-scale attacks. Among smaller organizations and individuals, researchers lack the telemetry they enjoy with larger organizations, and most ordinary people in Turkey aren't going to be actively uploading malware samples to VirusTotal.

As a result, Pontiroli argues, the cybersecurity community gets a distorted picture of what the ransomware scene is really like. "A large portion of ransomware activity is actually concentrated on smaller organizations," he says, pointing to Verizon’s 2025 "Data Breach Investigations Report" (DBIR), which found that ransomware is present in 88% of SMB breach incidents, compared to just 39% in larger organizations.

"High-profile enterprise attacks tend to dominate headlines because of their scale, impact, and disclosure requirements, while incidents affecting smaller organizations are often underreported and resolved quietly," Pontiroli explains. "As a result, the public view is skewed toward large cases, even though a significant share of ransomware activity operates at this lower-value, high-volume end of the market."
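The post-geofencing behaviour the article describes (a Java process registering startup persistence, then tampering with Defender, Windows Update and data recovery) lends itself to a simple correlation rule. The following is an added detection example, not code from the article or the Acronis report; the event fields, host names and command-line patterns are assumptions based on commonly documented Windows tampering commands.

```python
import re
from collections import defaultdict

# Assumed command-line patterns for the behaviours the article lists. They are
# widely documented Windows tampering commands, not indicators from the report.
BEHAVIOURS = {
    "startup_persistence": re.compile(
        r"currentversion\\run|\\start menu\\programs\\startup", re.I),
    "defender_tamper": re.compile(
        r"set-mppreference\s.*-disable|disableantispyware", re.I),
    "update_block": re.compile(
        r"sc(\.exe)?\s+config\s+wuauserv\s.*disabled|noautoupdate", re.I),
    "recovery_removal": re.compile(
        r"vssadmin.*delete\s+shadows|recoveryenabled\s+no", re.I),
}
JAVA_PARENT = re.compile(r"(^|\\)javaw?\.exe$", re.I)


def detect(events, min_behaviours=2):
    """Map each host to the behaviour categories spawned by a Java process,
    keeping hosts that show at least `min_behaviours` distinct categories."""
    seen = defaultdict(set)
    for ev in events:
        if not JAVA_PARENT.search(ev["parent"]):
            continue  # only children of java.exe / javaw.exe are correlated
        for name, pattern in BEHAVIOURS.items():
            if pattern.search(ev["cmdline"]):
                seen[ev["host"]].add(name)
    return {h: sorted(b) for h, b in seen.items() if len(b) >= min_behaviours}


# Constructed process-creation events: (host, parent image, child command line).
JAVAW = r"C:\Program Files\Java\jre\bin\javaw.exe"
SAMPLE_EVENTS = [dict(zip(("host", "parent", "cmdline"), row)) for row in [
    ("pc-01", JAVAW, r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /d sample.jar"),
    ("pc-01", JAVAW, "powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("pc-01", JAVAW, "vssadmin delete shadows /all /quiet"),
    # A Java app that only adds an autorun entry stays below the threshold.
    ("pc-02", JAVAW, r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v app /d app.jar"),
    # Admin script, not a Java child: ignored by the parent filter.
    ("pc-03", r"C:\Windows\System32\cmd.exe", "sc config wuauserv start= disabled"),
    ("pc-03", r"C:\Windows\System32\cmd.exe", "powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
]]

if __name__ == "__main__":
    for host, found in detect(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: Java child processes showed {', '.join(found)}")
```

Requiring two or more categories from the same Java parent keeps legitimate Java applications that only add an autorun entry from alerting, which matters on small networks with no analyst to triage noise.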