Six Year Ransomware Campaign Quietly Targets Turkish Homes And Small Businesses Through Low Value Attacks

Researchers have identified a long running ransomware campaign that has been operating with low visibility since at least 2020, primarily targeting individuals and small to medium sized businesses in Turkey. Unlike large scale ransomware operations that focus on major enterprises and often attract significant media and law enforcement attention, this campaign appears to rely on high volume, low value attacks that generate smaller payouts while remaining largely under the radar of the wider cybersecurity community. The findings were documented in a recent report by Acronis, which highlights how less visible cybercrime activity can persist for years with minimal disruption.

The campaign follows a simple but effective attack pattern based on phishing emails that direct victims to cloud hosted files containing malicious Java archives. Once executed, the malware deploys a modified version of the Adwind remote access trojan, a long standing and widely repurposed malware family. This variant establishes persistence on infected systems by configuring itself to run at startup and then performs a series of checks designed to ensure it is operating in its intended environment. A key feature of the malware is its geofencing capability, which verifies that the victim is located in Turkey and that the system language is set to Turkish. This restriction helps the attackers focus exclusively on their intended target region while reducing the likelihood of detection in other jurisdictions.

Once initial checks are complete, the malware attempts to weaken system defenses by disabling Microsoft Defender, scanning for other installed antivirus solutions, blocking Windows update functionality, suppressing security notifications, and eliminating system recovery options. While these techniques are not considered highly advanced, they are effective against less protected systems commonly found among individual users and small businesses. According to researchers, the malware also incorporates obfuscation methods and modular payload delivery mechanisms, indicating a level of technical sophistication despite the relatively low financial scale of the operation. The final stage of the attack involves deploying a ransomware component known as JanaWare along with a generic ransom message, with demands typically ranging between 200 and 400 US dollars per victim.
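The defense-weakening chain described above lends itself to behavioural detection. The following is an added example, not code from Acronis or from the original article: it flags hosts where child processes of a Java runtime show several of those behaviours together. The event fields, the regex patterns (built from common Windows administration commands, since the page lists no indicators) and the threshold are all assumptions.

```python
import re
from collections import defaultdict

# Article behaviour -> command-line pattern. Patterns are assumptions built from
# common Windows admin commands; the report's own indicators are not on this page.
RULES = {
    "defender_disabled": re.compile(r"DisableRealtimeMonitoring|DisableAntiSpyware", re.I),
    "av_discovery": re.compile(r"SecurityCenter2.*AntiVirusProduct", re.I),
    "updates_blocked": re.compile(r"sc(\.exe)?\s+config\s+wuauserv\s+start=\s*disabled", re.I),
    "notifications_suppressed": re.compile(r"Security Center\\Notifications.*DisableNotifications", re.I),
    "recovery_removed": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|recoveryenabled\s+no", re.I),
}
JAVA_PARENT = re.compile(r"(^|\\)javaw?\.exe$", re.I)

def classify(cmdline):
    """Return the set of behaviour categories a command line matches."""
    return {name for name, rx in RULES.items() if rx.search(cmdline)}

def flag_hosts(events, threshold=3):
    """Flag hosts where children of a Java runtime show >= threshold distinct
    defence-weakening behaviours. One hit alone is often legitimate admin work."""
    seen = defaultdict(set)
    for ev in events:
        if JAVA_PARENT.search(ev["parent"]):
            seen[ev["host"]] |= classify(ev["cmdline"])
    return {h: sorted(c) for h, c in seen.items() if len(c) >= threshold}

# Constructed sample events (shape loosely follows process-creation telemetry).
SAMPLE_EVENTS = [
    {"host": "PC-01", "parent": r"C:\Program Files\Java\bin\javaw.exe",
     "cmdline": "powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "PC-01", "parent": r"C:\Program Files\Java\bin\javaw.exe",
     "cmdline": "sc config wuauserv start= disabled"},
    {"host": "PC-01", "parent": r"C:\Program Files\Java\bin\javaw.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "PC-02", "parent": r"C:\Windows\System32\cmd.exe",  # admin shell, not Java
     "cmdline": "sc config wuauserv start= disabled"},
    {"host": "PC-03", "parent": r"C:\Program Files\Java\bin\java.exe",
     "cmdline": r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"},
]

if __name__ == "__main__":
    for host, cats in flag_hosts(SAMPLE_EVENTS).items():
        print(host, cats)
```

Requiring several distinct behaviours from the same Java parent keeps routine single actions, such as an administrator disabling a service from a shell, out of the results.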

Security researchers from Acronis noted that the campaign demonstrates how attackers can generate consistent revenue by targeting large numbers of smaller victims rather than focusing on high value enterprise environments. Santiago Pontiroli, team lead at the Acronis Threat Research Unit, explained that smaller organizations are often easier to compromise due to weaker security controls and are more likely to comply with ransom demands quickly. He added that while individual ransom amounts are low, the scale of operations can still result in meaningful financial gain for threat actors over time. The approach also reduces exposure to law enforcement scrutiny, allowing such campaigns to persist over extended periods without significant interruption.

The broader implications of the campaign extend beyond individual victims, as even small scale ransomware incidents can create downstream risks within supply chains and service networks. Security analysts emphasize that the cumulative impact of high volume attacks should not be underestimated, particularly when small businesses form part of larger operational ecosystems. Research referenced in the report, including findings from Verizon’s 2025 Data Breach Investigations Report, indicates that ransomware is present in a significantly higher proportion of small and medium business breaches compared to larger organizations. However, these incidents are often underreported or resolved quietly, contributing to a skewed public perception of ransomware activity that disproportionately highlights large enterprise attacks while underrepresenting smaller but more widespread campaigns.
