JanaWare Ransomware Targets Turkey Using Adwind RAT

Severity: High (Score: 69.5)

Sources: Acronis, Scworld, Therecord.Media, Socprime, Cybersecuritynews

Summary

The JanaWare ransomware campaign has emerged, targeting users in Turkey through a customized variant of the Adwind RAT. The malware is distributed via phishing emails containing malicious JAR files, which, when executed, encrypt user data and display ransom notes in Turkish. The campaign has been active since around 2020, primarily affecting small to medium-sized businesses rather than large enterprises. Ransom demands range from $200 to $400, indicating a low-value, high-volume attack strategy. JanaWare employs advanced obfuscation techniques and geofencing to restrict its operations to Turkish systems, which helps it evade detection. The malware disables security features like Microsoft Defender and deletes shadow copies before initiating encryption. Researchers have identified the use of multiple obfuscators, including Stringer and Allatori, to complicate static analysis. Victims are instructed to communicate with attackers through secure channels like qTox or Tor-based sites. The campaign's persistence and regional focus underscore its potential threat to Turkish cybersecurity.

Key Points

  • JanaWare ransomware targets Turkish users via phishing emails with malicious JAR attachments.
  • The malware employs advanced obfuscation and geofencing to restrict operations to Turkey.
  • Ransom demands range from $200 to $400, indicating a strategy focused on quick, local payouts.
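As an added example (not code from the page or from any of the cited sources), the following Python scans process-creation events for the two pre-encryption behaviours the summary attributes to JanaWare: shadow-copy deletion and Microsoft Defender tampering. It also flags findings whose parent process is a Java runtime, since the page describes a JAR-delivered, Adwind-derived payload. The event format, the sample command lines and the Java parent path are constructed assumptions; the page publishes no JanaWare command lines or indicators, so the patterns are generic ones shared by many ransomware families rather than JanaWare-specific signatures.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (not from the page):
# (timestamp, parent image, command line). The Java parent path and the
# command lines are assumptions used only to exercise the detection logic.
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:01", r"C:\Program Files\Java\jre\bin\javaw.exe",
     r"vssadmin.exe delete shadows /all /quiet"),
    ("2024-01-01T10:00:02", r"C:\Program Files\Java\jre\bin\javaw.exe",
     r"powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("2024-01-01T10:00:03", r"C:\Windows\explorer.exe",
     r"notepad.exe C:\Users\user\notes.txt"),
    ("2024-01-01T10:00:04", r"C:\Windows\explorer.exe",
     r"wmic.exe shadowcopy delete"),
]

# Generic shadow-copy deletion command lines (vssadmin, wmic, WMI via PowerShell).
SHADOW_COPY_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Get-WmiObject\s+Win32_Shadowcopy.*Delete", re.I),
]

# Generic Defender tampering via the Defender PowerShell cmdlets.
DEFENDER_PATTERNS = [
    re.compile(r"Set-MpPreference\s+.*-Disable\w+", re.I),
    re.compile(r"Add-MpPreference\s+.*-ExclusionPath", re.I),
]

# A Java runtime as parent is consistent with a JAR-delivered dropper.
JAVA_PARENT = re.compile(r"\\javaw?\.exe$", re.I)


@dataclass
class Finding:
    timestamp: str
    category: str
    java_parent: bool
    command_line: str


def classify(parent_image, command_line):
    """Return the behaviour category for one event, or None if benign."""
    if any(p.search(command_line) for p in SHADOW_COPY_PATTERNS):
        return "shadow_copy_deletion"
    if any(p.search(command_line) for p in DEFENDER_PATTERNS):
        return "defender_tampering"
    return None


def scan(events):
    """Run every event through classify() and keep the suspicious ones."""
    findings = []
    for ts, parent, cmd in events:
        category = classify(parent, cmd)
        if category:
            findings.append(
                Finding(ts, category, bool(JAVA_PARENT.search(parent)), cmd))
    return findings


def high_confidence(findings):
    """Findings spawned by a Java runtime: the combination of a Java parent
    and pre-encryption tampering is a stronger signal than either alone."""
    return [f for f in findings if f.java_parent]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.timestamp, f.category, "java-parent" if f.java_parent else "",
              f.command_line)
```

In practice the events would come from Sysmon event ID 1 or Windows Security event 4688 with command-line auditing enabled; the `high_confidence` filter is a triage aid, not a reason to ignore the other hits, since the same commands launched from any parent still warrant a look.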

Key Entities

  • Malware (attack_type)
  • Phishing (attack_type)
  • Ransomware (attack_type)
  • Turkey (country)
  • elementsplugin.duckdns.org (domain)
  • Adwind (malware)
  • Adwind RAT (malware)
  • T1027 - Obfuscated Files Or Information (mitre_attack)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1059.001 - PowerShell (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • T1218.001 - Compiled HTML File (mitre_attack)
  • Chrome (tool)
  • Google Drive (tool)
  • QTox (tool)
  • Allatori (tool)
  • PowerShell (tool)
  • Java (platform)
  • Windows (platform)
  • Tor (platform)
  • Tor Browser (platform)
  • Outlook (company)
  • JanaWare (ransomware_group)