6-Year Turkish Ransomware Run Proves Small Game Pays
Six years is an eternity in security operations. Most ransomware groups don't last six months before law enforcement kicks down their doors. Yet someone has been hitting Turkish small businesses and homes with $200-400 ransom demands since 2020, and nobody noticed until this week.
The numbers tell a story every platform lead needs to hear: according to Dark Reading, Verizon's 2025 Data Breach Investigations Report found ransomware in 88% of SMB breach incidents, versus just 39% at larger organizations. That's not a typo. Small businesses are getting hammered at more than twice the rate of enterprises, while security vendors keep pitching tools designed for Fortune 500 SOCs.
The Numbers
Let's talk about what six years of undetected operation means. Most ransomware operations measure their lifespan in quarters, not half-decades. REvil lasted two years. DarkSide got three months before Colonial Pipeline made them too hot. This Turkish operation has outlasted them all by staying boring.
The ransom demands range from $200 to $400 per victim. At first glance, that seems like pocket change in an era of eight-figure ransoms. But run the math on volume. Hit 100 targets a month at $300 average, and you're pulling $360,000 annually. That's sustainable revenue with zero media attention and minimal law enforcement interest.
The malware itself is a custom variant of Adwind RAT, a Java-based remote access tool that's been kicking around since 2012. No zero-days. No nation-state sophistication. Just commercial malware with a ransomware plugin called "JanaWare" bolted on. The operation checks for Turkish language settings and IP geolocation before executing, keeping the blast radius intentionally small.
My take: this is what sustainable cybercrime looks like. Not the splashy breaches that make headlines, but the grinding, methodical extraction of value from soft targets. Santiago Pontiroli from Acronis' Threat Research Unit nailed it: "Large enterprise attacks tend to attract media attention and law enforcement pressure, whereas smaller incidents often go unreported."
The technical stack reflects this philosophy. The malware disables Microsoft Defender, blocks Windows updates, suppresses security notifications, and eliminates recovery options. Standard playbook stuff that works because most SMBs run default configurations. No need for sophisticated evasion when your targets don't have EDR.
That 88% SMB breach rate containing ransomware versus 39% for large organizations isn't just a statistic. It's an indictment of how we've built the security industry. We've optimized for protecting the top 5% of organizations while leaving the other 95% to fend for themselves with consumer-grade antivirus and crossed fingers.
What's Actually New
The novelty isn't in the malware. Adwind RAT variants have been recycled more times than I've seen MongoDB clusters exposed to the internet. What's new is the proof that small-game hunting works at scale when you commit to it.
Previous assumptions held that ransomware economics pushed operators toward bigger targets. Why collect $300 ransoms when you could demand $3 million? This campaign proves the opposite strategy has legs. Pontiroli explains it well: "It's easier to compromise smaller victims using scalable techniques like phishing, they tend to have weaker defenses, and they're often more likely to pay quickly."
The geographic focus represents another departure from standard ransomware operations. Most groups cast wide nets, using affiliate models to hit targets globally. This operation strictly targets Turkey, checking both IP location and system language settings before deploying. That's not a technical limitation; it's operational discipline.
The uncomfortable read: this campaign succeeded precisely because it avoided innovation. While security vendors chase AI-powered threats and zero-day exploits, someone proved you can run a six-year operation with 14-year-old malware if you pick your targets correctly. That should terrify every CISO who's been focusing on advanced persistent threats while ignoring basic hygiene.
The persistence mechanism alone tells the story. The malware simply registers itself to run on startup. No rootkit. No firmware implants. Just adding itself to the Windows registry like it's 2010. And it worked for six years because SMBs don't have security teams checking autoruns.
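The controls the article says this malware tampers with (Defender, Windows Update, security notifications, recovery options) and the Run-key persistence it relies on are all things an SMB can audit with built-in tooling. The script below is an added example written for this page, not code from the article, Acronis or the Adwind/JanaWare analysis; it assumes an elevated PowerShell 5.1+ session on Windows 10/11, and the "launches Java" heuristic is an assumption drawn only from the fact that the RAT is Java-based, not a signature for this campaign.

```powershell
# Added example: audit the hardening state and autoruns an SMB should be checking.
# Assumptions (labelled): run elevated on Windows 10/11 PowerShell 5.1+; the Java
# heuristic is a review aid, not a detection signature for any specific malware.

$findings = New-Object System.Collections.Generic.List[string]
function Add-Finding([string]$msg) { $findings.Add($msg) }

# --- 1. Microsoft Defender state ---------------------------------------------
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.RealTimeProtectionEnabled) { Add-Finding "Defender real-time protection is OFF" }
    if (-not $mp.AntivirusEnabled)          { Add-Finding "Defender antivirus engine is disabled" }
    if (-not $mp.IsTamperProtected)         { Add-Finding "Defender tamper protection is OFF" }
} catch {
    Add-Finding "Defender cmdlets unavailable (service missing or stopped): $($_.Exception.Message)"
}
$defPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$das = (Get-ItemProperty -Path $defPolicy -Name DisableAntiSpyware -ErrorAction SilentlyContinue).DisableAntiSpyware
if ($das -eq 1) { Add-Finding "Policy DisableAntiSpyware=1 set under $defPolicy" }

# --- 2. Windows Update --------------------------------------------------------
$wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if ($null -eq $wu)                    { Add-Finding "Windows Update service (wuauserv) not found" }
elseif ($wu.StartType -eq 'Disabled') { Add-Finding "Windows Update service (wuauserv) is Disabled" }
$auPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$nau = (Get-ItemProperty -Path $auPolicy -Name NoAutoUpdate -ErrorAction SilentlyContinue).NoAutoUpdate
if ($nau -eq 1) { Add-Finding "Policy NoAutoUpdate=1 set under $auPolicy" }

# --- 3. Security Center notifications -----------------------------------------
$notifKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications',
    'HKLM:\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications'
)
foreach ($k in $notifKeys) {
    $dn = (Get-ItemProperty -Path $k -Name DisableNotifications -ErrorAction SilentlyContinue).DisableNotifications
    if ($dn -eq 1) { Add-Finding "Security Center notifications suppressed via $k" }
}

# --- 4. Recovery options ------------------------------------------------------
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
if (-not $shadows) { Add-Finding "No Volume Shadow Copies present (previous versions / restore points unavailable)" }
# '{current}' must be quoted in PowerShell or the braces are parsed as a script block.
$bcd = (bcdedit /enum '{current}' 2>$null) -join "`n"
if ($bcd -match 'recoveryenabled\s+No') { Add-Finding "Windows Recovery Environment disabled in BCD (recoveryenabled No)" }

# --- 5. Autoruns: Run/RunOnce keys and Startup folders ------------------------
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Heuristic (assumption): a Java-based RAT needs java/javaw or a .jar at startup.
$javaPattern = '(?i)\b(java|javaw)(\.exe)?\b|\.jar\b'
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... provider noise
        $line = "$k\$($p.Name) = $($p.Value)"
        if ($p.Value -match $javaPattern) { Add-Finding "Autorun launches Java: $line" }
        elseif ($p.Value -match '(?i)\\(AppData|Temp|ProgramData)\\') { Add-Finding "Autorun from user-writable path: $line" }
    }
}
foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.Name -match $javaPattern) { Add-Finding "Startup folder item runs Java: $($_.FullName)" }
        else                             { Add-Finding "Startup folder item (review): $($_.FullName)" }
    }
}

# --- Report -------------------------------------------------------------------
if ($findings.Count -eq 0) { Write-Host "No findings." }
else { $findings | ForEach-Object { Write-Host "[!] $_" } }
```

Run it on a clean build first to learn what "normal" looks like for your image, then schedule it (or feed the output into whatever ticketing or logging you already have); the value is in the diff between runs, since a Run key or a flipped policy value that was not there last week is exactly the kind of change the article says nobody at an SMB is watching for.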
What's Priced In for Security Teams
Security teams at major enterprises already know SMBs are soft targets. That's been conventional wisdom since forever. What's not priced in is the scale and sustainability of focusing exclusively on that market segment.
Most threat models assume attackers graduate from small targets to large ones as they mature. This campaign spent six years doing the opposite. They found a profitable niche and stayed there, invisible to threat intelligence feeds that focus on big game hunters.
The use of Java-based malware was predictable. Cross-platform compatibility matters when you're hitting diverse SMB environments. What wasn't predictable was someone running the same basic toolkit for six years without feature creep. Most malware authors can't resist adding capabilities. This group maintained discipline.
Supply chain risk is the aspect nobody's talking about. Pontiroli hints at it: "Even when targeting smaller entities, there can be downstream effects, particularly if those organizations are part of a supply chain or provide services to others." Every enterprise has dozens of small vendors with VPN access. How many are running Turkish-language Windows with disabled updates?
Contrarian View
Here's what everyone's missing: maybe this isn't about SMBs being easy targets. Maybe it's about enterprises being impossible ones.
The cost to breach a properly defended enterprise has skyrocketed. EDR, SIEM, SOC teams, threat hunting, zero trust architectures. The defensive stack at a Fortune 500 would have spotted this Adwind variant in minutes. The economics don't work anymore unless you're nation-state funded or hitting cyber insurance jackpots.
This Turkish operation might represent the future of ransomware: sustainable, boring, profitable. Like email spam, it works at volume with tiny margins. The industry keeps preparing for Stuxnet 2.0 while missing that cybercrime is becoming a volume business.
The six-year run might also be overstated. Acronis says the campaign "may have been quietly running since at least 2020." That's hedged language. We might be looking at multiple operations using similar tools, not one persistent actor. The Turkish focus could be coincidental clustering, not strategic choice.
Key Takeaways
- Volume beats value: $200-400 ransoms across hundreds of SMBs generated sustainable revenue for 6 years without attracting law enforcement attention
- 88% of SMB breaches involve ransomware versus 39% at large enterprises (Verizon 2025 DBIR). Your supply chain vendors are almost certainly compromised
- Geographic focus works: Limiting targets to Turkey only avoided international attention and complicated attribution
- Boring malware persists: 14-year-old Adwind RAT variants still work against organizations without security teams
- The security industry has an SMB problem: Tools and threat intelligence focus on enterprise threats while 95% of businesses run Windows Defender and hope
For security teams, the message is clear: audit your supply chain's smallest vendors first. For SMBs reading this: if you're running default Windows security settings, you're already compromised. You just don't know it yet.
Frequently Asked Questions
Q: Why did this ransomware campaign last 6 years without detection?
The operation targeted Turkish SMBs with low ransom demands ($200-400), avoiding media attention and law enforcement pressure that comes with high-profile enterprise attacks. Small incidents often go unreported, allowing quiet operations to persist.
Q: What makes Adwind RAT effective against SMBs despite being 14 years old?
SMBs typically run default security configurations without EDR or dedicated security teams. The malware's basic tactics (disabling Windows Defender, blocking updates, eliminating recovery options) work because there's no security team checking autoruns or monitoring for suspicious behavior.
Q: How significant is the 88% ransomware rate in SMB breaches?
It's more than double the 39% rate at large enterprises, showing that SMBs face disproportionate ransomware risk. This represents thousands of supply chain vendors with potential access to enterprise systems, creating cascading risk most organizations haven't properly assessed.