No, Interpol isn’t Investigating You: That ‘Evidence’ is Ransomware

Bitdefender researchers say the malware is unsophisticated. The social engineering isn’t.

A rapidly spreading phishing campaign is impersonating Interpol to push ransomware onto small businesses, according to security professionals.

Bitdefender, in a report released Wednesday, documents how crooks are impersonating Interpol investigators and luring recipients to a password-protected Proton Drive archive — with the password conveniently included in the same email. Open the file, and instead of the promised “video evidence,” victims get ransomware.

“Bitdefender Antispam researchers have uncovered a phishing campaign targeting small businesses across Europe, Asia, the Middle East, and the United States with fake investigation emails impersonating law enforcement officials,” the company said. “The messages claim to contain evidence of suspicious company activity, but there’s a catch: The attached ‘evidence’ is actually ransomware.”

According to Bitdefender researchers Viorel Vrabie and Andrei Mogage, the fake video file hides ransomware under multiple archive layers. Once executed, the malware encrypts files across available drives and directs victims to negotiate a payout over the end-to-end encrypted messaging protocol Tox.
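As an added illustration (not Bitdefender's detection logic or code from the article), a mail-gateway triage heuristic keyed to the lure traits described above: law-enforcement impersonation, an external file-share link, and the archive password supplied in the same message. The sample messages are constructed, and the link pattern and keyword lists are assumptions.

```python
"""Heuristic triage of inbound mail against the fake-investigation lure pattern."""
import re

# Indicator patterns drawn from the lure traits described in the report.
LAW_ENFORCEMENT = re.compile(r"\b(interpol|investigat\w*|law enforcement)\b", re.I)
EVIDENCE_URGENCY = re.compile(r"\b(evidence|video material|as soon as possible)\b", re.I)
# Assumed file-share link shape; real hosts and paths may differ.
SHARE_LINK = re.compile(r"https?://\S*proton\.me/\S+", re.I)
# The archive password handed over in the same message body.
INLINE_PASSWORD = re.compile(r"\bpassword\s*(?:is|:|=)\s*\S+", re.I)
ARCHIVE_HINT = re.compile(r"\.(zip|rar|7z)\b", re.I)


def triage(subject: str, body: str) -> dict:
    """Return the matched indicators, a score, and a deliver/quarantine verdict."""
    text = f"{subject}\n{body}"
    hits = {
        "impersonates_law_enforcement": bool(LAW_ENFORCEMENT.search(text)),
        "evidence_urgency": bool(EVIDENCE_URGENCY.search(text)),
        "external_share_link": bool(SHARE_LINK.search(text)),
        "password_in_same_email": bool(INLINE_PASSWORD.search(text)),
        "archive_mentioned": bool(ARCHIVE_HINT.search(text)),
    }
    score = sum(hits.values())
    # A share link plus its password in the same mail is the strongest signal:
    # a genuine sender would not pre-supply the unlock password this way.
    link_and_password = hits["external_share_link"] and hits["password_in_same_email"]
    verdict = "quarantine" if score >= 3 or link_and_password else "deliver"
    return {"score": score, "verdict": verdict, "hits": hits}


# Constructed samples for illustration only.
LURE_SUBJECT = "Interpol investigation: evidence regarding your company"
LURE_BODY = (
    "Our investigators have obtained video material related to your organization. "
    "Review the evidence as soon as possible: https://drive.proton.me/urls/EXAMPLE "
    "Archive password: Evidence2024"
)
BENIGN_SUBJECT = "Q3 budget review"
BENIGN_BODY = "Attached is the budget spreadsheet. Let me know if you have questions by Friday."

if __name__ == "__main__":
    for subj, body in ((LURE_SUBJECT, LURE_BODY), (BENIGN_SUBJECT, BENIGN_BODY)):
        print(subj, "->", triage(subj, body))
```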

Researchers say no ransom amount is specified upfront, which is a deliberate omission.

Most established ransomware-as-a-service operations route victims to a dedicated negotiation portal on the dark web, complete with payment instructions. This campaign skips the portal entirely and hands victims a bare Tox chat ID — a contrast to the insider-fed negotiation scheme that recently landed a Land O’Lakes man a guilty plea for feeding real ransomware negotiators’ data to BlackCat.

That negotiate-first posture isn’t unique to this campaign, either. It’s become common across ransomware operators broadly, similar to the extortion-without-encryption approach FulcrumSec used against Novo Nordisk. Rather than fixing a payout amount and risking the target walking away, attackers size up a victim first, establishing company size, perceived data value, and ability to pay before establishing a ransomware price.

“This approach has become increasingly common among ransomware operators. Rather than demanding the same amount from every victim, attackers often prefer to negotiate after establishing contact,” Vrabie and Mogage wrote.

The researchers also found a hardcoded password used for both encrypting and decrypting files. A static, one-size-fits-all key baked directly into the malware, rather than the per-victim keys professional ransomware operations typically generate, suggests a lack of sophistication.

Taken together, researchers say the malware was likely custom-built or cobbled from public tools — not the product of an established gang. In other words, this isn’t SolarWinds.

However, Bitdefender warns simple code doesn’t mean a simple threat.

Researchers tracked victims across Europe, Asia, the Middle East, and the United States, in industries including food and agriculture, legal services, pharmaceuticals, media, technology, and finance. Small businesses are disproportionate targets for a simple reason: many run without dedicated IT or security staff. This is the same gap driving MSPs to court SMBs with cheaper virtual firewalls.

“Recipients are told that investigators have obtained information and video material related to their organization and are encouraged to review the evidence as soon as possible,” researchers wrote. “The message is carefully crafted to create anxiety. Nobody wants to receive an email suggesting their company may be involved in suspicious or fraudulent activity or under investigation.”

Bitdefender’s advice for anyone who’s already opened the file is to disconnect the device in question from the network, run a full security scan, notify IT, and change passwords for business email, cloud storage, and financial accounts from a clean device.

Legitimate law enforcement agencies don’t email password-protected archives and ask companies to self-investigate, Bitdefender reminds readers. Verify any message claiming otherwise through official channels before opening anything.

Author

  • Shaun Nichols

    Shaun Nichols, Senior Editor at Security Point Break, is a veteran cybersecurity journalist who has spent nearly two decades covering the enterprise tech market—from the era of hard-drive iPods to the rise of Agentic AI. Formerly of The Register and TechTarget, Shaun is known for his sharp wit and deep technical dives into malware, ransomware, and the intersection of government policy and security. Follow him on X: @shaundnichols
