Ransomware Campaign Uses Fake Interpol Notices to Target Small Businesses

Related

JadePuffer Signals a New Era of AI-Driven Ransomware

What happened Researchers at Sysdig have documented what they describe...

JadePuffer Ransomware Used AI Agent to Automate Entire Attack

What happened Researchers from Sysdig identified what they believe is...

Europe Becomes a Growing Ransomware Hotspot as Attacks Surge

What happened Ransomware activity is rising sharply across Europe, according...

Share

What happened

An emerging ransomware campaign is targeting small businesses with phishing emails that impersonate Interpol. The fake notices claim the recipient’s organization is under investigation for suspicious activity and that investigators have obtained information and video evidence tied to alleged criminal conduct. The lure is designed to create urgency and push the victim into opening files that appear to contain evidence.

The campaign has targeted organizations across multiple sectors, including pharmaceuticals, food, agriculture, technology, media, and legal services. Victims have been observed in the United States, Europe, Asia, and the Middle East. Bitdefender said the activity shows how relatively simple malware can still become a serious threat when paired with convincing social engineering.

The phishing emails direct victims to download a password-protected Proton Drive archive. If opened, the archive delivers ransomware disguised as a benign video file. The ransomware encrypts local systems and instructs victims to contact the attackers through the Tox peer-to-peer messaging platform to negotiate payment.

Bitdefender described the payload as rudimentary but effective. The code includes hardcoded values, including the password used for encryption and decryption, and lacks many features associated with larger ransomware operations. The campaign also does not use a fixed ransom amount. Instead, negotiations begin only after the victim contacts the attackers, allowing the operators to tailor demands based on the organization’s size and perceived ability to pay.

Who is affected

Small businesses are the primary targets, especially organizations that may not have dedicated IT or cybersecurity teams, formal incident response procedures, or regular security awareness training.

The campaign has affected multiple industries, including pharmaceuticals, food, agriculture, technology, media, and legal services. Organizations in the United States, Europe, Asia, and the Middle East have been targeted.

Employees who may believe an unexpected law enforcement or regulatory notice is legitimate are also exposed, particularly in businesses that handle compliance-sensitive work or operate with limited internal security support.

Why CISOs should care

This campaign reinforces that small businesses are not too small for ransomware. Attackers can use simple malware and basic social engineering to create meaningful disruption when victims lack mature security controls or incident response processes.

The Interpol lure is important because it abuses fear, urgency, and perceived legal authority. Employees may be more likely to open a file if they believe the organization is under investigation or that evidence must be reviewed quickly.

The use of password-protected archives and Proton Drive also matters. Password-protected files can limit scanning by email gateways, while cloud-hosted delivery can make the link appear less suspicious than a direct malware attachment.

For CISOs, the tailored ransom model is another warning. Attackers do not need to set a fixed price upfront. They can wait for contact, assess the victim, and adjust demands based on perceived ability to pay.

3 practical actions

  1. Train employees on law enforcement impersonation lures: The campaign uses fake Interpol notices claiming the organization is under investigation. Security awareness should cover urgent legal, regulatory, police, and fraud-themed messages that pressure users to download evidence files.
  2. Restrict password-protected archives from external senders: The ransomware is delivered through a password-protected Proton Drive archive. Security teams should inspect or quarantine encrypted archives, especially when paired with cloud links and urgent investigation-themed messages.
  3. Prepare small-business ransomware response playbooks: Many small businesses lack formal incident response procedures. Organizations should define who to contact, how to isolate affected systems, how to restore from backups, and how to handle ransom communications before an incident occurs.

Learn more about recent ransomware attacks:

IMG 0514 2
+ posts

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.