
Threat actors impersonate Interpol to trick small businesses into launching ransomware disguised as evidence in a fake cybercrime investigation.
The campaign has targeted organizations across Europe, Asia, the Middle East, and the United States, relying on convincing social engineering rather than sophisticated malware.
The campaign was discovered by Bitdefender's Antispam Lab, which found attackers distributing emails claiming to originate from Interpol's cybercrime investigation unit. The messages allege that investigators have obtained evidence related to suspicious activity involving the recipient's organization and urge victims to review the material immediately.
Instead of attaching the alleged evidence directly, the emails direct recipients to a Proton Drive-hosted password-protected archive. The archive's password is conveniently included in the phishing message, making the request appear legitimate while lowering the victim's suspicion. Once extracted, the archive appears to contain a video file documenting the investigation, but the supposed media file is actually a Windows executable designed to infect the victim's system.
Once launched, the malware extracts its payload through multiple archive layers before beginning to encrypt files across available drives. Victims are then presented with a ransom note stating that their files have been encrypted and can only be recovered with a decryption key. Rather than specifying a ransom amount, however, the note instructs victims to contact the operators through the encrypted messaging platform Tox to negotiate payment.
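A defender-side check for the lure described above, as an added example rather than Bitdefender's tooling or anything from the campaign itself: it inspects extracted archive contents and flags files that are named like a video but carry a Windows PE header, catching double extensions such as evidence.mp4.exe as well. The file names and bytes below are constructed for the example.

```python
import struct
from pathlib import Path
from typing import Iterable, List, Tuple

# Extensions a fake "investigation video" would plausibly carry.
MEDIA_EXTENSIONS = {".mp4", ".avi", ".mkv", ".mov", ".wmv", ".mp3", ".wav"}


def is_pe_executable(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' stub whose e_lfanew points at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew, little-endian
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def looks_like_media(name: str) -> bool:
    """True if any extension in the name is media-like, so evidence.mp4.exe
    (shown as evidence.mp4 when Explorer hides known extensions) is caught too."""
    return any(s.lower() in MEDIA_EXTENSIONS for s in Path(name).suffixes)


def flag_disguised_executables(files: Iterable[Tuple[str, bytes]]) -> List[str]:
    """Names of files that are media by name but Windows executables by content."""
    return [name for name, data in files
            if looks_like_media(name) and is_pe_executable(data)]


def fake_pe() -> bytes:
    """Constructed minimal PE-shaped blob (not a real program): MZ header,
    e_lfanew = 0x40, then the PE signature. Used only as sample input."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


# Constructed stand-in for the extracted archive contents described in the article.
SAMPLE_FILES = [
    ("Interpol_evidence.mp4.exe", fake_pe()),
    ("interview.mp4", b"\x00\x00\x00\x18ftypisom" + b"\x00" * 32),  # genuine MP4 'ftyp' box
    ("readme.txt", b"open the video"),
]

if __name__ == "__main__":
    for name in flag_disguised_executables(SAMPLE_FILES):
        print(f"SUSPICIOUS: {name} is named like media but contains a PE executable")
```

Run it over a directory listing by replacing SAMPLE_FILES with (name, first 4 KiB of each file) pairs; only the header bytes are needed for the check.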
The researchers noted several characteristics suggesting this is not the work of an established ransomware-as-a-service (RaaS) operation. The malware lacks many of the advanced features commonly found in mature ransomware families, contains hardcoded encryption-related values, and does not direct victims to a dedicated Tor-based negotiation portal. Instead, the attackers simply provide a Tox chat ID, indicating the ransomware was likely custom-built or assembled using publicly available code rather than developed by a major ransomware gang.
Despite its relatively simple design, the malware can still cause significant disruption. Bitdefender observed the operation targeting organizations in multiple sectors, including food and agriculture, legal services, pharmaceuticals, media, finance, and technology. Small businesses appear to be the primary focus, as many lack dedicated cybersecurity personnel and formal procedures for verifying unexpected communications from authorities.
Users should keep in mind that legitimate law enforcement agencies do not send unsolicited emails asking recipients to download password-protected archives from Proton Drive containing evidence of criminal investigations. Organizations receiving such messages should independently verify their authenticity using official contact information before opening attachments or downloading files.
Bitdefender recommends that businesses immediately disconnect any system that may have executed malware, perform a full security scan, notify their IT administrator or managed service provider, change important account passwords on a clean device if credential theft is suspected, and report the phishing attempt to both their email provider and the relevant cybersecurity authorities.