
Fake Interpol Emails Push Ransomware at Small Businesses

A ransomware campaign disguised as an Interpol fraud investigation is targeting small businesses across Europe, Asia, the Middle East, and the US. The email links to a password-protected archive that hides an executable disguised as video evidence, and once it runs, it encrypts local files. The one piece of good news: researchers found the decryption password baked into the malware itself.

By SecureBusinessHub Editorial, International cybersecurity desk

Small businesses in six industries are getting emails that claim to be from Interpol's Cybercrime Investigation Unit. They aren't.

The Lure

The email uses formal language and an urgent subject line, telling the recipient that investigators have obtained video evidence connected to their company's accounts or systems. It links to a Proton Drive file, a password-protected archive named archive.rar, with the password included right in the email. That's deliberate: a mail gateway cannot open an encrypted archive, so its scanners see only an opaque blob and never get a look at the payload. Only the human recipient, who has the password in front of them, can.

Inside, nested archives hide what looks like a video file. It isn't. Bitdefender's Antispam Lab found the real payload is an executable disguised as media, buried several archive layers deep. Routing the lure through Proton Drive is its own small piece of tradecraft: a link to a well-known, legitimate storage service reads as more trustworthy than an attachment, and it slips past filters built to flag executables coming through email directly.

What Happens Next

Run it, and the malware encrypts files on any available drive, then shows a ransom note warning against deleting, moving, or scanning anything. Instead of a dark-web payment portal, victims get a Tox chat ID and are told to make contact. There's no listed price; the attackers negotiate per victim based on the business and the value of its data.

Bitdefender's report, shared ahead of publication, notes the malware's code contains hardcoded values, including the password used for both encryption and decryption. Because the same secret does both jobs and ships inside the binary, anyone who extracts it from a sample can reverse the encryption without the attackers' cooperation. The malware also lacks many of the features seen in major ransomware operations. Researchers read the contact method itself as a signal: large ransomware-as-a-service groups run dedicated dark-web negotiation portals with case numbers and countdown timers, while this operation runs on a single messaging ID with no infrastructure to speak of.

  • The malware is custom-built, not a known ransomware family, and Bitdefender found the encryption password hardcoded in its own code, meaning recovery without paying is technically possible with the right analysis
  • The lack of a dedicated victim portal and reliance on a single Tox contact suggests a small operation, not an industrialised ransomware-as-a-service group

Who's Being Targeted

Bitdefender has observed targets in food and agriculture, legal services, pharmaceuticals, media, technology, and finance, spread across Europe, Asia, the Middle East, and the United States. Small businesses are attractive here for an ordinary reason: many don't have full-time IT or security staff, and a message that looks like it's from international law enforcement is built to make an employee act before they think to verify it. A regional office manager who has never dealt with a real fraud investigation has no baseline to know how odd this one is.

  • Any email claiming to be a law-enforcement "investigation" that arrives with a password-protected archive is a red flag on its own; real investigators don't operate this way
  • Verify the sender through a separate channel (call the agency's published number, don't reply to the email) before opening any linked file
  • Before extracting or running anything, check the link and the downloaded archive with VirusTotal rather than opening them. Keep the limitation in mind: engines cannot see inside a password-protected archive, so a clean result on the outer file proves nothing; the contents should only ever be extracted in an isolated sandbox, never on a workstation with access to company data
  • Treat any "video" file that turns out to be an .exe or script as confirmed malicious, not a mistake. Check the real file type, not the icon or the name: Windows hides known extensions by default, so a double extension can display as a plain video filename
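The two points above, an executable hidden several archive layers deep and a "video" that is really a PE file, can be checked mechanically before anyone double-clicks. The script below is an added example written for this article, not Bitdefender's tooling and not anything from the report: it walks a nested archive, refuses to trust filenames, and flags members whose header says executable while their name says media, members with a media name ending in an executable extension, and encrypted or oversized entries it cannot safely inspect. It uses zip rather than RAR because Python's standard library has no RAR reader (an assumption made so the demo runs stand-alone), and the sample lure it builds, including every filename inside it, is constructed here and is not the real campaign's archive.

```python
import io
import os
import zipfile

# Headers of executable formats that should never be inside a file labelled as media.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"#!": "script with shebang",
}
# Extensions a lure is likely to show the victim, and extensions that execute when opened.
MEDIA_EXTENSIONS = {".mp4", ".mov", ".avi", ".mkv", ".wmv", ".mpg", ".mpeg"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".vbs", ".ps1", ".lnk", ".msi"}
MAX_DEPTH = 8                      # stop recursing into endlessly nested archives
MAX_MEMBER_SIZE = 50 * 1024 * 1024  # skip members that could be decompression bombs


def classify_member(name, head):
    """Return the reasons a single archive member looks like a disguised executable.

    `name` is the member's filename, `head` its first bytes. An empty list means
    nothing suspicious was found for this member.
    """
    reasons = []
    exts = ["." + p for p in os.path.basename(name).lower().split(".")[1:]]
    last = exts[-1] if exts else ""
    desc = next((d for magic, d in EXECUTABLE_MAGIC.items() if head.startswith(magic)), None)
    if desc and last in MEDIA_EXTENSIONS:
        reasons.append(f"named as media ({last}) but content is {desc}")
    elif desc:
        reasons.append(f"content is {desc}")
    if last in EXECUTABLE_EXTENSIONS and any(e in MEDIA_EXTENSIONS for e in exts[:-1]):
        reasons.append(f"double extension: media name ending in {last}")
    elif last in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {last}")
    return reasons


def inspect_archive(data, path="", depth=0):
    """Recursively walk nested zip archives and return a list of (member_path, reasons)."""
    findings = []
    if depth > MAX_DEPTH:
        return [(path, ["nesting deeper than MAX_DEPTH, refusing to recurse"])]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member_path = f"{path}/{info.filename}" if path else info.filename
            if info.flag_bits & 0x1:  # encrypted entry: no scanner can see inside without the password
                findings.append((member_path, ["encrypted entry; contents not inspectable"]))
                continue
            if info.file_size > MAX_MEMBER_SIZE:
                findings.append((member_path, ["oversized member skipped (possible decompression bomb)"]))
                continue
            content = zf.read(info)
            reasons = classify_member(info.filename, content[:16])
            if reasons:
                findings.append((member_path, reasons))
            elif zipfile.is_zipfile(io.BytesIO(content)):
                findings.extend(inspect_archive(content, member_path, depth + 1))
    return findings


def build_sample_lure():
    """Constructed sample, not the real archive: three nested zips around a fake PE stub
    whose name pretends to be a video. The stub is only a header, not runnable code."""
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("evidence/video_evidence.mp4.exe", fake_pe)
        zf.writestr("evidence/readme.txt", b"Open the video to view the evidence.")
    middle = io.BytesIO()
    with zipfile.ZipFile(middle, "w") as zf:
        zf.writestr("evidence.zip", inner.getvalue())
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("archive.zip", middle.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for member, reasons in inspect_archive(build_sample_lure()):
        print(member)
        for r in reasons:
            print("   -", r)
```

The header check is the one that matters: the extension test catches the lazy double-extension trick, but a file called simply evidence.mp4 whose first two bytes are MZ is caught only by looking at the content, which is why the classifier runs before any recursion decision. In a mail-gateway setting the encrypted-entry branch is the signal for this campaign specifically: an archive the scanner cannot open, arriving with its password in the message body, should be quarantined rather than waved through as "unknown".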

No fixed ransom demand. No public leak site. Just a well-written email aimed at a small business without the staff to double-check it.