Fake Interpol Investigation Emails Push Ransomware at Small Businesses Globally

Fake Interpol investigation emails are targeting small businesses with Proton Drive links that deliver ransomware, encrypt files, and route victims to Tox chat.


Small businesses are being targeted by fake Interpol investigation emails that impersonate law enforcement officials and pressure recipients to open files presented as evidence of suspicious company activity. In reality, doing so infects their devices with malware, leading to ransomware infection.

Researchers at Bitdefender Antispam Lab found that the campaign uses formal language, urgent subject lines, and law enforcement branding to convince employees that their organization is facing a compliance or security review. The email tells recipients that investigators have obtained information and video material connected to company accounts, systems, or services.

The message does not begin with an obvious malware attachment; instead, it directs the recipient to a Proton Drive link and states that the file is a password-protected archive named archive.rar. The password is included in the email, making the request feel routine while also helping the file avoid basic scanning checks.

The fake email (Image credit: Bitdefender)

Once the archive is opened, the victim is shown what looks like a video file. The file is not evidence. Bitdefender says it hides a ransomware payload inside several archive layers, using a common trick in which an executable is disguised as media.

After execution, the malware attempts to encrypt files on available drives and displays a ransom note telling the victim that files cannot be recovered without a decryption key. The note also warns against deleting, moving, or scanning files and directs the victim to contact the attackers through Tox, an encrypted instant messaging protocol.

It is worth noting that the ransom note does not list a fixed payment amount. The attackers appear to wait for victims to make contact, then negotiate based on the organization and the value of its data.

In the Bitdefender report shared with Hackread.com ahead of publishing on Wednesday, researchers said the malware appears to be custom-built, not part of a known ransomware family. Its code reportedly includes hardcoded values, including a password used during encryption and decryption, and lacks many features seen in major ransomware operations.

Researchers believe the campaign’s contact method suggests it is not a large-scale operation, but a smaller effort aimed at businesses. Many ransomware as a service groups use dark web negotiation portals where victims receive payment instructions and communicate with the gang. In this case, the attackers provide a Tox chat ID, with no dedicated victim portal.


Targeting Businesses Worldwide

The campaign has reached organizations in Europe, Asia, the Middle East, and the United States. Bitdefender observed targets in food and agriculture, legal services, pharmaceuticals, media, technology, and finance.

Small businesses remain attractive targets because many do not have full-time IT or cybersecurity staff. A message that appears to come from an international law enforcement agency can also easily push an employee to download and execute files without verifying the request, especially when the email suggests fraud, misconduct, or regulatory exposure.

If you run a small business with an online presence, employees should treat unexpected investigation notices, file sharing links, and password-protected archives as high risk.

Before opening files from cloud storage links, employees should verify the sender through a separate channel, inspect file extensions carefully, and avoid running executables disguised as documents, videos, or evidence packages.
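As an added illustration of the "inspect file extensions" advice above (this is not code from Bitdefender or Hackread), the Python check below compares what a file's name claims to be with what its leading bytes actually are, flagging an executable named like a video, a double extension, and archive-in-archive layering. The sample byte strings are constructed stand-ins, not real malware.

```python
"""Flag files whose contents do not match the media/document type their name claims."""
import os

# Leading bytes ("magic numbers") of file types relevant to this kind of lure.
MAGIC = {
    b"MZ": "windows-executable",
    b"\x7fELF": "elf-executable",
    b"Rar!\x1a\x07": "rar-archive",   # covers both RAR4 and RAR5 signatures
    b"PK\x03\x04": "zip-archive",
}
# Extensions a lure uses to make a payload look like media or a document.
BENIGN_EXTS = {".mp4", ".avi", ".mov", ".mkv", ".pdf", ".doc", ".docx", ".jpg", ".png", ".txt"}
# Extensions Windows will execute on double-click.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk"}


def sniff(data: bytes) -> str:
    """Identify a file by its leading bytes, ignoring whatever the name says."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def assess(name: str, data: bytes) -> list:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    parts = os.path.basename(name).lower().split(".")
    exts = ["." + p for p in parts[1:]]
    if exts and exts[-1] in EXEC_EXTS:
        findings.append("executable-extension")
        # "evidence.mp4.exe" is shown as "evidence.mp4" when Explorer hides extensions.
        if len(exts) > 1 and exts[-2] in BENIGN_EXTS:
            findings.append("double-extension")
    kind = sniff(data)
    if kind.endswith("executable") and (not exts or exts[-1] in BENIGN_EXTS):
        findings.append("content-mismatch:" + kind)
    if kind.endswith("archive"):
        findings.append("nested-archive:" + kind)  # unpack and re-check each member
    return findings


# Constructed samples: a PE-style header, a RAR5 signature and an MP4 'ftyp' box.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60
FAKE_RAR = b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16
FAKE_MP4 = b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 16

if __name__ == "__main__":
    for fname, blob in [("evidence.mp4", FAKE_PE), ("evidence.mp4.exe", FAKE_PE),
                        ("archive.rar", FAKE_RAR), ("clip.mp4", FAKE_MP4)]:
        print(fname, "->", assess(fname, blob) or "ok")
```

A password-protected archive cannot be inspected until it is extracted, so this check belongs on each file that comes out of it, not on the archive alone.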

The quickest way to check whether a file or URL is malicious without opening it is to use VirusTotal. Simply upload the suspicious file or submit the link to the platform to help protect your business.

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cybersecurity and tech world. I am also into gaming, reading and investigative journalism.