Fake Interpol Investigation Emails Push Ransomware at Small Businesses Globally
Fake Interpol emails deliver ransomware to small businesses via Proton Drive links.
Summary
A new ransomware campaign is targeting small businesses globally by impersonating Interpol investigations. Attackers use fake investigation emails with Proton Drive links to deliver a custom-built ransomware payload disguised as a video file. Victims are instructed to communicate with attackers via Tox for ransom negotiations.
Full text
Fake Interpol investigation emails are targeting small businesses with Proton Drive links that deliver ransomware, encrypt files, and route victims to Tox chat.

by Waqas, July 1, 2026

Small businesses are being targeted by fake Interpol investigation emails that impersonate law enforcement officials and pressure recipients to open files presented as evidence of suspicious company activity. Opening those files infects the device with malware and ends in a ransomware infection.

Researchers at Bitdefender Antispam Lab found that the campaign uses formal language, urgent subject lines, and law enforcement branding to convince employees that their organization is facing a compliance or security review. The email tells recipients that investigators have obtained information and video material connected to company accounts, systems, or services.

The message does not carry an obvious malware attachment. Instead, it directs the recipient to a Proton Drive link and states that the file is a password-protected archive named archive.rar. The password is included in the email, which makes the request feel routine and also keeps the archive contents away from mail gateway and antivirus scanners, since an encrypted archive cannot be inspected without the password.

[Figure: The fake email (Image credit: Bitdefender)]

Once the archive is opened, the victim sees what looks like a video file. It is not evidence. Bitdefender says the ransomware payload is hidden inside several archive layers, using a common trick in which an executable is disguised as media. After execution, the malware attempts to encrypt files on available drives and displays a ransom note telling the victim that files cannot be recovered without a decryption key.

The note also warns against deleting, moving, or scanning files and directs the victim to contact the attackers through Tox, an encrypted peer-to-peer instant messaging protocol. The ransom note does not list a fixed payment amount. The attackers appear to wait for victims to make contact, then negotiate based on the organization and the value of its data.

In the Bitdefender report shared with Hackread.com ahead of publication on Wednesday, researchers said the malware appears to be custom-built rather than part of a known ransomware family. Its code reportedly includes hardcoded values, including a password used during encryption and decryption, and lacks many features seen in major ransomware operations. If that password really is embedded in the binary rather than generated per victim, it can be recovered from a sample by analysis, which is one reason such a design is considered far less mature than the per-victim key handling of established families.

Researchers believe the contact method points to a smaller effort aimed at businesses rather than a large-scale operation. Many ransomware-as-a-service groups run dark web negotiation portals where victims receive payment instructions and communicate with the gang. In this case, the attackers provide only a Tox chat ID, with no dedicated victim portal.

Targeting Businesses Worldwide

The campaign has reached organizations in Europe, Asia, the Middle East, and the United States. Bitdefender observed targets in food and agriculture, legal services, pharmaceuticals, media, technology, and finance. Small businesses remain attractive targets because many do not have full-time IT or cybersecurity staff, and a message that appears to come from an international law enforcement agency can easily push an employee to download and execute files without verifying the request, especially when the email suggests fraud, misconduct, or regulatory exposure.

If you run a small business with an online presence, employees should treat unexpected investigation notices, file sharing links, and password-protected archives as high risk.

Before opening files from cloud storage links, employees should verify the sender through a separate channel (Interpol works through national police forces and has itself warned that it does not contact companies or individuals directly), inspect file extensions carefully, and avoid running executables disguised as documents, videos, or evidence packages. Windows hides known extensions by default, so a file named Evidence.mp4.exe is displayed as Evidence.mp4; enabling extension display in Explorer removes that ambiguity. VirusTotal can check a file or URL without opening it. Look up the file's SHA-256 hash first, because uploading a document shares it with other VirusTotal users, and remember that a scanner cannot see inside a password-protected archive, so submit the extracted file rather than the archive itself.
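The two disguises the article describes, a double extension such as video.mp4.exe and executable content sitting behind a media extension inside nested archive layers, can both be caught before anything is run by looking at the bytes rather than the name. The following is an added example written for this page, not code from the article or from Bitdefender. It uses zip archives because Python's standard library cannot read RAR; the same walk works with the third-party rarfile package, which exposes a ZipFile-like interface. The sample lure it inspects is constructed inline and contains only an inert PE header stub, not a real payload.

```python
import io
import zipfile
from dataclasses import dataclass
from typing import List, Optional

# Leading bytes of common executable formats. Content that starts with one of
# these is a program no matter what extension the file was given.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"\xcf\xfa\xed\xfe": "Mach-O executable",
}

# Extensions a lure typically claims (documents, video, images) and extensions
# Windows will actually execute. A name ending in <claimed>.<executable> is the
# classic double-extension disguise; Explorer hides the last part by default.
CLAIMED_EXTENSIONS = {"mp4", "avi", "mkv", "mov", "pdf", "docx", "xlsx", "jpg", "png"}
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "msi"}

# Nested archives are a layering trick; refuse to unpack past this depth.
MAX_DEPTH = 5


@dataclass
class Finding:
    path: str    # member path; "!/" separates archive layers
    reason: str


def executable_kind(data: bytes) -> Optional[str]:
    """Return the executable format name if the bytes carry an executable header."""
    for magic, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def inspect_file(path: str, data: bytes) -> List[Finding]:
    """Flag disguised executables by name (double extension) and by content."""
    findings: List[Finding] = []
    name = path.rsplit("/", 1)[-1].lower()
    exts = name.split(".")[1:]
    if len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTENSIONS and exts[-2] in CLAIMED_EXTENSIONS:
        findings.append(Finding(path, f"double extension .{exts[-2]}.{exts[-1]}"))
    kind = executable_kind(data)
    if kind and (not exts or exts[-1] not in EXECUTABLE_EXTENSIONS):
        shown = f".{exts[-1]}" if exts else "no"
        findings.append(Finding(path, f"{kind} content behind {shown} extension"))
    return findings


def inspect_archive(data: bytes, prefix: str = "", depth: int = 0) -> List[Finding]:
    """Walk an archive in memory, descending into nested archives up to MAX_DEPTH."""
    if depth > MAX_DEPTH:
        return [Finding(prefix, f"nested deeper than {MAX_DEPTH} layers; not unpacking")]
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member_path = prefix + info.filename
            member = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(member)):
                findings.append(Finding(member_path, f"nested archive, layer {depth + 1}"))
                findings.extend(inspect_archive(member, member_path + "!/", depth + 1))
            else:
                findings.extend(inspect_file(member_path, member))
    return findings


def build_sample_lure() -> bytes:
    """Constructed sample (not a real capture): outer archive -> inner archive ->
    a PE header stub disguised as a video, beside a file that really is MP4-shaped."""
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60                 # inert DOS/PE header only
    mp4_stub = b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 32  # MP4 'ftyp' box
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("Evidence_Video.mp4.exe", pe_stub)  # double extension
        zf.writestr("statement.mp4", pe_stub)           # executable content, media name
        zf.writestr("interview.mp4", mp4_stub)          # genuine media, no finding
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("archive.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for f in inspect_archive(build_sample_lure()):
        print(f"{f.path}: {f.reason}")
```

Running it reports the nested layer, the double extension on Evidence_Video.mp4.exe, and the PE header behind statement.mp4, while interview.mp4 produces nothing. The content check is the one that matters: a renamed file keeps its header, and the name-based check only catches the lazier variant of the trick.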
Indicators of Compromise
- delivery — Proton Drive share link (a legitimate file-hosting service abused for delivery; the article does not give the specific URL)
- file name — archive.rar (password-protected, with the password sent in the email body; holds nested archive layers containing an executable disguised as a video file)
- contact channel — Tox chat ID given in the ransom note (no victim portal)