Bitdefender researchers have uncovered a phishing campaign spanning Europe, Asia, the Middle East and the United States that impersonates Interpol's cybercrime unit, using fear and fabricated evidence of wrongdoing to persuade small business owners to open a ransomware payload themselves.

Fake Interpol Investigation Emails Are Spreading Ransomware to Small Businesses Worldwide

The420 Web Correspondent
7 Min Read

Bitdefender Antispam researchers have uncovered a phishing campaign targeting small businesses with fake investigation emails impersonating law enforcement officials. The messages, crafted to appear as though they originate from Interpol’s cybercrime investigation unit, claim the recipient’s organisation is under review and that investigators have obtained evidence, including video material, of suspicious company activity. Recipients are urged to review this evidence as soon as possible.

The psychological engineering behind the message is deliberate. As Bitdefender researchers Viorel Vrabie and Andrei Mogage noted, nobody wants to receive an email suggesting their company may be involved in fraudulent activity or under investigation, and the campaign is built entirely around exploiting that instinctive anxiety. To view the alleged evidence, recipients are directed to a Proton Drive link hosting a password-protected archive, with the password included in the email itself. That password serves the attackers twice: it makes the process feel procedurally legitimate, lowering the victim's guard, and it keeps the archive's contents opaque to any mail or web gateway that cannot open encrypted files. Once extracted, the archive appears to contain a video file. It is in fact a ransomware executable disguised as a video, a familiar trick that relies on a distracted or hurried recipient not noticing the real file type.

Unsophisticated Code, Highly Effective Delivery

What distinguishes this campaign from a typical ransomware operation is the mismatch between the sophistication of its social engineering and the simplicity of its actual malware. According to Bitdefender's analysis, the malware itself is relatively simple: it contains hardcoded values, including the very password used for both encryption and decryption, and lacks many of the features associated with large, established ransomware operations. A password embedded in the binary also means it can in principle be recovered from a captured sample, something established operators avoid by generating per-victim keys. This, combined with the campaign's unusual negotiation setup, points strongly toward a custom-built or independently assembled operation rather than the work of an established ransomware-as-a-service group.

The ransom note itself is unusually vague by industry standards. Rather than stating a fixed payment amount upfront, as older ransomware campaigns typically did, it simply instructs victims to make contact through a Tox chat channel; the final demand is likely negotiated afterward based on the size of the organisation, the perceived value of its data, and its apparent ability to pay. Most modern ransomware-as-a-service groups instead direct victims to a dedicated dark web negotiation portal. The absence of any such infrastructure here, just a bare Tox ID with no negotiation site or leak page, reinforces Bitdefender's assessment that this is a smaller, independent operation rather than a branded ransomware gang. The campaign has been observed targeting organisations across the food and agriculture, legal services, pharmaceutical, media, technology, and finance sectors.

Why Small Businesses Remain the Preferred Target

This campaign's emphasis on small businesses is not incidental; it reflects a well-documented and worsening imbalance in how ransomware operators allocate their effort. According to Verizon's 2025 Data Breach Investigations Report, ransomware was present in 88 per cent of breaches at small and medium-sized businesses, compared with 39 per cent at large enterprises, a gap that shows how disproportionately smaller organisations are being hit relative to their resources.

The reasons are structural. Many small businesses operate without dedicated IT or cybersecurity staff; security responsibilities are shared among employees already juggling multiple roles, and limited budgets make advanced protections or ongoing training difficult to justify. When an alarming email arrives claiming to involve investigators or evidence of misconduct, there is frequently no formal verification step before someone clicks, precisely the operational gap this campaign is engineered to exploit. This pattern of low-sophistication attacks succeeding through psychological pressure rather than technical skill reflects a broader industry trend. Ransomware operators increasingly recognise that even relatively simple malware becomes a serious threat when paired with sufficiently convincing social engineering: the fake investigation email does the heavy lifting that a technically sophisticated exploit would otherwise have to do.

What Legitimate Law Enforcement Emails Never Do

Bitdefender’s researchers flagged what they describe as the campaign’s single biggest red flag: legitimate law enforcement agencies do not send unsolicited emails containing cloud storage links to password-protected files and ask organisations to review alleged evidence of wrongdoing on their own. Any message following that pattern, regardless of which agency it claims to represent, should be treated as suspicious by default and verified only through officially published contact channels, never through details supplied within the email itself.

The broader defensive posture Bitdefender recommends is consistent with standard small business security practice: treat password-protected archives with particular suspicion when the password arrives in the same message, enable visible file extensions on Windows so that executables disguised as media files are easier to spot, maintain multi-factor authentication across business accounts, and keep reliable, tested backups, which remain one of the most effective safeguards against ransomware regardless of how an attack begins.

For organisations that have already opened such a file, the recommended response follows a clear sequence: disconnect the affected device from the network immediately, run a full security scan, notify IT support where available, change important passwords from a separate clean device, and report the incident both to the impersonated organisation and to the relevant national cybersecurity authority. Shared intelligence on active campaigns like this one helps other potential targets recognise the warning signs before they, too, click.
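As an added example, not Bitdefender's or The420's code, the following Python script puts the two checks discussed above into practice: it inspects an archive without extracting it and flags members that carry a media-style name but are really Windows executables, the disguise the campaign's fake "video" relies on, along with the double-extension and right-to-left-override tricks that visible file extensions are meant to expose. The archive it scans is constructed in memory for the demo; every file name and byte string in it is made up and is not an indicator from the real campaign. The `password` parameter is an assumption about how a recipient would feed in the password quoted in the email.

```python
"""
Added example for this article (not Bitdefender's or The420's code): a small
pre-extraction inspector for archives like the one the campaign delivers.

It flags the disguises the article describes: a Windows executable given a
media-file name (double extensions such as video.mp4.exe, or an .mp4 whose
bytes are really a PE image) plus the right-to-left override trick that makes
"exe" render as part of a harmless-looking name. The archive it scans is
constructed in memory; every name and byte string below is made up.
"""
from __future__ import annotations

import io
import zipfile
from dataclasses import dataclass
from typing import List, Optional

# Extensions a lure typically imitates, and ones Windows will run on double-click.
MEDIA_EXTENSIONS = {".mp4", ".mov", ".avi", ".mkv", ".wmv", ".mp3", ".pdf", ".jpg", ".png"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi",
                         ".js", ".vbs", ".hta", ".lnk"}
PE_MAGIC = b"MZ"   # DOS/PE header that every Windows executable starts with
RLO = "\u202e"     # Unicode right-to-left override


@dataclass
class Finding:
    name: str
    reason: str


def classify_member(name: str, head: bytes) -> List[str]:
    """Return the reasons an archive member looks like a disguised executable.

    `head` is the first few bytes of the member's content."""
    reasons: List[str] = []
    basename = name.lower().rsplit("/", 1)[-1]
    parts = basename.split(".")
    exts = ["." + p for p in parts[1:]]        # all extensions, in order
    last = exts[-1] if exts else ""

    if last in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {last}")
        if len(exts) >= 2 and exts[-2] in MEDIA_EXTENSIONS:
            reasons.append(f"double extension disguised as {exts[-2]}")
    elif head.startswith(PE_MAGIC):
        # Content check: a PE image hiding behind a non-executable name.
        reasons.append("PE header (MZ) under a non-executable name")
    if RLO in name:
        reasons.append("right-to-left override character in file name")
    return reasons


def scan_archive(data: bytes, password: Optional[bytes] = None) -> List[Finding]:
    """Inspect a zip archive without extracting anything to disk.

    `password` (an assumed parameter for the demo) is handed to zipfile, which
    can read only legacy ZipCrypto encryption; AES-encrypted zips need a
    third-party library such as pyzipper."""
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info, pwd=password) as fh:
                head = fh.read(len(PE_MAGIC))   # only the magic bytes are needed
            for reason in classify_member(info.filename, head):
                findings.append(Finding(info.filename, reason))
    return findings


def build_sample_archive() -> bytes:
    """Constructed demo archive: one double-extension executable, one PE image
    renamed to .mp4, and two benign members. Not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Evidence/CASE_VIDEO.mp4.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("Evidence/evidence_scan.mp4", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("Evidence/notes.txt", b"Harmless text file.")
        zf.writestr("Evidence/clip.mov", b"\x00\x00\x00\x14ftypqt  ")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_archive(build_sample_archive()):
        print(f"SUSPICIOUS {finding.name}: {finding.reason}")
```

Running the script reports the two disguised members and stays silent on the text file and the genuine QuickTime header. The content check matters more than the name check on a Windows host with hidden extensions, since the name the victim sees is exactly what the attacker chose; reading the first two bytes costs nothing and cannot be spoofed by renaming.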
