Small businesses across the United States, Europe, Asia, and the Middle East are being targeted by a ransomware campaign that uses fake Interpol emails to trick victims into downloading malicious software. Bitdefender researchers reported Wednesday that the attackers impersonate the "Interpol Cybercrime Investigation Unit" and claim an emergency response is needed for compliance investigations. The emails direct recipients to password-protected archives on Proton Drive containing ransomware disguised as video files.
The attack chain begins with phishing emails that create urgency by referencing supposed security violations requiring immediate attention. Victims who follow the link find nested archives containing what appears to be evidence files. When users attempt to open what they believe is a video file, the ransomware executes and encrypts files across available drives before dropping a ransom note instructing victims to contact attackers via Tox chat.
Bitdefender Senior Security Researcher Viorel Vrabie told SC Media the malware contains a significant technical flaw: the decryption functionality and required key are embedded directly in the payload. This means victims can recover encrypted files without negotiating with attackers or paying ransom. The researchers found no evidence of data exfiltration, and the malware appears to have been constructed using publicly available code or templates rather than sophisticated custom development.
The campaign has affected businesses across multiple sectors, including technology, finance, legal services, food and agriculture, pharmaceuticals, and media. Researchers assessed that the operation is likely conducted by a less sophisticated threat actor rather than an established ransomware group, relying primarily on social engineering and fear tactics rather than technical complexity. The ransom note even threatens that running malware scans will complicate recovery, an attempt to keep victims from discovering the hardcoded decryption key.
Bitdefender recommends that organizations that received these emails immediately disconnect affected devices from their networks and run full security scans. Prevention measures include training employees to recognize urgency-based social engineering tactics, verifying all unsolicited messages before taking action, treating password-protected archives with suspicion, maintaining secure data backups, and configuring Windows to display file extensions. Organizations should report incidents to IT teams, managed service providers, email providers, and national cybersecurity agencies.
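The lure described above relies on nested, password-protected archives and on Windows hiding a real executable extension behind a video-looking name. The following triage script is an added example (not from the article or from Bitdefender) that a mail-gateway or help-desk analyst could run on a suspicious archive: it lists members, recurses into nested zips, flags password-protected entries, and flags names such as `evidence.mp4.exe`. The extension lists, the sample archive layout and the file names are constructed assumptions, not indicators from the campaign.

```python
import io
import zipfile

# Assumed lists: extensions Explorer hides under "Hide extensions for known file
# types" and that execute on double-click, and media extensions a lure might mimic.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk"}
MEDIA_EXTS = {".mp4", ".avi", ".mkv", ".mov", ".wmv"}


def is_disguised_media(name):
    """True for names like 'evidence.mp4.exe': shown as a video when extensions
    are hidden, but the real (last) extension is executable."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 3:
        return False
    real_ext, shown_ext = "." + parts[-1], "." + parts[-2]
    return real_ext in EXECUTABLE_EXTS and shown_ext in MEDIA_EXTS


def triage_archive(data, depth=0, max_depth=3):
    """Inspect zip bytes without extracting to disk; return (finding, member) pairs.
    Member names are readable from the central directory even when the archive
    is password-protected, so encrypted lures can still be flagged by name."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & 0x1)  # general-purpose bit 0
            if encrypted:
                findings.append(("encrypted-member", info.filename))
            if is_disguised_media(info.filename):
                findings.append(("disguised-executable", info.filename))
            # Recurse into nested archives we can actually read (not encrypted).
            if info.filename.lower().endswith(".zip") and not encrypted and depth < max_depth:
                findings.extend(triage_archive(zf.read(info.filename), depth + 1, max_depth))
    return findings


def build_sample_lure():
    """Constructed sample only: outer zip -> 'evidence.zip' -> 'evidence_video.mp4.exe'.
    The inner member holds placeholder bytes, not a real program."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("evidence_video.mp4.exe", b"placeholder bytes, not a binary")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Interpol_case_files/evidence.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for finding, member in triage_archive(build_sample_lure()):
        print(f"{finding}: {member}")
```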
Source: https://www.scworld.com/news/interpol-emails-spread-custom-ransomware-with-decryption-key-left-inside