Ransomware Thugs Masquerade as Interpol to Entice Small Biz

Ransomware attackers have been masquerading as Interpol in a campaign targeting small businesses across multiple regions, including the US, Europe, Middle East, and elsewhere. The scammers send fake emails claiming the recipient’s organization is under investigation for suspicious activity, complete with fabricated evidence of alleged wrongdoing. These phishing attempts are designed to trick victims into downloading malware disguised as supporting documentation, which ultimately encrypts local systems and demands a ransom.

The campaign has so far targeted businesses in various sectors, including pharmaceuticals, food, agriculture, technology, media, and legal services. What’s notable about this attack is its simplicity: the malware used is basic, and the attackers don’t need to be part of a major cybercrime operation to launch a disruptive attack. According to Bitdefender, a security company that analyzed the payload, the code contains hardcoded values and lacks many features typically associated with large ransomware operations.

The attack begins with a phishing email from someone claiming to be an Interpol investigator. The message claims that investigators have obtained evidence of suspicious activity tied to the recipient’s organization and instructs them to download a password-protected archive hosted on Proton Drive for review. Once opened, the archive delivers a ransomware payload disguised as a benign video file that encrypts local systems and prompts victims to contact the attackers via the Tox peer-to-peer messaging platform to negotiate payment.
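A mail-filter heuristic for the lure described above, as an added example that is not code from Bitdefender or the original article. The signal names, the regexes, the `drive.proton.me` share-link host and the `interpol.int` sender-domain check are assumptions, and both sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed indicators for this lure pattern; names and regexes are illustrative.
PROTON_LINK = re.compile(r"https?://drive\.proton\.me/\S+", re.I)
PASSWORD_HINT = re.compile(r"\b(password|passcode)\b\s*(is|:)", re.I)
INTERPOL_CLAIM = re.compile(r"\binterpol\b", re.I)
LEGIT_DOMAIN = "interpol.int"  # assumption: the only sender domain trusted


def lure_signals(raw_message: str) -> list[str]:
    """Return the lure signals found in one plain-text RFC 5322 message."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{display} {msg.get('Subject', '')} {body}"

    signals = []
    trusted = domain == LEGIT_DOMAIN or domain.endswith("." + LEGIT_DOMAIN)
    if INTERPOL_CLAIM.search(text) and not trusted:
        signals.append("interpol_claim_from_untrusted_domain")
    if PROTON_LINK.search(body):
        signals.append("proton_drive_link")
    if PASSWORD_HINT.search(body):
        signals.append("archive_password_in_body")
    return signals


def should_quarantine(raw_message: str) -> bool:
    """Quarantine when impersonation coincides with a delivery signal."""
    found = lure_signals(raw_message)
    return "interpol_claim_from_untrusted_domain" in found and len(found) >= 2


# Constructed samples, not real campaign mail.
LURE = (
    "From: Interpol Investigations <case-officer@example.net>\n"
    "Subject: Notice of investigation\n\n"
    "Evidence is available at https://drive.proton.me/urls/EXAMPLE\n"
    "The archive password is: example123\n"
)
BENIGN = (
    "From: Alice <alice@example.org>\nSubject: Shared folder\n\n"
    "Photos are at https://drive.proton.me/urls/EXAMPLE2 for the team.\n"
)
if __name__ == "__main__":
    print(should_quarantine(LURE), should_quarantine(BENIGN))
```

A Proton Drive link alone is not treated as suspicious, since the service has ordinary business use; the rule fires only when the Interpol claim from an untrusted domain appears alongside it or a password hint.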

One interesting aspect of this campaign is the absence of a fixed ransom demand. Instead, it’s only when victim organizations contact the attackers via Tox that ransom negotiations begin. This approach mirrors a tactic increasingly used across the ransomware ecosystem: tailoring ransom demands to the size and perceived ability to pay of each compromised organization. Many targeted organizations appear to be small businesses, which often operate under the assumption that they are unlikely to be of much interest to ransomware operators.

However, this campaign proves that misconception wrong. Small businesses can indeed become easy targets for cybercriminals, as evidenced by data from CrowdStrike’s State of SMB Cybersecurity Survey. According to the survey, smaller organizations are disproportionately affected by cyberattacks: 29% of SMBs with fewer than 25 employees were hit by ransomware attacks. Moreover, despite admitting to being aware of cyber threats, two-thirds of SMB leaders said a lack of budget prevented them from making any security upgrades.

The takeaway for small businesses is clear: they cannot assume that they are immune to cyberattacks just because they’re smaller. In fact, the opposite may be true. With 70% of cyber incidents at small business accounts attributed to ransomware, according to Sophos’s annual threat report, it’s essential for these organizations to take proactive measures to protect themselves. This includes investing in robust cybersecurity tools and practices, as well as staying informed about emerging threats like this Interpol-themed campaign. By doing so, they can minimize their vulnerability to cyberattacks and avoid becoming the next victim of a ransomware scam.


Source: Dark Reading — 2026-07-02