- Criminals use fake Interpol emails to trick small business staff into opening password-protected archives containing custom ransomware.
- The malware locks files and forces victims to negotiate ransom payments via Tox chat, with no fixed price, suggesting a targeted, small-scale operation.
- Companies should enforce safety measures, such as training workers to verify unexpected official notices, among others, to stay safe.

Criminals are sending bogus emails, posing as legitimate Interpol correspondence, to convince small company employees to download ransomware. These messages push recipients to open files that supposedly contain proof of shady company dealings.
Bitdefender’s security team uncovered the scheme, which relies on formal jargon, pressing subject lines, and law enforcement logos to scare workers into thinking their employer is under scrutiny. The emails claim that officials have obtained sensitive materials, including recorded footage, linked to the company’s internal systems.
The emails avoid carrying direct malicious attachments. Rather, they point users to a Proton Drive link holding a password-protected compressed folder. By giving the password inside the message, the scammers make the request seem ordinary while dodging basic antivirus scans.
Extracting the archive presents a file that looks like a video. But Bitdefender warns that this file hides a ransomware payload beneath several layers of compression. Once active, the harmful program locks files on connected drives and presents a ransom demand. The note tells victims not to tamper with encrypted data. It also gives them a Tox chat ID to contact the thieves.
Inside the Ransomware Operation
The ransom note does not state the exact amount of money demanded. This suggests the criminals wait for victims to reach out, then haggle based on the company’s size and the perceived worth of the locked data.
Researchers believe this is unique, custom-engineered software and not an offshoot of a known ransomware criminal organization. The malware relies on hardcoded values and embedded encryption passwords, and lacks the more advanced functionality found in many high-end ransomware variants. This points to a smaller, more personal operation.
The negotiation method also stands out. It does not use the usual dark web sites or portals that most ransomware gangs rely on to interact with victims and provide payment instructions. Here, the attackers only offer a Tox chat ID. There is no separate victim portal, which further indicates this is not a large-scale professional outfit.
The attacks have shown up across multiple continents, hitting Europe, Asia, the Middle East, and the US. Bitdefender spotted victims in food production, legal practices, drug companies, media outlets, tech firms, and financial services. The wide range of industries and regions suggests the scammers are trying their luck everywhere.
Why Crooks Are Picking on Smaller Companies
Criminal groups see small businesses as a source of ransomware income because those firms generally lack adequate IT infrastructure and the knowledge to defend against cyber threats.
Employees are more likely to react when they receive a message that appears to come from a global organization such as Interpol.
The cybercrime ecosystem is multifaceted: while some criminals deploy ransomware, others focus on stealing and selling data, as seen in the Ledger breach, where user records have appeared for sale on the dark web.
So employees may well open the attachments in such an email without thinking. The threat of a fraud probe or regulatory trouble only adds to the panic.
The official tone and police-style branding make the emails appear genuine. Workers may not feel comfortable questioning a message that claims to be from Interpol. The Proton Drive link also adds a layer of trust, since it is a well-known cloud service.
The criminals are counting on the faith people put in official-looking communications. They do not directly ask for passwords or money up front. Instead, they get victims to open a file that appears connected to a real investigation.
This tactic follows a familiar pattern seen in other scams. Past campaigns have faked emails from the FBI and Europol to spread malware. Mimicking Interpol gives this one a fresh twist.
Defending Your Business Against These Scams
Business owners should teach their teams to treat unexpected legal notices with suspicion. Before acting on a legal notice delivered via a cloud link, employees should verify the sender through an independent channel.
One of the easiest ways to spot a suspicious file is to check its extension, since some files can look like ordinary documents but in fact contain executables.
Employees should not open files that appear to be video files, PDFs, or evidence packets unless they know where they came from. The fake Interpol emails rely on password-protected archives to slip past basic security checks, which means some antivirus software may not detect the malware until after it executes.
Implementing better email filters and endpoint protection may help. Good security software can stop malicious attachments or links from reaching an inbox. Having backups in place gives a business a recovery option if ransomware is used against it.
This type of campaign demonstrates that ransomware tactics are changing. As larger companies improve their security, criminal organizations are finding new targets in smaller ones. Training employees to identify these types of attacks is the best form of defense against them.
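A small triage helper, added here as an example and not part of Bitdefender's research or any product, applies the check described above: it flags a file whose name claims to be a video or document but whose first bytes carry an executable signature, and it flags names that use a double extension such as "evidence.mp4.exe". The magic-byte table, the extension sets, and the sample headers are constructed for this example; no real malware or real files are involved.

```python
"""Check whether a file's content matches what its name claims.

Added example (not Bitdefender's code): flags files that look like videos
or documents by name but start with an executable signature, and names that
use a double extension. Sample inputs below are constructed in memory.
"""
from __future__ import annotations

import os

# Leading bytes ("magic") of common executable containers (constructed table).
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"\xcf\xfa\xed\xfe": "Mach-O executable",  # 64-bit, little-endian on disk
    b"#!": "script with interpreter line",
}

# Extensions users expect to be passive content (what the lure claims to be).
PASSIVE_EXTENSIONS = {".mp4", ".avi", ".mov", ".mkv", ".pdf", ".docx", ".jpg", ".png"}

# Extensions that Windows will run when double-clicked.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js",
                         ".vbs", ".ps1", ".lnk", ".msi"}


def detect_executable(header: bytes) -> str | None:
    """Return a description if the header starts with a known executable magic."""
    for magic, description in EXECUTABLE_MAGIC.items():
        if header.startswith(magic):
            return description
    return None


def analyze(name: str, header: bytes) -> list[str]:
    """Return findings for a file name plus its first bytes (empty list = nothing odd)."""
    findings: list[str] = []
    parts = name.lower().split(".")
    extensions = ["." + p for p in parts[1:]]
    final_ext = extensions[-1] if extensions else ""

    # Double extension: a passive-looking suffix followed by an executable one.
    if (len(extensions) >= 2 and extensions[-2] in PASSIVE_EXTENSIONS
            and final_ext in EXECUTABLE_EXTENSIONS):
        findings.append(f"double extension: looks like {extensions[-2]} but runs as {final_ext}")
    elif final_ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable extension {final_ext}")

    # Content check: the name claims passive content but the bytes are an executable.
    exe_kind = detect_executable(header)
    if exe_kind and final_ext in PASSIVE_EXTENSIONS:
        findings.append(f"content is a {exe_kind} despite {final_ext} name")
    elif exe_kind and final_ext not in EXECUTABLE_EXTENSIONS:
        findings.append(f"content is a {exe_kind}")
    return findings


def scan_directory(path: str) -> dict[str, list[str]]:
    """Run analyze() over every file under path, reading only 16 header bytes each."""
    results: dict[str, list[str]] = {}
    for root, _dirs, files in os.walk(path):
        for fname in files:
            full = os.path.join(root, fname)
            with open(full, "rb") as fh:
                header = fh.read(16)
            findings = analyze(fname, header)
            if findings:
                results[full] = findings
    return results


# Constructed samples (not real malware): a genuine-looking MP4 header, a PE
# stub renamed to look like a video, a double-extension lure, and a real PDF header.
SAMPLES = {
    "meeting.mp4": b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 8,
    "evidence.mp4": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8,
    "evidence.mp4.exe": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8,
    "notice.pdf": b"%PDF-1.7\n" + b"\x00" * 7,
}

if __name__ == "__main__":
    for sample_name, sample_header in SAMPLES.items():
        print(sample_name, "->", analyze(sample_name, sample_header) or ["no findings"])
```

The header check matters because Windows hides extensions for known file types by default, so a renamed executable can display simply as "evidence" with a video icon; reading the first bytes catches that even when the name looks clean. Run `scan_directory` against an extracted archive before anyone double-clicks its contents.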