Fake Interpol Emails Are Hitting Small Businesses With Ransomware. The Attackers Left the Decryption Key Inside the Malware.
Picture getting an email that says Interpol is investigating your company. The header looks official. The sender claims to be from the cybercrime division. They write that investigators have obtained video evidence of suspicious activity tied to your organization and are giving you the chance to review the material before formal action is taken.
What do you do? Most people panic. Some forward it to their boss. A lot of them click the link. That’s exactly what these attackers are counting on.
Bitdefender’s Antispam Lab disclosed this campaign last week after tracking it across businesses in the United States, Europe, Asia, and the Middle East.[1] The targeted industries are all over the map: food and agriculture, legal services, pharmaceuticals, media companies, technology firms, finance. Small and mid-sized businesses are the primary targets, picked specifically because they’re less likely to have a dedicated security team who’d catch it before someone clicks.[2]
How the Attack Actually Works
The email arrives with the standard authority-and-urgency combo that makes social engineering so effective. It claims to be from Interpol’s cybercrime investigation unit, says your organization is under scrutiny, and directs you to review evidence hosted on Proton Drive. Conveniently, the password to open the archive is right there in the email body.[1]
Once you enter the password, you see what looks like a video file documenting the alleged criminal conduct. It’s not a video. It’s an executable disguised to look like one. Double-click it and the ransomware runs.
The payload is custom-built, not a known ransomware strain that security tools have signatures for.[3] The ransom note doesn’t list an amount. It tells you to contact the attackers through a Tox chat ID and warns that running a malware scan will “complicate the recovery process.” That line is designed to stop you from doing the one thing that might help. The ransom demand itself comes later, sized to the organization after the attacker researches what you’re worth.[2]
The Decryption Key Was Already There
Here’s the part that tells you something important about who built this.
When Bitdefender researchers analyzed the ransomware binary, they found the decryption key hardcoded inside the malware itself.[4] That means anyone who got hit could potentially recover their files without paying and without contacting the attackers at all. The key to unlock your data was sitting right next to the code that locked it.
This isn’t how professional ransomware groups operate. Established ransomware-as-a-service operations keep decryption keys on their own servers, only handed over after payment clears. Having the key baked into the payload is either a serious operational mistake or a sign this was thrown together quickly. There’s no dedicated victim portal, no public leak site for double extortion, none of the infrastructure organized ransomware groups build out.[3]
What that tells us: the attacker’s real leverage is the fear of Interpol, not the ransomware itself. Get someone scared enough that they’re being investigated by an international law enforcement agency, and they might wire money before they think to call their IT person.
Why Law Enforcement Makes Such Good Bait
I’ve seen a lot of phishing tactics over the years. CEO impersonation, fake invoice emails, fake shipping notices. They all work because they create a plausible reason to act quickly without thinking too hard.
Law enforcement impersonation is something different. Most small business owners don’t have a legal team on retainer or a security operations center. If someone credible-looking says Interpol has video of your company doing something wrong, that registers differently than a fake FedEx notification. The fear response is immediate. That’s the whole point.
Real law enforcement doesn’t send unsolicited emails with Proton Drive links and password-protected archives asking you to review evidence.[1] Full stop. That’s not how any of this works. If you or anyone at your company gets something like this, treat it as a phishing attempt, report it to your IT team, and don’t open anything attached to it.
What You Should Do
A few concrete things worth doing right now:
First, share this with anyone at your company who handles email, which is everyone. The technical details matter less than the awareness that this specific tactic is active and targeting small businesses this month. One sentence to your staff covers it: “There are fake Interpol investigation emails circulating that deliver ransomware. Do not open attachments or click links in any email claiming to be from law enforcement, and call IT immediately if you see one.”
Second, make sure your email security isn’t running on defaults. Most built-in spam filters catch the obvious stuff but miss targeted campaigns using legitimate cloud hosting like Proton Drive. A third-party email security layer with sandboxing analyzes what those links actually deliver before they reach your inbox.
Third, if anyone in your organization gets hit by ransomware of any kind, don’t pay first. Call your IT provider or a security firm before doing anything. In this specific campaign, the decryption key was already inside the payload, meaning researchers were able to recover files without paying. Panicking and wiring money is exactly what the attackers want, and in this case it might not even be necessary.
Want someone to take a look at your current email security setup, or have questions about protecting your business from this kind of attack? Reach out here or call us at (412) 307-8313.
- Bitdefender Hot For Security, “Fake Interpol Investigation Emails Target Small Businesses with Ransomware,” bitdefender.com
- Security Boulevard, “Ransomware Campaign Uses Fake Interpol Notices to Target Small Businesses,” securityboulevard.com
- Dark Reading, “Ransomware Thugs Masquerade as Interpol to Entice Small Biz,” darkreading.com
- SC Media, “‘Interpol’ Emails Spread Custom Ransomware with Decryption Key Left Inside,” scworld.com