
Ransomware Attacks Targeted via Fake Interpol Emails

"One of the biggest red flags in this campaign is the delivery method itself. While the attackers impersonate Interpol, legitimate law enforcement agencies don't send unsolicited emails containing Proton Drive links to password‑protected files and ask organizations to review alleged evidence of wrongdoing," wrote Alina Bizga of Bitdefender.

How the attackers impersonate Interpol

According to a Bitdefender Antispam Lab blog post published on July 1, cybercriminals are sending phishing emails that claim to come from the "Cybercrime Investigation Unit" at Interpol. The messages tell recipients their business may have been involved with or subject to suspicious or fraudulent activity and urge them to "urgently" open an attached file that supposedly contains evidence to be reviewed. By invoking an international law‑enforcement brand and suggesting involvement in criminal activity, the campaign seeks to trigger an immediate, unreflective response.

How the infection is delivered and what the malware does

The malicious file is stored on Proton Drive and reachable through a link embedded in the fraudulent email. The link points to a password‑protected file; the password is included in the same message, a step intended to lower friction and push recipients to open the file. When the target follows the link and opens the file, they are led to an executable disguised as a video file. If run, that executable installs ransomware on the system.

Bitdefender’s researchers note the ransomware implant in this campaign "doesn’t even appear to have a name" and is relatively simple, lacking many of the advanced functions commonly associated with major ransomware operations.

Negotiation by private messenger: Tox replaces an on‑page ransom demand

The attackers do not post a conventional ransom figure in an extortion note. Instead, the ransom note instructs victims to contact the operators through Tox, a peer‑to‑peer private messaging service. As Alina Bizga explains, "This approach has become increasingly common among ransomware operators. Rather than demanding the same amount from every victim, attackers often prefer to negotiate after establishing contact." Bitdefender adds that final demands may depend on the size of the organization, the perceived value of its data and its ability to pay.

Who has been targeted

Bitdefender reports the phishing campaign has targeted small businesses across Europe, Asia, the Middle East and North America. Industries named as recipients include food and agriculture, legal services, pharmaceuticals, media, technology and finance. The geographic spread and the range of sectors indicate the operation is not narrowly focused on a single industry or region.

What this means for technologists, procurement leaders, and end users

  • Technologists and security teams: Verify the provenance of unsolicited messages that claim to involve law enforcement, and treat password‑protected cloud links delivered by email as high‑risk. The attackers deliberately include the file password in the message to encourage opening; that combination should trigger additional inspection before any file is executed.
  • Procurement and enterprise leaders: Small businesses were singled out in this campaign. Those responsible for buying and onboarding software or cloud services should ensure staff know not to run executables that arrive via email disguised as benign files, and to route suspicious legal or law‑enforcement claims through established corporate channels.
  • End users and the general public: Exercise skepticism about urgent, unsolicited notices alleging wrongdoing, especially when the notice asks you to follow a link to a password‑protected file. As Bitdefender’s blog notes, it is "highly unlikely" that a legitimate law enforcement agency would reach out in that manner.
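As an added illustration (not code from Bitdefender or from the article), the triage heuristic below scores an email on the traits described above: a law-enforcement brand, a Proton Drive share link, the file password in the same message, urgency wording and an allegation of wrongdoing. The sample messages are constructed, and the Proton Drive host pattern is an assumption.

```python
import re

# Constructed sample messages for the demo (not the campaign's real emails);
# the share URL and the password are placeholders.
SAMPLE_PHISH = """Subject: URGENT - Cybercrime Investigation Unit, INTERPOL
Your business may have been involved in suspicious or fraudulent activity.
Review the evidence here: https://drive.proton.me/urls/EXAMPLE#EXAMPLE
The file is protected. Password: Evidence2025
Respond urgently."""

SAMPLE_BENIGN = """Subject: June invoice
Hi, the June invoice is attached as discussed. Thanks!"""

# One pattern per trait of the campaign described in the article.
INDICATORS = {
    "law_enforcement_brand": re.compile(
        r"\b(interpol|europol|cybercrime investigation unit|law enforcement)\b", re.I),
    # Assumption: Proton Drive share links live under a proton.me host.
    "cloud_share_link": re.compile(r"https?://(?:[\w-]+\.)*proton\.me/\S+", re.I),
    # A password handed over in the body, e.g. "Password: ..." or "password is ...".
    "password_in_body": re.compile(r"\bpassword\b\s*(?:is|:)\s*\S+", re.I),
    "urgency": re.compile(r"\b(urgent(?:ly)?|immediately)\b", re.I),
    "allegation": re.compile(
        r"\b(fraudulent|suspicious|criminal|wrongdoing|evidence)\b", re.I),
}


def triage(message: str) -> dict:
    """Return the triggered indicators and a risk verdict for one email."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(message)}
    # A share link whose password travels in the same message is the core
    # red flag named above; a law-enforcement claim on top of it makes the
    # combination characteristic of this campaign.
    if {"cloud_share_link", "password_in_body"} <= hits:
        verdict = "high" if "law_enforcement_brand" in hits else "medium"
    elif len(hits) >= 2:
        verdict = "medium"
    else:
        verdict = "low"
    return {"verdict": verdict, "indicators": sorted(hits)}


if __name__ == "__main__":
    for label, msg in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, triage(msg))
```

Messages scored "high" or "medium" are candidates for quarantine and manual review, not automatic deletion, since legitimate file-share invitations can trip individual indicators.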

Bitdefender’s practical guidance is straightforward: verify unsolicited correspondence before acting and, when in doubt, reach out to official channels rather than following embedded links. The campaign is a reminder that social engineering — here, impersonating an international police unit and leveraging fear of criminal exposure — remains a low‑cost, high‑yield tactic for spreading ransomware. Whether the operators behind this simple implant will scale up technical sophistication or continue to rely on negotiation via services like Tox is an open question; for now, the clearest defense is skepticism and verification.
