
Fake Interpol Ransomware Emails Are Hitting Small Businesses
.webp)
A fake Interpol ransomware campaign is spreading across small businesses in the United States, Europe, Asia, and the Middle East. Attackers pose as international police investigators to convince victims they are under criminal investigation. The message then pushes them toward a file that encrypts their systems.
Security researchers at Bitdefender documented the operation and traced its reach across multiple continents. The campaign leans on fear rather than technical sophistication, and that combination is proving effective against smaller organizations with fewer defenses in place.
How the Fake Interpol Ransomware Campaign Works
The attack starts with an email claiming to come from Interpol. It tells the recipient their business is under investigation for criminal activity, and that investigators hold video evidence to prove it. The message urges them to review the footage immediately, before any formal action follows.
That urgency is the point behind the fake Interpol ransomware lure, since a worried business owner wants answers fast. The email links to a password-protected archive hosted on Proton Drive, where a file sits disguised as a video. Opening it does not play footage, it instead launches a ransomware payload that encrypts local files and folders.
Victims do not receive a fixed ransom demand. Instead, the malware directs them to reach out through Tox, an encrypted peer-to-peer messaging platform popular among cybercriminals. Negotiations happen there, and the price often shifts based on what the attackers believe the victim can afford to pay.
Bitdefender's analysis found the payload itself is fairly basic. It relies on hardcoded encryption and decryption passwords rather than the more advanced techniques found in larger ransomware operations. There is no custom obfuscation layer, but the payload still gets the job done. That is because the surrounding social engineering does the heavy lifting, not the code itself.
Why Small Businesses Keep Getting Hit
Pharmaceutical, food, agriculture, technology, media, and legal firms have all turned up among the victims. That spread across industries suggests attackers are not chasing a single sector. They are chasing weak defenses wherever they find them, and small businesses fit that profile more often than larger enterprises.
Small firms show up again and again in campaigns like this one, and research from CrowdStrike explains why. Budget constraints stop many SMB leaders from upgrading their security stack, even when they know the risk exists. That gap leaves openings in email filtering, endpoint protection, and staff awareness training that larger companies can afford to close.
Industry claims data also shows ransomware accounts for a disproportionate share of incidents at small and midsize businesses. Attackers know this, so campaigns like the fake Interpol ransomware operation are built specifically to exploit it. There is a reporting problem layered on top of the technical one. Separate research found that most organizations admit they do not report breaches even when they know they should.
Some worry about reputational damage, while others assume law enforcement cannot help. That silence has a cost, since it lets attackers refine the same playbook and reuse it against the next target with little risk of exposure. A campaign built around a fake Interpol warning only needs to work once in a while to stay profitable, and quiet victims make that math easier for the people running it.
What Businesses Can Do
Employee awareness remains the strongest defense against the fake Interpol ransomware campaign and others built the same way. Staff should treat unsolicited emails claiming to be from law enforcement with suspicion, especially when they demand urgent action or push toward a compressed file download. Legitimate law enforcement agencies rarely initiate contact through unsolicited email attachments, and they do not ask targets to open password-protected archives to view evidence. Any message that follows this pattern deserves verification through official channels first.
Basic technical controls also matter against fake Interpol ransomware and similar impersonation scams. Email filtering that flags password-protected archives, endpoint detection that can catch encryption behavior early, and regular offline backups all reduce the damage a successful click can cause. Reporting matters too, because when a business reports an incident to law enforcement or an industry information-sharing group, that data helps others recognize the same pattern before it reaches them.
The fake Interpol ransomware campaign works because it catches people off guard. Awareness, verification habits, and a willingness to report incidents all chip away at that advantage.
Subscribe to receive the latest blog posts to your inbox every week.