Mission

Fake Interpol Emails Are Delivering Ransomware to Small Businesses

Fake Interpol Emails Are Delivering Ransomware to Small Businesses

Know what attackers see before they do. See a sample Radar scan report →

You get an email. It says Interpol's cybercrime unit is reviewing your company. There's a file attached, password protected, password right there in the email so you don't even have to think about it. Open it up, see what they're accusing you of.

That's the setup. And it's ransomware.

How the Scam Actually Works

Researchers at Bitdefender documented this campaign hitting small and mid-sized businesses across legal services, pharmaceuticals, food and agriculture, media, and tech, in the US, Europe, Asia, and the Middle East. Here's the chain:

  1. The email arrives claiming to be from Interpol's cybercrime investigation unit. It says your company may be under review for suspicious activity. That's the hook. Nobody wants to ignore a message like that.
  2. It links to a file hosted on Proton Drive, not a shady link shortener or a sketchy domain. Proton Drive is a real, legitimate service, which is exactly why it doesn't trip most link-reputation filters.
  3. The file is a password-protected archive, and the password is sitting right in the email. This is the clever part. Your email security tool can't scan inside a password-protected zip file. It doesn't have the password. So the attacker just hands it to you, and you do the work of unlocking your own trap.
  4. Inside the archive is an executable disguised as a video file. Someone in a hurry, worried about a law enforcement inquiry, isn't checking file extensions closely.
  5. Once opened, it encrypts every drive it can reach and drops a ransom note. Instead of a slick dark web negotiation portal, victims get a Tox chat ID. That detail tells researchers this is likely a custom, independent operation, not one of the big-name ransomware brands. That doesn't make it less dangerous. It makes it less predictable.

Why This One Gets Past Your Defenses

Every layer of this attack is built to slide past the specific tool meant to catch it:

  • Password protection defeats attachment scanning. This is the whole trick. Any antivirus or email gateway that scans attachments for malware needs to actually open the file to check it. A password blocks that.
  • A legitimate hosting platform defeats link reputation checks. Proton Drive isn't on anyone's blocklist. Why would it be?
  • A fake video icon defeats a distracted employee. Windows hides file extensions by default. Someone under pressure isn't going to notice .mp4.exe.
  • Authority and urgency defeat judgment. "Interpol is investigating your company" produces exactly the reaction attackers want: act now, think later.

None of this requires a zero-day. None of it requires breaking into your network. It requires one employee, one bad moment, and a file they weren't supposed to open.

What Actually Stops This

You can't patch your way out of a social engineering attack, but you can build habits and controls that hold up when the pressure hits:

  • Show file extensions on every Windows machine. It's one setting (File Explorer > View > Show file extensions) and it's the single easiest way to catch a .exe pretending to be a .mp4.
  • Treat any unsolicited "you're under investigation" email the same way, regardless of who it claims to be from. Real agencies don't email companies demanding they open password-protected files on a deadline. Verify through a phone number you look up yourself, never one provided in the email.
  • Block or flag password-protected archives at the email gateway if your provider supports it. If your business has no legitimate reason to receive locked zip files from strangers, there's no reason to let them through untouched.
  • Keep offline, tested backups. If this or anything like it gets through, the difference between a bad afternoon and a company-ending event is whether you can restore without paying.
  • Train employees on this specific pattern, not generic "watch for phishing" advice. The fake-authority-plus-urgency script works because it's specific. Your training should be specific back.

The Bigger Point

This campaign will fade, and another one shaped just like it will take its place next month with a different agency's name on it. The IRS, a state licensing board, a data protection authority, whatever creates the most panic in your industry. The mechanics don't change. Authority, urgency, a file you're told to open before you've had time to think.

Email defenses stop what they can recognize. This campaign was built specifically to not be recognized. That gap between what your tools catch and what actually reaches your employees is where these attacks live, and it's the same gap attackers look for when they scan your business from the outside.

Take Action

If you want to know what an attacker sees when they look at your business from the outside, that's what we do. Oscar Six Security's Radar gives small businesses and MSPs an affordable external vulnerability scan for $99, no retainer, no enterprise contract. You get a clear, plain-language report on what's exposed and what to fix first.

Focus Forward. We've Got Your Six.

Frequently Asked Questions

What is the fake Interpol ransomware email scam?

It's a phishing campaign where attackers send an email claiming to be from Interpol's cybercrime investigation unit, saying your company is under review. The email links to a Proton Drive file protected by a password included right in the message. Opening it runs a custom ransomware payload disguised as a video file.

Why does a password-protected archive bypass antivirus and email scanners?

Most email security tools scan attachments and links for known malware signatures. A password-protected zip or rar file can't be scanned, because the scanner doesn't have the password. Attackers hand you the password in plain text specifically so you'll unlock the file yourself and do the scanner's job of hiding the payload for them.

How do I know if an email claiming to be from law enforcement is real?

Real law enforcement agencies do not investigate companies over email and demand you open password-protected files under time pressure. If you get one of these, don't click anything. Call your attorney or verify directly with the agency using a phone number you look up yourself, not one in the email.

Is my small business a realistic target for this kind of attack?

Yes. Bitdefender's research on this campaign found it hitting legal, pharmaceutical, food and agriculture, media, and technology companies across the US, Europe, Asia, and the Middle East. Small businesses are specifically attractive because they usually don't have a security team to catch this before an employee opens the file.

Find out what's exposed. Radar scans your external attack surface and shows you exactly what needs fixing. See a sample report →