Global Phishing Campaign Impersonates Interpol to Target Small Businesses with Ransomware

Fake Interpol "Cybercrime Investigation" Emails Deliver Custom Ransomware Globally

HIGH
July 2, 2026
Phishing, Ransomware, Data Breach

Executive Summary

Cybersecurity researchers at Bitdefender have uncovered a widespread and ongoing phishing campaign targeting small businesses across the globe. Threat actors are impersonating the "Cybercrime Investigation Unit" at Interpol to lend legitimacy to their attacks. The campaign uses urgent and intimidating language to trick recipients into believing they are under investigation for fraudulent activity. Victims are directed to download supposed 'evidence' from a password-protected archive hosted on Proton Drive. This file, however, is a custom ransomware payload that encrypts the user's data. While the social engineering is effective, the ransomware itself is considered unsophisticated and contains a critical flaw: the decryption key is embedded within the malware, making recovery possible without paying the ransom.


Threat Overview

The attack is a classic example of phishing combined with authority impersonation. It targets a wide range of sectors, including technology, finance, and legal services, in multiple regions like the US, Europe, and Asia. The attack chain is as follows:

  1. Phishing Email: The victim receives an email purportedly from Interpol, claiming their organization is under investigation. The email uses a tone of authority and urgency to pressure the recipient into immediate action.
  2. Lure and Payload Delivery: The email contains a link to a Proton Drive archive and the password to open it. This two-step process can create a false sense of security. The archive is disguised as containing video evidence of the alleged crime.
  3. Execution: Inside the archive, the payload is a Windows executable masquerading as a video file. When the victim attempts to open it, the ransomware is executed.
  4. Encryption and Ransom: The malware encrypts files on the system's drives and displays a ransom note. Instead of a fixed amount, victims are instructed to negotiate payment via the encrypted messaging app Tox.

This campaign leverages the trusted names of Interpol and Proton Drive to bypass both technical defenses and human suspicion.

Technical Analysis

The attack relies heavily on social engineering (T1566.002 - Spearphishing Link) to achieve its goals. The use of a legitimate cloud storage service, Proton Drive, helps the attackers evade email security gateways that might block direct attachments or links to known malicious domains. The password-protected archive further obfuscates the payload from automated scanning.

The ransomware itself is described as custom-built and unsophisticated. The most significant technical detail discovered by Bitdefender is that the malware contains its own decryption routine and the corresponding key. This is a major operational security failure by the attackers. It means that with proper reverse engineering of the malware sample, a decryption tool can be created to recover the files for free. This suggests the threat actor is likely amateur or is using a poorly constructed public-source ransomware kit.

The final stage of the attack, communication via Tox for ransom negotiation, is a common tactic for smaller or less-established cybercrime groups, as it provides anonymity without the need to maintain complex dark web infrastructure.

Impact Assessment

For a small business without dedicated IT security staff, this attack can be devastating. The impact includes:

  • Data Unavailability: Critical business files become inaccessible, halting operations.
  • Financial Pressure: Even if the ransom demand is small, it can be a significant burden for an SMB.
  • Psychological Stress: The impersonation of a major law enforcement agency like Interpol is designed to cause fear and panic, leading to poor decision-making.

However, the flaw in the ransomware significantly reduces the long-term impact for victims who can obtain a decrypted version or a recovery tool from security vendors. The primary risk is the initial business disruption and the cost of incident response and recovery.

IOCs — Directly from Articles

No specific file hashes, IP addresses, or domains were provided in the source articles.

Cyber Observables — Hunting Hints

Security teams may want to hunt for the following patterns to detect related activity:

  • Type: Email Subject Pattern
    Value: `(Investigation
    Description: Suspicious Activity
  • Type: URL Pattern
    Value: drive.proton.me
    Description: While Proton Drive is a legitimate service, an increase in emails containing links to it from external sources could be a sign of this campaign.
  • Type: File Name
    Value: evidence.zip, video_evidence.exe
    Description: Look for files with names suggesting they are evidence, especially if they are executables disguised as other file types.
  • Type: Network Traffic Pattern
    Value: Outbound connections to tox.chat
    Description: Monitor for network traffic related to the Tox P2P messaging protocol, as this is the specified channel for ransom negotiation.

Detection & Response

  1. Email Filtering: Enhance email security gateways to flag or quarantine emails impersonating law enforcement agencies. Use DMARC, DKIM, and SPF to validate sender identity. Implement rules to warn users about emails containing links to file-sharing services combined with passwords in the email body.
  2. Endpoint Protection: Use an EDR or next-gen antivirus solution capable of behavioral analysis to detect the ransomware's encryption activity when it executes. This aligns with D3FEND's File Analysis (D3-FA).
  3. Incident Response Plan: If a system is infected, immediately isolate it from the network to prevent lateral spread. Secure a sample of the malware for analysis by a cybersecurity firm or vendor, as they may be able to extract the key and create a decryptor.
  4. User Reporting: Encourage users to report any suspicious emails, especially those that create a sense of pressure or fear.

Mitigation

  1. User Training: This is the most critical mitigation. Train employees to recognize the tactics of authority impersonation and social engineering. Specifically teach them that law enforcement agencies like Interpol will not initiate contact about a criminal investigation via a generic email with a link to a cloud archive.
  2. Block Executables from Archives: Configure endpoint security or email gateways to block users from running executables that originate from downloaded ZIP or other archive files.
  3. Application Allowlisting: Implement application allowlisting to prevent unauthorized executables from running. This would stop the custom ransomware payload from executing even if a user downloads and opens it, a core principle of D3FEND's Executable Allowlisting (D3-EAL).
  4. Regular Backups: Maintain regular, tested, and offline backups of all critical data. This ensures that even if a successful attack occurs, the business can restore its files without considering paying a ransom.

Timeline of Events

  1. July 1, 2026: Bitdefender Antispam Lab publishes research on the Interpol impersonation campaign.
  2. July 2, 2026: This article was published.

MITRE ATT&CK Mitigations

The most effective defense is training users to identify social engineering tactics like authority impersonation and to be suspicious of unsolicited emails demanding urgent action.

Modern endpoint protection can detect and block the execution of the ransomware payload based on its behavior, even if the signature is unknown.

Using application allowlisting would prevent the custom, unauthorized ransomware executable from running in the first place.

D3FEND Defensive Countermeasures

Implement an advanced email security solution that performs deep URL analysis on all incoming messages. Specifically for this campaign, the system should be configured to flag emails containing links to legitimate file-sharing services like Proton Drive, especially when the email body also contains password-like strings. While the domain itself is legitimate, the context is highly suspicious. The security gateway should rewrite these URLs to pass them through a remote browser isolation (RBI) service or a sandbox environment upon click, allowing for real-time analysis of the linked content before it reaches the user's endpoint. This prevents the user from directly downloading the malicious archive and provides a critical layer of defense against payload delivery.
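As an added example, not code from the article or from Bitdefender, the gateway heuristic described above (law enforcement wording, a Proton Drive link, and a password in the same message) scored over constructed sample messages; the URLs, sender domains and weights are assumptions:

```python
import re
from dataclasses import dataclass

# Signals taken from the campaign write-up: law-enforcement impersonation wording,
# a Proton Drive share link, the archive password in the same message, and
# 'evidence'-style file names that may hide an executable.
AUTHORITY_RE = re.compile(
    r"\b(?:interpol|cybercrime investigation|law enforcement|under investigation)\b", re.I)
SHARE_LINK_RE = re.compile(r"https?://drive\.proton\.me/\S+", re.I)
PASSWORD_RE = re.compile(r"\b(?:password|passcode)\s*(?:is|:|=)\s*\S{4,}", re.I)
EVIDENCE_NAME_RE = re.compile(r"\b[\w-]*evidence[\w-]*\.(?:zip|rar|7z|exe|scr)\b", re.I)

@dataclass
class Verdict:
    score: int
    reasons: list

def score_email(subject, body, sender_domain, internal_domains=("example.com",)):
    """Weight each signal; link plus password is what the gateway rule targets."""
    text = f"{subject}\n{body}"
    has_link = bool(SHARE_LINK_RE.search(text))
    checks = [
        (AUTHORITY_RE.search(text), 2, "law-enforcement impersonation wording"),
        (has_link and sender_domain.lower() not in internal_domains, 1,
         "Proton Drive link from an external sender"),
        (has_link and PASSWORD_RE.search(body), 2, "archive password in the same message"),
        (EVIDENCE_NAME_RE.search(text), 1, "'evidence' file name"),
    ]
    score, reasons = 0, []
    for hit, weight, reason in checks:
        if hit:
            score += weight
            reasons.append(reason)
    return Verdict(score, reasons)

def classify(verdict):
    # Quarantine the full lure; a password-protected share alone only warns the user.
    if verdict.score >= 5:
        return "quarantine"
    return "warn" if verdict.score >= 3 else "allow"

# Constructed sample messages; URLs and sender domains are placeholders, not IoCs.
PHISH = dict(subject="URGENT: Cybercrime Investigation Notice", sender_domain="notice-mail.example",
    body="This is the Cybercrime Investigation Unit at Interpol. Your company is under investigation.\n"
         "Download the evidence.zip here: https://drive.proton.me/urls/PLACEHOLDER#key\n"
         "Archive password: Ev1dence-2026. Respond within 24 hours or face legal action.")
PARTNER = dict(subject="Signed contract", sender_domain="partner.example",
    body="Signed copy: https://drive.proton.me/urls/PLACEHOLDER2#key\nThe archive password is Contract2026")
INTERNAL = dict(subject="Q3 deck", sender_domain="example.com",
    body="Slides are here: https://drive.proton.me/urls/PLACEHOLDER3#key")
```

Tune the weights and the internal-domain list to your own mail flow; the point is that the Proton Drive domain alone is never the trigger, the combination is.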

Utilize endpoint protection (EPP/EDR) with robust behavioral analysis and file content inspection. Since the ransomware is custom, signature-based detection may fail. The EDR should be configured to monitor for processes that perform rapid file encryption. Create a rule to alert or block any process that enumerates user directories and begins overwriting files with new extensions. Furthermore, if a user downloads the archive, the EDR's on-access scanner should be able to inspect the contents. Even if encrypted, the presence of a Windows executable within an archive from an email link should be flagged as high-risk. This provides a last line of defense on the endpoint if the user is successfully phished.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Interpol, Phishing, Ransomware, Social Engineering, Proton Drive, Bitdefender